Back in the Windows Vista days, we introduced a new security delegation module called Credential Security Service Provider (CredSSP). This was originally designed to work with Terminal Services because everything in Terminal Services is basically a second hop.
CredSSP 101:
1) On the client computer, I need to use the Enable-WSManCredSSP cmdlet to enable the client role and then specify the computer to which I want to delegate my credentials. Use an exact host name rather than a wildcard where you can: whatever matches this entry will receive your password. This command is shown here.
Enable-WSManCredSSP -Role Client -DelegateComputer remoteserver.mydomain.local -Force
2) Now, I also need to make a change on the remote server to permit it to accept delegated credentials. This command is shown here.
Enable-WSManCredSSP -Role Server -Force
3) Still on the remote server, check the session configurations and who is allowed to connect to them.
Note: Remoting is turned off by default on client editions of Windows (Windows Server 2012 and later enable it out of the box); if it is off, run Enable-PSRemoting to turn it on.
PS> Get-PSSessionConfiguration | Format-List *
By default only members of the local Administrators group may connect. If you decide you want to allow others, run the command:
PS> Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI ; the GUI appears; add the account you want to allow remote access and check the boxes Read (Get, Enumerate, Subscribe) and Execute (Invoke):
Confirm
Are you sure you want to perform this action?
Performing operation "Set-PSSessionConfiguration" on Target "Name: Microsoft.PowerShell".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
4) Still on the remote server, stop and start WinRM so the new configuration is loaded:
net stop winrm
net start winrm
5) From the client computer, you can use the following PowerShell script with CredSSP:
- When making the PS Session, ensure that I use -Authentication CredSSP.
- When making the PS Session, ensure that I use the same name I gave to -DelegateComputer, here the FQDN remoteserver.mydomain.local. (The name must match the delegation entry: with a wildcard entry such as *.mydomain.local an FQDN is still required; a short name like remoteserver would match neither.)
My CredSSP script is shown here.
$credential = Get-Credential -Credential mydomain\administrator
# CredSSP sends these credentials to the remote server in reusable form; use an account scoped to the task.
$session = New-PSSession -ComputerName remoteserver.mydomain.local -Credential $credential -Authentication CredSSP
Invoke-Command -Session $session -ScriptBlock { … }
# Get-WUHistory comes from the PSWindowsUpdate module and must be installed on the remote server.
Invoke-Command -Session $session -ScriptBlock { Get-WUHistory }
etc…
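The whole procedure above, as an added example that is not part of the original post: it checks the current CredSSP state before changing it, enables the client and server roles, proves that the second hop works by reaching a third machine from inside the session, and turns delegation back off afterwards. The host names remoteserver.mydomain.local and fileserver.mydomain.local, the share name and the account mydomain\administrator are placeholders for your environment. The first and third parts run on the client, the second on the remote server.

```powershell
# Added example (not the original post's code). Host names, share and account are placeholders.

# --- Part 1, on the client: see what is already configured before enabling anything ---
Get-WSManCredSSP   # reports whether fresh-credential delegation is allowed and to which targets

# Enable the client role for one exact host name. A wildcard such as *.mydomain.local would hand
# your password to any host in the domain that you happen to connect to with -Authentication CredSSP.
Enable-WSManCredSSP -Role Client -DelegateComputer 'remoteserver.mydomain.local' -Force

# The cmdlet writes the same policy that Group Policy "Allow delegating fresh credentials" would.
# Checking it here shows exactly which SPNs your machine is now willing to delegate to.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials' -ErrorAction SilentlyContinue

# --- Part 2, on the remote server ---
Enable-WSManCredSSP -Role Server -Force
Restart-Service -Name WinRM

# --- Part 3, back on the client: the session itself ---
$credential = Get-Credential -Credential 'mydomain\administrator'
$session = New-PSSession -ComputerName 'remoteserver.mydomain.local' `
                         -Credential $credential -Authentication CredSSP

# Proof of the second hop: from inside the session, reach a third machine as the delegated user.
Invoke-Command -Session $session -ScriptBlock {
    whoami                                             # the delegated account, not the WinRM service
    Get-ChildItem '\\fileserver.mydomain.local\share'   # with Kerberos/Negotiate this hop is denied
}

Remove-PSSession -Session $session

# The remote server received the password in reusable form for the lifetime of the session;
# do not leave the client side delegating once the task is done.
Disable-WSManCredSSP -Role Client
```

If Part 3 fails with "The WinRM client cannot process the request" mentioning CredSSP, compare the name used in -ComputerName with the SPN listed under AllowFreshCredentials in Part 1; they must match.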
WinRM troubleshooting:
If the target is not domain-joined, or you connect to it by IP address, Kerberos cannot be used and you first have to allow non-Kerberos connections by adding the target to the client's TrustedHosts list
(remember that without Kerberos you lose mutual authentication: you no longer know for sure that the target computer really is the computer it pretends
to be, so the NTLM exchange, or your clear-text password if you also use CredSSP, goes to whoever answers on that name). The wildcard below trusts every host and is for lab use only; prefer listing the specific names you need: Set-Item WSMan:\localhost\Client\TrustedHosts * -Force
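An added example (not from the original post) showing the wildcard setting beside a restricted one that appends only the host you need, plus the two checks worth running before blaming TrustedHosts. The host name remoteserver.mydomain.local is a placeholder.

```powershell
# Added example, not the original post's code. Host name is a placeholder.

# Weak: trust every host. Any machine answering on the WinRM port under that name can sit in for
# the real target and receive your NTLM exchange (or your password, if CredSSP is in use).
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force

# Better: add only the host you need, and append instead of overwriting what is already there.
$wanted  = 'remoteserver.mydomain.local'
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

if ([string]::IsNullOrEmpty($current)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wanted -Force
} elseif (($current -split ',' | ForEach-Object { $_.Trim() }) -notcontains $wanted) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wanted -Concatenate -Force
}
Get-Item WSMan:\localhost\Client\TrustedHosts   # shows the resulting list

# Check 1: is the WinRM service on the target reachable at all? Test-WSMan needs no credentials
# for an unauthenticated identify request, so a failure here is network or listener, not auth.
Test-WSMan -ComputerName $wanted

# Check 2: which authentication schemes the local WinRM service accepts (CredSSP must be "true"
# on the server side for the delegated session to be accepted).
Get-ChildItem WSMan:\localhost\Service\Auth
```

When the target is domain-joined, connect by its FQDN and leave TrustedHosts alone: Kerberos then authenticates both sides and the wildcard is never needed.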
