WSMan and Basic authorization

Sergii picture Sergii · Jun 22, 2012 · Viewed 8.6k times · Source

I'm trying to get WSMan working using Basic authorizaion. I'm always getting Access Denied error. Kerberos authentiaction works fine.

Windows Remote Management service is running on Windows Server 2008 R2 in Domain A and has the following config:

Config
    MaxEnvelopeSizekb = 800
    MaxTimeoutms = 600000
    MaxBatchItems = 20
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;S-1-5-21-2516571543-3809851355-1508507046-1008)(A;;GA;;;BA)(A;;GAGXGWGR;;;S-1-5-21-3465154619-3242790773-2173928322-17804)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 200
        EnumerationTimeoutms = 600000
        MaxConnections = 15
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint = ee cd g2 5e 61 ad d0 07  07 b7 77 95 ec 38 16 02df 7f 64 51
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 180000
        MaxConcurrentUsers = 5
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 15
        MaxMemoryPerShellMB = 150
        MaxShellsPerUser = 5

I'm executing Test-WSMan on a Windows 7 workstation which is in domain B:

Test-WSMan -ComputerName https://server2008:5986 -Auth basic -Cred B\MY_USER_NAME

And getting the following error:

Test-WSMan : Access is denied.
At line:1 char:11
+ Test-WSMan -ComputerName https://server2008:5986 -Auth basic -Cred B\MY_USER_NAME
    + CategoryInfo          : InvalidOperation: (https://server2008:5986:5986:String) [Test-WSMan], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

Note that the following command works fine:

Test-WSMan -ComputerName https://server2008:5986 -Auth kerberos

The following logs apear on Windows Server:

Error   6/22/2012 12:21:27 PM   Windows Remote Management   168 User authentication

General: Sending HTTP 401 response to the client and disconnect the connection after sending the response
Details:
    Log Name:      Microsoft-Windows-WinRM/Operational
    Source:        Microsoft-Windows-WinRM
    Date:          6/22/2012 12:21:27 PM
    Event ID:      168
    Task Category: User authentication
    Level:         Error
    Keywords:      Security,Server
    User:          NETWORK SERVICE
    Computer:      server2008
    Description:
        Sending HTTP 401 response to the client and disconnect the connection after sending the response

Can someone help me to solve this issue? Is this a configuration issue or am I doing something wrong?

Thanks.

Answer

user1578107 picture user1578107 · Jun 21, 2013

WinRM basic Auth does not honor domain. Basically you can only authenticate as a local user of the target machine