Powershell remoting - Policy does not allow the delegation of user credentials

powershell powershell-remoting winrm
ChrisB picture ChrisB · Aug 7, 2013 · Viewed 46.5k times · Source

I'm new to powershell and I'm having troubles using credentials delegation. I have the following script:

$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }

Before running it, I did the following:

  1. Run Enable-PSRemoting on myserver.
  2. Run Enable-WSManCredSSP Server on myserver.
  3. Run Restart-Service WinRM on myserver.
  4. Run Enable-WSManCredSSP Client –DelegateComputer myserver on the client.
  5. Rebooted both the server and the client.

But once I run the script, I get the following error message:

[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of
 the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delega
tion -> Allow Delegating Fresh Credentials.  Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "m
yserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

I checked the policies as mentioned in the error message but everything seems to be fine. What else could be blocking me?

Answer

Akira Yamamoto picture Akira Yamamoto · Dec 5, 2013

Do the following on the server:

Enable-WSManCredSSP -Role Server

Do the following on the client:

set-item wsman:localhost\client\trustedhosts -value *

Enable-WSManCredSSP -Role Client –DelegateComputer *

Use gpedit.msc on the client to enable Delegating Fresh Credentials to WSMAN/*:

  1. Expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credential Delegation.
  2. In the Settings pane, double-click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
  3. In the Allow Delegating Fresh Credentials with NTLM-only Server Authentication dialog box, do the following:
  4. Click Enabled.
  5. In the Options area, click Show.
  6. In Value, type WSMAN/*, and then click OK. Make sure that Concatenate OS defaults with input above is selected, and then click OK.

The following command now works (after a password prompt):

Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user

See MSDN forums.

See TechNet

Related questions

WinRM cannot process the request - fails only over a specific domain

Some of ours servers (W2K8 R2) were moved to the cloud last week, once done that my powerswhell script started to fail (was working fine before), the exception is thrown on the line where the connection is trying to …

Read More
"Access denied" on Remote winrm

I created a Windows VM on Windows Azure with winrm over SSL set. But, I can't connect it using a powershell script. When I'm running the following: ​Enter-PSSession -ConnectionUri https://myniceapp.cloudapp.net:5986 -Credential "hostname/username" -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) …

Read More
Checks about WinRM service in remote machine

I have seen great article PowerShell 2.0 remoting guide: Part 8 – remoting scenarios and troubleshooting http://www.ravichaganti.com/blog/?p=1181 I have this issue: I have two computers in domain, in network. First Test OK: Remoting to a computer in domain …

Read More