WINRM kerberos & Negotiate

This topic contains 4 replies, has 3 voices, and was last updated by Dave Wyatt 2 years, 4 months ago.

  • #17789
    Biswajit
    Participant

    Team,

    I read a few articles and came to know that Kerberos fallback is not supported by PowerShell remoting. Then what is meant by "Negotiate = true"?

    Below is the partial output of "winrm g winrm/config".

    Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = false
    DefaultPorts

  • #17792
    Adnan Rashid
    Participant

    Hello,

    This link might be helpful to give more information about each particular property: http://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx

    From Microsoft definition they say the following:

    Allows the client to use Negotiate authentication. Negotiate authentication is a scheme in which the client sends a request to the server to authenticate. The server determines whether to use the Kerberos protocol or NTLM. The Kerberos protocol is selected to authenticate a domain account, and NTLM is selected for local computer accounts. The user name must be specified in domain\user_name format for a domain user. The user name must be specified in server_name\user_name format for a local user on a server computer. The default is True.

    That definition suggests that Kerberos is supported; also, if it wasn't, then -Credential shouldn't work when authenticating against another domain.

    Unless I haven't understood something properly here – hopefully someone else can correct me.

    Do you have the articles where they suggest it isn't?

  • #17794
    Dave Wyatt
    Moderator

    I think you're probably referring to this page: Authentication for Remote Connections (http://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx). The default (assuming the client is in a domain, and is not connecting to itself via 127.0.0.1 or ::1 addresses) is to use Kerberos authentication, and not to fall back to NTLM. That's just the default, though; you can specify anything you like with the -Authentication parameter of various cmdlets, such as Invoke-Command and New-PSSession.

    Note that you may have to take some other steps as well, to get non-Kerberos authentication working. Specifically, you'd have to set up an HTTPS listener on the remote host, or modify the client's TrustedHosts list.
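The following is an added example (not code from this thread or from any of its posters) showing how to check the WinRM client authentication settings the posts discuss, connect with an explicit -Authentication value, and confirm on the remote side which mechanism was actually used. It assumes a domain-joined client, a domain account, and a remote host name; the host name is a placeholder for your own.

```powershell
# Added example (not from this thread): inspect the WinRM client auth settings discussed
# above, connect with an explicit -Authentication value, and verify what the remote side
# actually saw. Assumes a domain-joined client and a domain account; the host name below
# is a placeholder.
$target = 'server01.corp.example'   # placeholder; Kerberos needs a host name, not an IP

# Same data as "winrm get winrm/config", limited to the client-side Auth section
winrm get winrm/config/client/auth

# The client's TrustedHosts list; it only matters for non-Kerberos (NTLM/Negotiate) connections
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Name, Value

# Force Kerberos explicitly: there is no NTLM fallback, so a failure here points at a
# Kerberos problem (SPN, clock skew, name resolution) rather than a silent downgrade.
$session = New-PSSession -ComputerName $target -Authentication Kerberos

# On the remote end, $PSSenderInfo records how the caller was authenticated. Reading it
# back confirms that the session was not resolved to NTLM.
$authUsed = Invoke-Command -Session $session -ScriptBlock {
    $PSSenderInfo.UserInfo.Identity.AuthenticationType
}
if ($authUsed -ne 'Kerberos') {
    Write-Warning "Remote host $target authenticated the session with '$authUsed', not Kerberos"
} else {
    Write-Host "Session to $target authenticated with Kerberos"
}
Remove-PSSession $session

# Non-Kerberos variant from the post above: with an HTTPS listener on the remote host,
# Negotiate can be used over TLS without adding the host to the client's TrustedHosts list.
# $session = New-PSSession -ComputerName $target -UseSSL -Authentication Negotiate -Credential (Get-Credential)
```

The `-Authentication Kerberos` form is the one to use when you want an error instead of a quiet fallback; the `$PSSenderInfo` check inside the remote script block is the cheapest way to audit which mechanism a given session ended up with.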

  • #17815
    Biswajit
    Participant
  • #17816
    Dave Wyatt
    Moderator

    Hmm. That statement specifically mentions "WinRM with SCVMM". I'm not sure if SCVMM has some other limitations that are separate from what you can normally do with WinRM / PSRemoting.
