Powershell – Cannot get CredSSP authentication to work in PowerShell

credssppowershellremotingwinrm

In attempting to create a PowerShell script using remoting I ran into what I believe is the double-hop problem. In that article, Perriman gives a succinct description of the problem as well as the specific steps to resolve the issue (almost trivial if you know the commands, but for someone less familiar like myself, that information was invaluable!).

I ran Enable-WSManCredSSP Server on my Win7 server without incident, but attempting to run Enable-WSManCredSSP Client –DelegateComputer <FQDN of the server> on my Win7 client generated this error:

Enable-WSManCredSSP : The client cannot connect to the destination specified
in the request. Verify that the service on the destination is running and
is accepting requests.
Consult the logs and documentation for the WS-Management service running
on the destination, most commonly IIS or WinRM. If the destination
is the WinRM service, run the following com mand on the destination
to analyze and configure the WinRM service: "winrm quickconfig".

Running winrm quickconfig confirmed my server was running WinRM:

WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.

And Get-WSManCredSSP confirmed my server was ready to accept credentials from a client:

The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.

I also found Boessen's article on WinRM wherein he describes general WinRM setup and found one tidbit to get a useful data point in diagnosis; this command run on the client uses the winrs tool to remotely access the server:

winrs -r:http://<FQDN of my server>:5985 -u:<myDomain>\msorens "dir c:\"

That command returned the expected result, the contents of the root directory on the server, without incident, confirming that my FQDN is correct and that WinRM is enabled.

Boessen indicates port 5985 is the default for Win7; this command run on the server confirms a value of 5985:

get-item wsman:\localhost\listener\listener*\port

The question:
Why am I unable to execute the Enable-WSManCredSSP command on the client side?

2011.06.07 Update

I found a solution to the above question: invoking Enable-PSRemoting, advertised to configure a computer to receive remote commands, allowed the Enable-WSManCredSSP on the client to work successfully! Curious, but its man page indicates it does a number of different actions, so I assume one of those inadvertantly did what I needed.

But then I reached another roadblock when I attempted to use CredSSP authentication. Here is the command:

Invoke-Command { Write-Host "hello, world" } -computername $serverName `
-credential $testCred  -Authentication Credssp

And here is the response:

Connecting to remote server failed with the following error message:
The WinRM client cannot process the request. A computer policy does not allow
the delegation of the user credentials to the target computer. Use gpedit.msc
and look at the following policy: Computer Configuration
-> Administrative Templates -> System -> Credentials Delegation
-> Allow Delegating Fresh Credentials.  Verify that it is enabled and
configured with an SPN appropriate for the target computer. For example,
for a target computer name "myserver.domain.com", the SPN can be one of
the following: WSMAN /myserver.domain.com or WSMAN/*.domain.com.
For more information, see the about_Remote_Troubleshooting Help topic.

I verified the settings just as this remarkably helpful error message suggested, and it looks to me like it is configured properly.

The new question:
What does this remote connection attempt with CredSSP fail?

In answering please keep the following in mind:
Let me dispell in advance any notion that I know what I am doing here, any appearance to the contrary notwithstanding.:-) Windows admin is not my area of expertise!

Best Answer

I came back to this after a brief hiatus to look again with fresh eyes (both mine and a co-worker) and decided to go back to the basics again:

On the client I executed (in administrator shell):

enable-wsmancredssp -role client -delegatecomputer devremvm03 -force

On the server I executed (in administrator shell):

enable-wsmancredssp -role server -force

Both returned normal output indicating CredSSP was now "true".

I then used the following exerciser code to walk through increasing levels of complexity:

$block = {
  Write-Host ("hello, world: {0}, {1}" -f $env:USERNAME, (hostname))
}
$username = "test_user"
$password = "..."   
$adjPwd = $password | ConvertTo-SecureString -asPlainText -Force
$testCred = (New-Object System.Management.Automation.PSCredential($username,$adjPwd))    

switch ($choice)
{
  "basic"       { Invoke-Command $block }
  "remote"      { Invoke-Command $block -computername $serverName }
  "credentialA" { Invoke-Command $block -computername $serverName -credential $testCred  }
  "credentialB" { Invoke-Command $block -computername $serverName -credential $testCred  -Authentication Credssp}
  "session"     { 
      $testSession = New-PSSession -computername $serverName -credential $testCred -Authentication Credssp
      if ($testSession) { Invoke-Command $block -Session $testSession; Remove-PSSession $testSession }
      }
}

All of that is in my run.ps1 script so the transcript went as follows (and this ran in a non-administrator shell):

PS C:\> .\run.ps1 basic
hello, world: msorens, MyLocalMachine
PS C:\> .\run.ps1 remote MyRemoteServer
hello, world: msorens, MyRemoteServer
PS C:\> .\run.ps1 credentialA MyRemoteServer
hello, world: test_user, MyRemoteServer
PS C:\> .\run.ps1 credentialB MyRemoteServer
hello, world: test_user, MyRemoteServer
PS C:\> .\run.ps1 session MyRemoteServer
hello, world: test_user, MyRemoteServer

Previously, only basic, remote, and credentialA worked. Now all 5 work. Whew!

Related Solutions

Powershell – psremoting and credssp authentication to localhost

Connecting to the local computer should work just fine. However, just making a quick attempt myself, I had to use the computer name of the local computer to be able to connect, instead of localhost (guessing this has to do with NTLM vs Kerberos). So running the following commands (on a Windows Server 2008 R2 computer with PowerShell 2) forked fine for me:

Enable-WSManCredSSP -Role Server
Enable-WSManCredSSP -Role Client -DelegateComputer MyComputerNameHere
$session = New-PSSession -ComputerName MyComputerNameHere -Authentication Credssp -Credential (Get-Credential)

To get it to work on a non-domain-joined computer (on a Windows 8.1 computer with PowerShell 4), however, I had to also make a group policy change (which was mentioned in the error message provided). The configuration I needed to make was to Enable the Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials with NTLM-only Server Authentication configuration and also add the computer name to the computer name list in that policy. After that change, the above code worked just fine even on a non-domain-joined computer.

WinRM Failures – How to Fix Remote PowerShell Issues on Windows Server 2012 R2

Finally solved it, helped by the evidence I recently added to the question:

netsh http show iplist

IP addresses present in the IP listen list:
-------------------------------------------

127.0.0.1

On systems where this was working, that list was empty. This seemed rather counter-intuitive to me at first. Nevertheless, I gave this a go:

> netsh http delete iplisten ipaddress=127.0.0.1

Immediately after, I notice this output from netstat:

>netstat -anp tcp

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49175          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49179          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49190          0.0.0.0:0              LISTENING
  TCP    10.115.63.107:139      0.0.0.0:0              LISTENING
  TCP    10.115.63.107:3389     10.115.13.25:64873     ESTABLISHED
  TCP    10.115.63.107:49235    192.168.40.146:445     ESTABLISHED
  TCP    10.115.63.107:49291    192.168.40.45:8014     ESTABLISHED
  TCP    169.254.34.30:139      0.0.0.0:0              LISTENING

And indeed, WinRM works like it should.

I surmise, via testing, that if no HTTP listener is configured, then all HTTP listeners will bind to the default entity: 0.0.0.0. Because a loopback address was configured as a listener address, the listener was binding to this address instead.

At some point, I must have taken some action that caused this configuration, though I'm not sure how. At any rate, it's working fine now. Thanks all.

Best Answer

Related Solutions

Powershell – psremoting and credssp authentication to localhost

WinRM Failures – How to Fix Remote PowerShell Issues on Windows Server 2012 R2

Related Topic