August 5, 2014 at 8:20 am #17789
I read a few articles and came to know that Kerberos fallback is not supported by PowerShell remoting. Then what does "Negotiate = true" mean?
Below is the partial output of "winrm g winrm/config".
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
August 5, 2014 at 8:39 am #17792
This link might be helpful to give more information about each particular property: http://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx
From Microsoft's definition, they say the following:
Allows the client to use Negotiate authentication. Negotiate authentication is a scheme in which the client sends a request to the server to authenticate. The server determines whether to use the Kerberos protocol or NTLM. The Kerberos protocol is selected to authenticate a domain account, and NTLM is selected for local computer accounts. The user name must be specified in domain\user_name format for a domain user. The user name must be specified in server_name\user_name format for a local user on a server computer. The default is True.
That definition suggests that Kerberos is supported; also, if it wasn't, then -credential shouldn't work when authenticating against another domain.
Unless I haven't understood something properly here – hopefully someone else can correct me.
Do you have the articles where they suggest it isn't?
August 5, 2014 at 9:15 am #17794
I think you're probably referring to this page: Authentication for Remote Connections (http://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx). The default (assuming the client is in a domain, and is not connecting to itself via 127.0.0.1 or ::1 addresses) is to use Kerberos authentication, and not to fall back to NTLM. That's just the default, though; you can specify anything you like with the -Authentication parameter of various cmdlets, such as Invoke-Command and New-PSSession.
Note that you may have to take some other steps as well, to get non-Kerberos authentication working. Specifically, you'd have to set up an HTTPS listener on the remote host, or modify the client's TrustedHosts list.
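Added example, not part of the original posts: it lists the client Auth settings as objects, opens a session with explicit Negotiate over HTTPS, and reads the remote Security log to see whether Negotiate actually selected Kerberos or NTLM. The host name and both function names are hypothetical; it assumes an HTTPS listener already exists on the remote host and that the account may read its Security log.

```powershell
# Added example. 'server01.example.test' and both function names are hypothetical.

function Get-WinRMClientAuth {
    # Same values as the Auth block of "winrm g winrm/config", as objects.
    Get-ChildItem WSMan:\localhost\Client\Auth | ForEach-Object {
        [pscustomobject]@{
            Scheme  = $_.Name
            Enabled = [System.Convert]::ToBoolean($_.Value)
        }
    }
}

function Get-NegotiatedLogonPackage {
    # Runs on the remote host: for recent network logons (event 4624,
    # LogonType 3), report which package was actually used (Kerberos or NTLM).
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['LogonType'] -eq '3') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    Package = $data['AuthenticationPackageName']
                }
            }
        }
}

Get-WinRMClientAuth | Format-Table -AutoSize

$target = 'server01.example.test'   # hypothetical host with an HTTPS listener
$cred   = Get-Credential

# Explicit Negotiate over HTTPS, so TrustedHosts does not need to be widened.
$session = New-PSSession -ComputerName $target -Credential $cred -Authentication Negotiate -UseSSL
try {
    Invoke-Command -Session $session -ScriptBlock ${function:Get-NegotiatedLogonPackage} |
        Group-Object Package | Select-Object Name, Count
}
finally {
    Remove-PSSession $session
}
```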
August 6, 2014 at 8:46 am #17815
August 6, 2014 at 8:49 am #17816
Hmm. That statement specifically mentions "WinRM with SCVMM". I'm not sure if SCVMM has some other limitations that are separate from what you can normally do with WinRM / PSRemoting.