August 5, 2014 at 8:20 am

Team,

I read a few articles and came to know that Kerberos fallback is not supported by PowerShell remoting. Then what is meant by "[b]Negotiate = true[/b]"?

Below is the partial output of "[b]winrm g winrm/config[/b]".

Auth
Basic = true
Digest = true
Kerberos = true
[b]Negotiate = true[/b]
Certificate = true
CredSSP = false
DefaultPorts

August 5, 2014 at 8:39 am

Hello,

This link might be helpful to give more information about each particular property: http://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx

From Microsoft's definition, they say the following:

Allows the client to use Negotiate authentication. Negotiate authentication is a scheme in which the client sends a request to the server to authenticate. The server determines whether to use the Kerberos protocol or NTLM. The Kerberos protocol is selected to authenticate a domain account, and NTLM is selected for local computer accounts. The user name must be specified in domain\user_name format for a domain user. The user name must be specified in server_name\user_name format for a local user on a server computer. The default is True.

That definition suggests that Kerberos is supported; also, if it wasn't, then -Credential shouldn't work when authenticating against another domain.

Unless I haven't understood something properly here – hopefully someone else can correct me.

Do you have the articles where they suggest it isn't?

August 5, 2014 at 9:15 am

I think you're probably referring to this page: [url="http://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx"]Authentication for Remote Connections[/url]. The default (assuming the client is in a domain, and is not connecting to itself via 127.0.0.1 or ::1 addresses) is to use Kerberos authentication, and not to fall back to NTLM. That's just the default, though; you can specify anything you like with the -Authentication parameter of various cmdlets, such as Invoke-Command and New-PSSession.

Note that you may have to take some other steps as well, to get non-Kerberos authentication working. Specifically, you'd have to set up an HTTPS listener on the remote host, or modify the client's TrustedHosts list.
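
The points in the reply above can be checked from the client side. The following is an added example, not part of the original post: it reads the client's Auth flags and TrustedHosts value, then probes a host with Kerberos requested explicitly. The function name and the host name `srv01.contoso.example` are constructed placeholders.

```powershell
# Added example. 'srv01.contoso.example' is a constructed placeholder host name.
function Get-WinRMClientAuthReport {
    [CmdletBinding()]
    param(
        # Remote host to probe; optional.
        [string]$ComputerName
    )

    # The same flags that 'winrm g winrm/config' lists under Client > Auth.
    $schemes = @{}
    Get-ChildItem -Path WSMan:\localhost\Client\Auth | ForEach-Object {
        $schemes[$_.Name] = $_.Value
    }

    # Non-Kerberos authentication to a host over HTTP requires it to be listed here.
    $trustedHosts = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value

    $kerberosOk = $null
    if ($ComputerName) {
        try {
            # Explicit Kerberos: the request fails instead of using NTLM.
            Test-WSMan -ComputerName $ComputerName -Authentication Kerberos -ErrorAction Stop | Out-Null
            $kerberosOk = $true
        } catch {
            $kerberosOk = $false
        }
    }

    [pscustomobject]@{
        AuthSchemes       = $schemes
        TrustedHosts      = $trustedHosts
        TrustedHostsIsAny = ($trustedHosts -eq '*')   # wildcard trusts every host
        KerberosProbe     = $kerberosOk               # $null when no host was given
    }
}

Get-WinRMClientAuthReport -ComputerName 'srv01.contoso.example' | Format-List
```

Reading the WSMan: drive requires the WinRM service to be running on the client, and the probe uses the credentials of the current user.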

August 6, 2014 at 8:49 am

Hmm. That statement specifically mentions "WinRM with SCVMM". I'm not sure if SCVMM has some other limitations that are separate from what you can normally do with WinRM / PSRemoting.