Powershell – Using defaultAuthenticationType with PowerShell Web Access

credssppowershell

PowerShell web access lets you choose the authentication type. By default, it uses a value of Default, which ends up being Negotiate. I have set up CredSSP to allow logging into the PSWA server itself with CredSSP, so that network authentication works from within the session (avoids a double hop issue, without delegating credentials all over the network).

Anyway, I want CredSSP to be the default option on the sign-in page.

Looking into the configuration options for the PSWA web app in IIS, there are several values that can be set to override the defaults.

One of them is called defaultAuthenticationType which is a string but is set to 0.

This seems like the right setting, but I can't get it to work.

If I inspect the sign in web page I can see that the select box has the following values:

0   Default
1   Basic
2   Negotiate
4   CredSSP
5   Digest
6   Kerberos

3 is missing.

JosefZ found that 3 is NegotiateWithImplicitCredential according to this page, but on Windows PowerShell 5.1.15063.966 for me that name/value is missing from the enum.

If I set defaultAuthenticationType to a number, then the web page defaults to a new option:

7   Admin Specified

I have tried 3 and 4, but neither one works. The login happens using Kerberos, and CredSSP is not used.

If I select CredSSP manually it works as expected.

If I set defaultAuthentcationType to a string like CredSSP, no Admin Specified option appears and it just defaults to Default again, and still Kerberos authentication is used.

Has anyone been able to successfully set this? Web results have been very lacking.

Best Answer

try following this guide it should get you where you want to go. https://www.petri.com/powershell-web-access-configuration

here is the section you want. 
PowerShell
1
Add-PswaAuthorizationRule : This command must be run by a user account with permissions to perform Active Directory queries.
If you run the command in an interactive (i.e. not via remoting) session on the server it should work just fine. The problem here is the second hop. The Add-PSwaAuthorizationRule cmdlet needs to make a connection to a domain controller, which by security design is not allowed in PowerShell Remoting. This second-hop limitation can be overcome by enabling CredSSP authentication. Note: This is not be done lightly as there are security ramifications, so research this fully before employing.

But in my situation, since I want to use remoting, I’ll exit out of the remote session and enable CredSSP on my desktop for CHI-WEB01.

PowerShell
1
PS C:\> Enable-WSManCredSSP -DelegateComputer chi-web01 -Role Client
Next, I need to enable the server side.

PowerShell
1
PS C:\> invoke-command {enable-wsmancredssp -Role Server -Force} -ComputerName chi-web01
With this in place, I can now re-establish my remote session specifying CredSSP and my credentials.

PowerShell
1
PS C:\> enter-pssession chi-web01 -Authentication Credssp -Credential globomantics\jeff
Now when I run the authorization command, it works as you can see below in Figure 3.

Related Solutions

Powershell – How to troubleshoot a remote wmi query/access failure

Are you seeing event ID 673 in the security log? I suspect your workstation or your account is somehow not authenticating properly to the domain. I'd try the same query from the 2k8 system to the 2003 system and see if it fails. If it does try it with another account and see if that still fails. The kerberos error is referring to an anonymous login that was denied.

Powershell – Cannot get CredSSP authentication to work in PowerShell

I came back to this after a brief hiatus to look again with fresh eyes (both mine and a co-worker) and decided to go back to the basics again:

On the client I executed (in administrator shell):

enable-wsmancredssp -role client -delegatecomputer devremvm03 -force

On the server I executed (in administrator shell):

enable-wsmancredssp -role server -force

Both returned normal output indicating CredSSP was now "true".

I then used the following exerciser code to walk through increasing levels of complexity:

$block = {
  Write-Host ("hello, world: {0}, {1}" -f $env:USERNAME, (hostname))
}
$username = "test_user"
$password = "..."   
$adjPwd = $password | ConvertTo-SecureString -asPlainText -Force
$testCred = (New-Object System.Management.Automation.PSCredential($username,$adjPwd))    

switch ($choice)
{
  "basic"       { Invoke-Command $block }
  "remote"      { Invoke-Command $block -computername $serverName }
  "credentialA" { Invoke-Command $block -computername $serverName -credential $testCred  }
  "credentialB" { Invoke-Command $block -computername $serverName -credential $testCred  -Authentication Credssp}
  "session"     { 
      $testSession = New-PSSession -computername $serverName -credential $testCred -Authentication Credssp
      if ($testSession) { Invoke-Command $block -Session $testSession; Remove-PSSession $testSession }
      }
}

All of that is in my run.ps1 script so the transcript went as follows (and this ran in a non-administrator shell):

PS C:\> .\run.ps1 basic
hello, world: msorens, MyLocalMachine
PS C:\> .\run.ps1 remote MyRemoteServer
hello, world: msorens, MyRemoteServer
PS C:\> .\run.ps1 credentialA MyRemoteServer
hello, world: test_user, MyRemoteServer
PS C:\> .\run.ps1 credentialB MyRemoteServer
hello, world: test_user, MyRemoteServer
PS C:\> .\run.ps1 session MyRemoteServer
hello, world: test_user, MyRemoteServer

Previously, only basic, remote, and credentialA worked. Now all 5 work. Whew!

Best Answer

Related Solutions

Powershell – How to troubleshoot a remote wmi query/access failure

Powershell – Cannot get CredSSP authentication to work in PowerShell

Related Topic