Setting up the CredSSP access for multi-hop

I’ve previously shown the way to set  up the multi-hop access with RunAs, but nowadays the PowerShell team had added the great commands that make the CredSSP setup easy, and it became easier to use than RunAs. Here is how to do it.

On the server side do:

$null = Enable-WSManCredSSP -Role Server -Force

On the client side do:

$null = Enable-WSManCredSSP -Role Client -DelegateComputer "*" -Force
$null = mkdir -Force "HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials"
Set-ItemProperty -LiteralPath "HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials" -Name "my" -Value "wsman/*" -Type STRING
$null = mkdir -Force "HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly"
Set-ItemProperty -LiteralPath "HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly" -Name "my" -Value "*" -Type STRING

Obviously, on the intermediate machines you’ll need to set up both the server and client sides.

Instead of “*” you can use a pattern or a comma-separated list of patterns of the host names. “*” just enables it for all the hosts.

The messing with the Registry is needed to set up the group policies to allow CredSSP. You can do the same from the GUI. But the command line is easier, and also can be used on NanoServer that has no GUI, and can be executed remotely in general.

By the way, while at it, here is a reminder of how to set up the client side for the plain basic connection:

Set-Item -Force WSMan:\localhost\Client\TrustedHosts "*"
Set-Item -Force WSMan:\localhost\Client\AllowUnencrypted "true"


Comments (0)

Skip to main content