Powershell remoting - Policy does not allow the delegation of user credentials

I finally got it to work thanks to this page. It provides a script that sets the required credential delegation policies by setting the appropriate registry keys directly. Once I ran that script with admin privileges, I was able to successfully establish a CredSSP connection to myserver:

Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com

$allowed = @('WSMAN/*.mydomain.com')

$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $key)) {
    md $key
}
New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force            

$key = Join-Path $key 'AllowFreshCredentials'
if (!(Test-Path $key)) {
    md $key
}
$i = 1
$allowed |% {
    # Script does not take into account existing entries in this key
    New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
    $i++
}

Do the following on the server:

Enable-WSManCredSSP -Role Server

Do the following on the client:

set-item wsman:localhost\client\trustedhosts -value *

Enable-WSManCredSSP -Role Client –DelegateComputer *

Use gpedit.msc on the client to enable Delegating Fresh Credentials to WSMAN/*:

  1. Expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credential Delegation.
  2. In the Settings pane, double-click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
  3. In the Allow Delegating Fresh Credentials with NTLM-only Server Authentication dialog box, do the following:
  4. Click Enabled.
  5. In the Options area, click Show.
  6. In Value, type WSMAN/*, and then click OK. Make sure that Concatenate OS defaults with input above is selected, and then click OK.

The following command now works (after a password prompt):

Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user

See MSDN forums.

See TechNet


Expanding upon Akira's answer above, in gpedit.msc I had to set "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" rather than "Allow Delegating Fresh Credentials".


I had to the need to fully automate my solution, particularly the part section in the solution that has you go into the GPO editor.

1) Enable Remote PS

Enable-PSRemoting -force

2) Enable CredSSP

Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer locahost -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $env:COMPUTERNAME -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $domain -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*.$domain" -Force
Set-Item -Path "wsman:\localhost\service\auth\credSSP" -Value $True -Force

3) Enable NTLM Fresh Credentials through the Registery:

New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -Name AllowFreshCredentialsWhenNTLMOnly -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly -Name 1 -Value * -PropertyType String

Only after this was I able to launch powershell script as the local admin that was able to run in a PSSession and preform AD actions.

$secpasswd = ConvertTo-SecureString $adPassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("$domain\Admin", $secpasswd)
$adminSession = New-PSSession -Credential $credential -Authentication Credssp;

$sb = {
  param($p1, $p2)

  whoami

  New-ADUser ....
}

Invoke-Command -Session $adminSession -Script $sb -ArgumentList $domain,$userPassword

Tags:

Powershell

Powershell Remoting

Winrm

Recent Posts