CredSSP for second-hop remoting

PowerShell Team

PS C:\> $r = New-PSSession
PS C:\> icm $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx}
Enter password:
Invoke-Command : The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.
At line:1 char:4
+ icm <<<<  $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx}

I am trying to run Get-PfxCertificate in a remote runspace, but why does it fail? What is delegation?

PowerShell remoting supports a new authentication mechanism called CredSSP. “CredSSP enables an application to delegate the user’s credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP).” See the following link for more info: http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/25/724271.aspx
Here is a link to the CredSSP protocol specification: http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf

To enable the client-side SSP for winrm, run the following line:
Enable-WSManCredSSP -Role client -DelegateComputer *

To enable server-side SSP for winrm:
Enable-WSManCredSSP -Role server

Now let’s try the same scenario with a remote runspace created with CredSSP authentication.

PS C:\> $r = New-PSSession Fully.Qualified.Domain.Name -Auth CredSSP -cred domain\user
PS C:\> icm $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx} | fl
Subject      : CN=Hula Monkey, OU=checkins, OU=monad
Issuer       : CN=Hula Monkey, OU=checkins, OU=monad
Thumbprint   : 613F82CEAF98C2457BD140AF3FBF7045FFFBAC90
FriendlyName :
NotBefore    : 7/7/2004 4:15:37 PM
NotAfter     : 12/31/2039 3:59:59 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
ComputerName : Fully.Qualified.Domain.Name
PS C:\> icm $r {$s=new-pssession}
PS C:\> icm $r {icm $s {whoami}}
domain\user
PS C:\>

Get-PfxCertificate now works in the remote runspace! I can also open another remote runspace inside the remote runspace, or access a network share inside the remote runspace. Enjoy!

To disable client-side SSP for winrm:
Disable-WSManCredSSP -Role client

To disable server-side SSP for winrm:
Disable-WSManCredSSP -Role server
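The whole enable / second-hop / disable sequence above, collected into one script as an added example (this is not code from the original post). It differs from the post in one respect: instead of `-DelegateComputer *`, which permits delegating the user's credentials to any WS-Man target, it names the single first-hop host that actually needs them, and it removes the client-side delegation again in a finally block. The host name `first-hop.example.internal` and the .pfx path are hypothetical placeholders.

```powershell
# Added example, not from the original post. Enables CredSSP on the client for
# one named target, verifies the setting, performs the second hop shown in the
# post, and removes the delegation afterwards.
# Hypothetical values: the first-hop FQDN and the .pfx path.

$FirstHop = 'first-hop.example.internal'   # hypothetical FQDN of the first-hop server

# Client side: allow delegation only to the named first-hop host. This is the
# same step as 'Enable-WSManCredSSP -Role client' in the post, minus the wildcard.
Enable-WSManCredSSP -Role Client -DelegateComputer $FirstHop -Force

# Print the resulting configuration so the allowed delegation targets can be
# checked before any credential is sent.
Get-WSManCredSSP

$session = $null
try {
    $cred = Get-Credential -Message "Account to delegate to $FirstHop"
    $session = New-PSSession -ComputerName $FirstHop -Authentication CredSSP -Credential $cred

    # First hop: with a delegated credential, Get-PfxCertificate no longer fails
    # with the 'must be trusted for delegation' error from the post.
    Invoke-Command -Session $session -ScriptBlock {
        Get-PfxCertificate -FilePath 'C:\certs\example.pfx'   # hypothetical path
    } | Format-List Subject, Thumbprint, NotAfter

    # Second hop: open a further session from inside the first one and confirm
    # that the identity arriving there is the delegated user (the post's whoami).
    Invoke-Command -Session $session -ScriptBlock {
        $inner = New-PSSession
        try     { Invoke-Command -Session $inner -ScriptBlock { whoami } }
        finally { Remove-PSSession $inner }
    }
}
finally {
    if ($session) { Remove-PSSession $session }
    # Remove the client-side delegation once the task is done, matching the
    # 'Disable-WSManCredSSP -Role client' step in the post.
    Disable-WSManCredSSP -Role Client
}
```

The server-side step (`Enable-WSManCredSSP -Role server` on the first-hop host) is unchanged and is not repeated here; it has to be run on that host, not on the client.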

Wei Wu [MSFT]
Visit the Windows PowerShell Team blog at:    http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at:  http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx
