Powershell Remoting: Transport Exception - powershell

Here's the code I'm using:
const string username = "domain\\user";
const string password = "password";
var credentials = new PSCredential(username, password.ToSecureString());
var connInfo = new WSManConnectionInfo(new Uri("https://server.domain.com/powershell"), "http://schemas.microsoft.com/powershell/Microsoft.Exchange", credentials)
{AuthenticationMechanism = AuthenticationMechanism.Negotiate};
var rS = RunspaceFactory.CreateRunspace(connInfo);
rS.Open();
Here's the Exception:
Connecting to remote server server.domain.com failed with the following error message: The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server. To use Kerberos, specify the computer name as the remote destination. Also verify that the client computer and the destination computer are joined to a domain. To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by server: For more information, see the about_Remote_Troubleshooting Help topic.
So here's my confusion.
I checked the WSMan:\localhost\Client on the client computer, and made sure AllowUnencrypted was $true.
I checked WSMan:\localhost\Service on the server and made sure AllowUnencrypted was $true.
WSMan:\localhost\Service\Auth has Negotiate as well as Kerberos set to $true as well.
What else can I check to get rid of the exception?

I have no way to test this, but after looking at another example at an MSDN Blog, it seems that you need to update your connInfo line to add the servername, no matter which credentials you choose to use.
var connInfo = new WSManConnectionInfo(new Uri("https://server.domain.com/powershell", ADD_SERVER_NAME_HERE), "http://schemas.microsoft.com/powershell/Microsoft.Exchange", credentials) { AuthenticationMechanism = AuthenticationMechanism.Negotiate };

Related

Authenticate to Hadoop REST API via keytab file from WIndows domain

I'm trying to access Kerberized Hadoop cluster REST APIs from my .NET client using WebRequests. I'm using credentials from my ActiveDirectory domain, which has trust relations with the Hadoop realm:
NetworkCredential credentials = new NetworkCredential("user", "password", "ACTIVEDIRECTORY.DOMAIN");
WebRequest request = WebRequest.Create(System.Uri.EscapeUriString(url));
request.Credentials = credentials;
request.Method = "GET";
WebResponse response = await request.GetResponseAsync();
My workflow works fine as I see 3 responses on my requests:
HTTP/1.1 401 Authentication required
HTTP/1.1 307 TEMPORARY_REDIRECT
HTTP/1.1 200 OK
In my second request I see a Kerberos token sent as a separate security header:
Authorization: Negotiate YIIDXAYGKwYBBQUCoIIDUDCCA...
But this is my UPN account and I want to replace it with the SPN with a keytab instead of password as application will act as a standalone WCF service and I don't want to mess with web config security containers.
So my questions are:
1) Is it possible to use keytab instead my UPN creadentials to generate SPENGO Negotiate token after the first request?
2) Is there any way to use already obtained ticket from by cache in my WebRequest object?
3) How my Kerberos token is been generated? Is it an GSSAPI-encripted by version of my Username-Password?
I was trying to use MIT Kerberos Manager utilites for that by not much progress there.
Thanks in advance

[FATAL]RESULT=-1&RESPMSG=Failed to connect to host Input Server Uri = https://payflowpro.paypal.com/

My client can’t hit paypal from CRM.
We are getting the following error:
The following information was included with the event:
Transaction Errors from PayFlow Submit Transactions = Message 1
[FATAL]RESULT=-1&RESPMSG=Failed to connect to host Input Server Uri = https://payflowpro.paypal.com/
I have already done the following:
Go to C:\ProgramData\Microsoft\Crypto\RSA and verify "Network Services" has Read permission to "MachineKeys" folder. If not, add it.
Enabled TLS 1.0 in IIS Crypto
Awaiting your response.
Regards,
Pankaj

ADFS: Error while establishing SSO Connection on windows server 2012

When i access my sing-on url(https://abcd.avcd.ac/adfs/ls/IdpInitiatedSignOn.aspx) from my code to establish connection with adfs, I get error as:
A WS-Trust endpoint that was configured could not be opened.
Additional Data
Address: https://win-3723jtvfe02.abcd.avcd.ac/adfs/services/trust/2005/windowstransport
Mode: WindowsTransport
Error:
MSIS0006: A Service Principal Name is not registered for the AD FS service account.
And I also get warning as:
The SSL certificate does not contain all UPN suffix values that exist in the enterprise.
Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices.
Please help me to figure out this issue.
For the SPN issue, you'll need to get that registered. There is a nice article about that on technet here: http://social.technet.microsoft.com/wiki/contents/articles/1427.ad-fs-2-0-how-to-configure-the-spn-serviceprincipalname-for-the-service-account.aspx
If you're not using the Workplace-Join feature of ADFS 2012 R2, then you don't have to worry about that other error. If you do want to address it, though, check out the docs here: https://technet.microsoft.com/en-us/library/dn614658.aspx

Kerberos: difference between UPN and SPN

I'm now kerberizing a cross-platform application with GSSAPI.
While I'm not clear about the difference between UPN and SPN.
The development environment is a Samba4 AD DC server on CentOS 6.4 with a Windows server 2008 R2 a member box in the domain, say EXAMPLE.COM (You may be curious why not use Win2008 as DC directly. And as I stated previously, the application is cross-platform, I'm now testing in this setting. The normal Win DC-Linux MEM setting works fine.).
I create a new user foobar:users to run the application.
When I use foobar#EXAMPLE.COM, i.e. the UPN, to authenticate the application against Kerberos, I keep receiving
Kerberos: Principal may not act as server ERROR
Following a thread on Samba maillist, I think I should create a service principal name say app/dc.example.com for the UPN with samba-tool
samba-tool spn add app/dc.example.com foobar
This time I will receive another error
Samba4 KDC - no such entry found in hdb
My question is what's the difference between a UPN and SPN?
By samba-tool spn list foobar, it says foobar has servicePrincipalName app/dc.example.com.
How could I associate a UPN with an SPN?
Thank you very much.
Simply put,
UPN: An entity performing client requests to some service. Entity may be human or machine. See here.
SPN: An entity processing requests for a specific service, e.g., HTTP, LDAP, SSH, etc. Machine only. See here.
A UPN retrieves a service ticket for an SPN to use that actual service.
If your samba-tool call your request samba to register the SPN app/dc.example.com to the UPN foobar. Since You have not provided the realm of the SPN and UPN, Samba will assume the default realm of the machine this call is performed from. In Windows terms, you mostly bind an SPN to a machine UPN. Which is always: <name>$#<REALM>. Note the dollar sign.

exchange web services x509 Certivicate

I am trying to connect to Exchange Web Services to send an email on behalf of a user through my own Web Service (ASP/WCF). My code works fine when running on a desktop PC able to connect to the exchange server but when operating over the internet the exchange server can not be accessed, thus I am trying to connect through my web server instead.
I am looking for ways to login as another user without using Exchange Web Services impersonation (as I have been told to not use that unless there is absolutely no other way) and without the user providing their password.
I have the following code:
Dim service As New Microsoft.Exchange.WebServices.Data.ExchangeService(Microsoft.Exchange.WebServices.Data.ExchangeVersion.Exchange2007_SP1)
Dim emailAddress As String = "example#example.com"
System.Net.ServicePointManager.ServerCertificateValidationCallback = AddressOf CertificateValidationCallBack
Dim cert As New System.Security.Cryptography.X509Certificates.X509Certificate2(HttpContext.Current.Request.ClientCertificate.Certificate)
service.Credentials = New Microsoft.Exchange.WebServices.Data.WebCredentials(New System.Security.Cryptography.X509Certificates.X509Certificate())
service.UseDefaultCredentials = False
But this does not work because of an Unable to cast object of type 'System.Security.Cryptography.X509Certificates.X509Certificate' to type 'System.Net.ICredentials'. exception.
Can anyone direct me on how I might use an X509 certificate to authenticate against Exchange Web Services rather than using network credentials or username/password
I have been using this without error
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;