CredSSP for second-hop remoting


PS C:\> $r = New-PSSession
PS C:\> icm $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx}
Enter password:
Invoke-Command : The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.
At line:1 char:4
+ icm <<<<  $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx}

I am trying to run Get-PfxCertificate in a remote runspace, but why does it fail? What is delegation?

PowerShell remoting supports a new authentication mechanism called CredSSP. "CredSSP enables an application to delegate the user's credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP)." See the following link for more info: http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/25/724271.aspx Here is a link to the CredSSP protocol specification: http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf

To enable client-side SSP for winrm, run the following lines:
Enable-WSManCredSSP -Role client -DelegateComputer *

To enable server-side SSP for winrm:
Enable-WSManCredSSP -Role server

Now let's try the same scenario with a remote runspace created with CredSSP authentication.

PS C:\> $r = New-PSSession Fully.Qualified.Domain.Name -Auth CredSSP -cred domain\user
PS C:\> icm $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx} | fl
Subject      : CN=Hula Monkey, OU=checkins, OU=monad
Issuer       : CN=Hula Monkey, OU=checkins, OU=monad
Thumbprint   : 613F82CEAF98C2457BD140AF3FBF7045FFFBAC90
FriendlyName :
NotBefore    : 7/7/2004 4:15:37 PM
NotAfter     : 12/31/2039 3:59:59 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
ComputerName : Fully.Qualified.Domain.Name
PS C:\> icm $r {$s=new-pssession}
PS C:\> icm $r {icm $s {whoami}}
domain\user
PS C:\>

Get-PfxCertificate now works in the remote runspace! I can also open another remote runspace inside the remote runspace, or access a network share inside the remote runspace. Enjoy!

To disable client-side SSP for winrm:
Disable-WSManCredSSP -Role client

To disable server-side SSP for winrm:
Disable-WSManCredSSP -Role server
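The enable, second-hop and disable steps above, wrapped into one function as an added example (not code from the original post). It delegates fresh credentials only to the named first-hop server rather than to every target with -DelegateComputer *, and removes the client-side setting again when the task is done. The server names are placeholders, and the cmdlets need an elevated session.

```powershell
# Added example: scoped CredSSP second hop with clean-up. Server names are placeholders.

function Get-CredSSPState {
    # Read the WSMan provider instead of parsing the text output of Get-WSManCredSSP.
    [pscustomobject]@{
        ClientEnabled = [bool]::Parse((Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value)
        ServerEnabled = [bool]::Parse((Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value)
    }
}

function Invoke-SecondHop {
    param(
        [Parameter(Mandatory)][string]$FirstHop,          # e.g. 'server1.contoso.example' (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential,  # the account whose credentials are delegated
        [Parameter(Mandatory)][scriptblock]$ScriptBlock   # runs on $FirstHop; may itself remote onwards
    )
    $wasEnabled = (Get-CredSSPState).ClientEnabled
    try {
        # Allow delegation of fresh credentials to this one server only, not to wsman/*.
        Enable-WSManCredSSP -Role Client -DelegateComputer $FirstHop -Force | Out-Null

        # The first hop uses CredSSP, so the session on $FirstHop holds the user's
        # credentials and can open the second hop (another session or a network share).
        Invoke-Command -ComputerName $FirstHop -Authentication Credssp `
                       -Credential $Credential -ScriptBlock $ScriptBlock
    }
    finally {
        # Do not leave client-side delegation switched on after the task if it was off before.
        # Note: Disable-WSManCredSSP -Role Client removes all delegate entries, so it is only
        # called when CredSSP was not already enabled for something else.
        if (-not $wasEnabled) { Disable-WSManCredSSP -Role Client }
    }
}

# Usage: the inner Invoke-Command is the second hop that fails without CredSSP.
# $cred = Get-Credential 'domain\user'
# Invoke-SecondHop -FirstHop 'server1.contoso.example' -Credential $cred -ScriptBlock {
#     Invoke-Command -ComputerName 'fileserver.contoso.example' -ScriptBlock { whoami }
# }
```

The server side still needs Enable-WSManCredSSP -Role Server run once on the first-hop machine, as shown above.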

Wei Wu [MSFT]
Visit the Windows PowerShell Team blog at:    http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at:  http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx

  • Hello,

    When I try to execute

    $r = New-Runspace internalComputername -cred domain\user

    in PowerShell it gives me the error

    The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol.

    I want to know what it means and how to solve it.

    I have also installed PowerShell 2.0 and WinRM on the client machine to which I am trying to connect.

  • Hi,

    Can I use some sort of mechanism together with Windows Server 2003?

  • Very helpful, it works. But WHY is this necessary?

    The whole PowerShell remoting is so complicated. It should just run like a local PowerShell. Never had such problems with Telnet or Remote Shell...
