I'm new to PowerShell and I'm having trouble using credential delegation. I have the following script:
$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }
Before running it, I did the following.
On myserver:
Enable-PSRemoting
Enable-WSManCredSSP Server
Restart-Service WinRM
On the client:
Enable-WSManCredSSP Client -DelegateComputer myserver
But once I run the script, I get the following error message:
[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
I checked the policies as mentioned in the error message but everything seems to be fine. What else could be blocking me?
Do the following on the server:
Enable-WSManCredSSP -Role Server
Do the following on the client:
set-item wsman:localhost\client\trustedhosts -value *
Enable-WSManCredSSP -Role Client -DelegateComputer *
Use gpedit.msc on the client to enable Delegating Fresh Credentials to WSMAN/*:
Open Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credential Delegation.
In the Settings pane, double-click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
In the Allow Delegating Fresh Credentials with NTLM-only Server Authentication dialog box, do the following: click Enabled. In the Options area, click Show. Type WSMAN/*, and then click OK. Make sure that Concatenate OS defaults with input above is selected, and then click OK.
The following command now works (after a password prompt):
Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user
See MSDN forums.
See TechNet.
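As an added example that is not part of the question or the answer above: a client-side audit script that reads the settings the error message and the answer refer to (TrustedHosts, the CredSSP client role, and the SPN list written by the Allow Delegating Fresh Credentials policies) and flags the wildcard values, so that once the connection works they can be narrowed to the one target server. It assumes the target is myserver.domain.com, that it runs in an elevated PowerShell session on the client, and that the policy stores its SPN list under the CredentialsDelegation registry key as numbered string values.

```powershell
# Added audit example (not code from the original post). Run elevated on the client.
# Reports any CredSSP/WinRM client setting that delegates credentials more
# broadly than a single target server needs.
param(
    [string]$Target = 'myserver.domain.com'   # assumed target; replace with yours
)

$findings = @()

# 1. WinRM TrustedHosts: a '*' entry accepts any host name without Kerberos
#    identity checks, so credentials could be delegated to an unintended host.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -match '\*') {
    $findings += "TrustedHosts is '$trusted'; narrow it with: " +
                 "Set-Item WSMan:\localhost\Client\TrustedHosts -Value '$Target'"
}

# 2. SPN lists written by the 'Allow Delegating Fresh Credentials' policies.
#    Each SPN is stored as a numbered string value under these subkeys.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
foreach ($sub in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $key = Join-Path $base $sub
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $spn = $item.GetValue($name)
        if ($spn -match '^WSMAN/\*') {
            $findings += "$sub contains '$spn' (matches any server); prefer 'WSMAN/$Target'"
        }
    }
}

# 3. Confirm the CredSSP client role is enabled; without it the policy is moot.
$credssp = (Get-WSManCredSSP) -join ' '
if ($credssp -match 'not configured to allow delegating fresh credentials') {
    $findings += 'CredSSP client role is not enabled on this machine.'
}

if ($findings.Count -eq 0) {
    "CredSSP delegation is scoped to $Target; no wildcard settings found."
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Once the session to the target works with the narrowed values, the same commands from the answer can be re-run with the specific host name in place of * to keep delegation limited to that server.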