Powershell remoting - Policy does not allow the delegation of user credentials

ChrisB picture ChrisB · Aug 7, 2013 · Viewed 46.5k times · Source

I'm new to powershell and I'm having troubles using credentials delegation. I have the following script:

$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }

Before running it, I did the following:

  1. Run Enable-PSRemoting on myserver.
  2. Run Enable-WSManCredSSP Server on myserver.
  3. Run Restart-Service WinRM on myserver.
  4. Run Enable-WSManCredSSP Client –DelegateComputer myserver on the client.
  5. Rebooted both the server and the client.

But once I run the script, I get the following error message:

[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of
 the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delega
tion -> Allow Delegating Fresh Credentials.  Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "m
yserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

I checked the policies as mentioned in the error message but everything seems to be fine. What else could be blocking me?

Answer

Akira Yamamoto picture Akira Yamamoto · Dec 5, 2013

Do the following on the server:

Enable-WSManCredSSP -Role Server

Do the following on the client:

set-item wsman:localhost\client\trustedhosts -value *

Enable-WSManCredSSP -Role Client –DelegateComputer *

Use gpedit.msc on the client to enable Delegating Fresh Credentials to WSMAN/*:

  1. Expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credential Delegation.
  2. In the Settings pane, double-click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
  3. In the Allow Delegating Fresh Credentials with NTLM-only Server Authentication dialog box, do the following:
  4. Click Enabled.
  5. In the Options area, click Show.
  6. In Value, type WSMAN/*, and then click OK. Make sure that Concatenate OS defaults with input above is selected, and then click OK.

The following command now works (after a password prompt):

Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user

See MSDN forums.

See TechNet