WINRM kerberos & Negotiate

This topic contains 4 replies, has 3 voices, and was last updated by  Dave Wyatt 3 years, 7 months ago.

  • Author
  • #17789



    I read a few articles and came to know that Kerberos fallback is not supported by PowerShell remoting. Then what does "Negotiate = true" mean?
    Below is the partial output of "winrm g winrm/config".

    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = false

  • #17792

    Adnan Rashid


    This link might be helpful to give more information about each particular property:

    From the Microsoft definition, they say the following:

    Allows the client to use Negotiate authentication. Negotiate authentication is a scheme in which the client sends a request to the server to authenticate. The server determines whether to use the Kerberos protocol or NTLM. The Kerberos protocol is selected to authenticate a domain account, and NTLM is selected for local computer accounts. The user name must be specified in domain\user_name format for a domain user. The user name must be specified in server_name\user_name format for a local user on a server computer. The default is True.

    That definition suggests that Kerberos is supported. Also, if it wasn't, then -credential shouldn't work when authenticating against another domain.

    Unless I haven't understood something properly here – hopefully someone else can correct me.

    Do you have the articles where they suggest it isn't?

  • #17794

    Dave Wyatt

    I think you're probably referring to this page: Authentication for Remote Connections. The default (assuming the client is in a domain, and is not connecting to itself via or ::1 addresses) is to use Kerberos authentication, and not to fall back to NTLM. That's just the default, though; you can specify anything you like with the -Authentication parameter of various cmdlets, such as Invoke-Command and New-PSSession.

    Note that you may have to take some other steps as well, to get non-Kerberos authentication working. Specifically, you'd have to set up an HTTPS listener on the remote host, or modify the client's TrustedHosts list.
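
Added example, not part of the thread: a PowerShell sketch that reads the Auth settings quoted in the question and marks the schemes worth a closer look, followed by the live equivalents and an explicit -Authentication call as described in the reply above. The function name, the review notes, the choice of which schemes to mark, and the host name are assumptions of this example.

```powershell
# Constructed sample: the partial "winrm g winrm/config" output from the question.
$sample = @'
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
'@

function Get-WinRMAuthReview {
    param([Parameter(Mandatory)][string]$ConfigText)

    # Review notes are this example's wording, not Microsoft's.
    $notes = @{
        Basic     = 'Password is only base64-encoded; needs HTTPS transport'
        Negotiate = 'Server side picks Kerberos or NTLM'
        Kerberos  = 'Domain accounts; default for domain-joined clients'
        CredSSP   = 'Delegates the user''s credentials to the remote host'
    }
    # Schemes this example marks for a closer look when enabled (assumption).
    $reviewWhenEnabled = 'Basic', 'Digest', 'CredSSP'

    foreach ($line in ($ConfigText -split "`r?`n")) {
        if ($line -match '^\s*(\w+)\s*=\s*(true|false)\s*$') {
            $enabled = [bool]::Parse($Matches[2])
            [pscustomobject]@{
                Scheme  = $Matches[1]
                Enabled = $enabled
                Review  = $enabled -and ($reviewWhenEnabled -contains $Matches[1])
                Note    = $notes[$Matches[1]]
            }
        }
    }
}

Get-WinRMAuthReview -ConfigText $sample | Format-Table -AutoSize

# On a live client the same settings are exposed through the WSMan: drive:
#   Get-ChildItem WSMan:\localhost\Client\Auth
#   Get-Item WSMan:\localhost\Client\TrustedHosts
# Naming the scheme makes the session fail rather than use another one
# (server01.example.test is a placeholder host name):
#   New-PSSession -ComputerName server01.example.test -Authentication Kerberos
```
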

  • #17815

  • #17816

    Dave Wyatt

    Hmm. That statement specifically mentions "WinRM with SCVMM". I'm not sure if SCVMM has some other limitations that are separate from what you can normally do with WinRM / PSRemoting.
