Powershell remoting - Policy does not allow the delegation of user credentials - powershell

I'm new to powershell and I'm having troubles using credentials delegation. I have the following script:
$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { <Some PowerShell Command> }
Before running it, I did the following:
Run Enable-PSRemoting on myserver.
Run Enable-WSManCredSSP Server on myserver.
Run Restart-Service WinRM on myserver.
Run Enable-WSManCredSSP Client –DelegateComputer myserver on the client.
Rebooted both the server and the client.
But once I run the script, I get the following error message:
[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
I checked the policies as mentioned in the error message but everything seems to be fine. What else could be blocking me?

Do the following on the server:
Enable-WSManCredSSP -Role Server
Do the following on the client:
Set-Item wsman:localhost\client\trustedhosts -Value *
Enable-WSManCredSSP -Role Client -DelegateComputer *
Use gpedit.msc on the client to enable Delegating Fresh Credentials to WSMAN/*:
Expand Local Computer Policy, expand Computer Configuration, expand
Administrative Templates, expand System, and then click Credential Delegation.
In the Settings pane, double-click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
In the Allow Delegating Fresh Credentials with NTLM-only Server Authentication dialog box, do the following:
Click Enabled.
In the Options area, click Show.
In Value, type WSMAN/*, and then click OK. Make sure that
Concatenate OS defaults with input above is selected, and then
click OK.
The following command now works (after a password prompt):
Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user
See MSDN forums.
See TechNet
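Before loosening anything to `*`, it helps to see exactly what the client is currently willing to delegate to and whether the name you pass to -ComputerName is actually matched by a policy entry. The script below is an added example, not part of Akira's answer or the linked threads: it reads the two policy subkeys the error message refers to, converts each WSMAN/... entry (including the `*` wildcard form shown in the error text) into a pattern, and reports whether the target is covered, alongside TrustedHosts and the Get-WSManCredSSP state. The target name `myserver.domain.com` in the usage call is an assumption. Keep in mind that CredSSP hands the remote host your full, reusable credentials, so scoping entries to a specific FQDN rather than `WSMAN/*` is the practitioner's default; the NTLM-only policy only matters when the target is reached by IP or is not domain-joined, because the client then authenticates with NTLM instead of Kerberos.

```powershell
# Added example (not code from the original post): inspect the client-side CredSSP
# policy and test whether a given target is covered. Run elevated on the client.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredSSPPolicyEntries {
    # One object per policy subkey named in the error message: whether the policy
    # is switched on (DWORD under the root key) and the numbered string values
    # (1, 2, ...) that hold the permitted SPN entries.
    param([string[]]$Policy = @('AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly'))
    foreach ($name in $Policy) {
        $enabled = (Get-ItemProperty -Path $PolicyRoot -Name $name -ErrorAction SilentlyContinue).$name
        $keyPath = Join-Path $PolicyRoot $name
        $entries = @()
        if (Test-Path $keyPath) {
            $key = Get-Item $keyPath
            $entries = @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
                         ForEach-Object { $key.GetValue($_) })
        }
        [pscustomobject]@{ Policy = $name; Enabled = ($enabled -eq 1); Entries = $entries }
    }
}

function Test-SpnEntry {
    # True when a policy entry such as WSMAN/*.domain.com covers WSMAN/<target>.
    # '*' is the only wildcard form used in these entries; -match is case-insensitive.
    param([string]$Entry, [string]$TargetFqdn)
    $pattern = '^' + [regex]::Escape($Entry).Replace('\*', '.*') + '$'
    return ("WSMAN/$TargetFqdn" -match $pattern)
}

function Test-CredSSPDelegation {
    # Report which policies would allow delegating to the target, plus the
    # TrustedHosts list and what Get-WSManCredSSP says (needs an elevated shell).
    param([Parameter(Mandatory)][string]$TargetFqdn)
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $state   = Get-WSManCredSSP
    foreach ($p in Get-CredSSPPolicyEntries) {
        $hits = @($p.Entries | Where-Object { Test-SpnEntry -Entry $_ -TargetFqdn $TargetFqdn })
        [pscustomobject]@{
            Policy       = $p.Policy
            Enabled      = $p.Enabled
            Entries      = ($p.Entries -join ', ')
            CoversTarget = ($p.Enabled -and $hits.Count -gt 0)
            TrustedHosts = $trusted
            WSManState   = ($state -join ' | ')
        }
    }
}

# Usage (elevated, on the client). The hostname is an assumed example; pass the
# exact name you use with -ComputerName, since WSMAN/myserver and
# WSMAN/myserver.domain.com are different SPNs.
Test-CredSSPDelegation -TargetFqdn 'myserver.domain.com' | Format-List
```

If `CoversTarget` is false for `AllowFreshCredentials` even though Enable-WSManCredSSP -Role Client was run, the usual cause is a name mismatch (short name vs FQDN, or an IP address, which forces NTLM and therefore the NTLM-only policy).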

I finally got it to work thanks to this page. It provides a script that sets the required credential delegation policies by setting the appropriate registry keys directly. Once I ran that script with admin privileges, I was able to successfully establish a CredSSP connection to myserver:
Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com
$allowed = @('WSMAN/*.mydomain.com')
$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $key)) {
    md $key
}
New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force
$key = Join-Path $key 'AllowFreshCredentials'
if (!(Test-Path $key)) {
    md $key
}
$i = 1
$allowed |% {
    # Script does not take into account existing entries in this key
    New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
    $i++
}
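The script above warns that it ignores entries already present under the policy key, and it also writes a wildcard for the whole domain. The following is an added example, not the script from the linked page: it sets the same registry policy but merges the new SPN entries with whatever is already there (for instance the entry that Enable-WSManCredSSP -Role Client itself writes), renumbers the values from 1, supports -WhatIf, only touches the NTLM-only policy when explicitly asked, and includes a function to back everything out again. The hostname `myserver.mydomain.com` in the usage lines is an assumption.

```powershell
# Added example (not from the original answer or the page it links): scoped,
# merge-aware CredSSP delegation policy. Run in an elevated shell on the client.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-PolicyEntries {
    # Numbered string values (1, 2, ...) under one policy subkey, in order.
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return @() }
    $key = Get-Item $KeyPath
    @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
      Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) })
}

function Set-CredSSPDelegationPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # FQDNs or wildcard forms like *.mydomain.com; deliberately not '*'.
        [Parameter(Mandatory)][string[]]$Target,
        # Only needed when the target is reached by IP or is not domain-joined,
        # because the client then authenticates with NTLM instead of Kerberos.
        [switch]$AllowNtlmOnly
    )
    $policies = @('AllowFreshCredentials')
    if ($AllowNtlmOnly) { $policies += 'AllowFreshCredentialsWhenNTLMOnly' }

    $wanted = foreach ($t in $Target) { if ($t -like 'WSMAN/*') { $t } else { "WSMAN/$t" } }

    foreach ($name in $policies) {
        $keyPath = Join-Path $PolicyRoot $name
        # Merge case-insensitively with existing entries instead of overwriting them.
        $seen   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
        $merged = @(foreach ($e in @(Get-PolicyEntries $keyPath) + @($wanted)) { if ($seen.Add($e)) { $e } })

        if (-not $PSCmdlet.ShouldProcess($keyPath, "set entries to: $($merged -join ', ')")) { continue }
        if (-not (Test-Path $PolicyRoot)) { New-Item -Path $PolicyRoot -Force | Out-Null }
        if (-not (Test-Path $keyPath))    { New-Item -Path $keyPath    -Force | Out-Null }
        # The DWORD on the root key is the policy's Enabled flag.
        New-ItemProperty -Path $PolicyRoot -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        # Rewrite the numbered values from 1 so there are no gaps or stale leftovers.
        (Get-Item $keyPath).GetValueNames() | Where-Object { $_ -match '^\d+$' } |
            ForEach-Object { Remove-ItemProperty -Path $keyPath -Name $_ }
        $i = 1
        foreach ($e in $merged) {
            New-ItemProperty -Path $keyPath -Name $i -Value $e -PropertyType String -Force | Out-Null
            $i++
        }
        [pscustomobject]@{ Policy = $name; Entries = ((Get-PolicyEntries $keyPath) -join ', ') }
    }
}

function Clear-CredSSPDelegationPolicy {
    # Back it all out once the job is done: the policy keys and the client CredSSP setting.
    if (Test-Path $PolicyRoot) { Remove-Item -Path $PolicyRoot -Recurse -Force }
    Disable-WSManCredSSP -Role Client
}

# Usage (elevated, on the client). The hostname is an assumed example.
Set-CredSSPDelegationPolicy -Target 'myserver.mydomain.com' -WhatIf
Set-CredSSPDelegationPolicy -Target 'myserver.mydomain.com'
Enable-WSManCredSSP -Role Client -DelegateComputer 'myserver.mydomain.com' -Force
```

The point of the merge is that repeated runs, or a run after Enable-WSManCredSSP -Role Client, never silently drop an entry another tool wrote, and the point of defaulting to Kerberos-authenticated targets only is that a `*` entry under the NTLM-only policy lets any host that can answer to the name you typed collect your plaintext credentials.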

I had the need to fully automate my solution, particularly the section in the solution that has you go into the GPO editor.
1) Enable Remote PS
Enable-PSRemoting -Force
2) Enable CredSSP
# $domain is assumed to hold the machine's DNS domain name (assignment added so the snippet runs as-is)
$domain = $env:USERDNSDOMAIN
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer localhost -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $env:COMPUTERNAME -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $domain -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*.$domain" -Force
Set-Item -Path "wsman:\localhost\service\auth\credSSP" -Value $True -Force
3) Enable NTLM Fresh Credentials through the Registry:
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -Name AllowFreshCredentialsWhenNTLMOnly -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly -Name 1 -Value '*' -PropertyType String
Only after this was I able to launch a PowerShell script as the local admin that was able to run in a PSSession and perform AD actions.
# $adPassword and $userPassword are assumed to be supplied by the caller before this point
$secpasswd = ConvertTo-SecureString $adPassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("$domain\Admin", $secpasswd)
# No -ComputerName, so this is a CredSSP session to the local machine
$adminSession = New-PSSession -Credential $credential -Authentication Credssp
$sb = {
    param($p1, $p2)
    whoami
    New-ADUser ....
}
Invoke-Command -Session $adminSession -ScriptBlock $sb -ArgumentList $domain, $userPassword

Expanding upon Akira's answer above, in gpedit.msc I had to set "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" rather than "Allow Delegating Fresh Credentials".

Related

Invoke-command localhost Access Denied

When Trying to invoke-Command against the Local Host I get access denied.
I have confirmed that PS remoting is enabled and the account is Administrator. Additionally Remoting in from remote machine works without issue.
Invoke-Command -computername LocalHost -scriptblock {hostname}
I expect to have the hostname of the local machine returned, however I receive Access denied Errors.
Enable the WinRM service to start automatically
On both host and remote machines:
Set-Service winrm -StartupType Automatic
Start-Service winrm
Enable PSRemoting
On both host and remote machines:
Enable-PSRemoting -Force
Add computers to Trusted Hosts
On the remote machine:
Set-Item wsman:\localhost\Client\TrustedHosts -Value "$(hostname),*.$((Get-WmiObject Win32_ComputerSystem).Domain)"
Enable multi-hopping in PowerShell remoting
Identify which hosts to allow passing of creds (DelegateComputer takes an array, so pass the names as separate strings):
Enable-WSManCredSSP -Role Client -DelegateComputer "$(hostname)", "*.$((Get-WmiObject Win32_ComputerSystem).Domain)"
On the source machine:
Enable-WSManCredSSP -Role Server
You must specify Authentication and a Credential
On the host machine:
$Cred = [System.Management.Automation.PSCredential]::new("<username>", $("<Password>" | ConvertTo-SecureString -AsPlainText -Force))
Invoke-Command -ComputerName localhost -ScriptBlock { Write-Host $args[0] } -ArgumentList "Hello!, It Works" -Authentication Credssp -Credential $Cred
REFERENCE
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting?view=powershell-6

CredSSP - Access is denied. For more information, see the about_Remote_Troubleshooting Help topic

The error:
New-PSSession : [{Public IP of my remote server}] Connecting to remote server
{Public IP of my remote server} failed with the following error message :
Access is denied. For more information, see the about_Remote_Troubleshooting
Help topic.
At C:\Scripts\Test.ps1:24 char:12
+ $Session = New-PSSession -Computer $target -Authentication Credssp -C ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
The "about_Remote_Troubleshooting" seems to be referring to this post which I've tried to follow along, but without luck.
I have a scripting server (Server A) that I'm trying to have manage a remote DC with a different hosting company.
DISCLAIMER: Since I've been failing miserably so far, I'm trying to set my configuration to be as wide-open as possible (AKA: temporarily unsecure), so that I can just see it working and then work backwards, tightening my security - as much as I can given that I'm being tasked with CredSSP in the first place... Also, I'm way over my head in this and very new to Powershell. With that in mind...
Configuration I've done on Server A:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 0 -Force
Enable-PSRemoting
Set-ExecutionPolicy Unrestricted
Enable-WSManCredSSP -Role Client -DelegateComputer *
Configuration I've done on Server B:
Enable-PSRemoting
Enable-WSManCredSSP -Role Server
And for kicks, on both machines, I've run gpedit and went under Local Computer Policy → Computer Configuration → Administrative Templates → System → Credentials Delegation... enabled "Allow delegating fresh credentials" and "Allow delegating fresh credentials with NTLM-only server authentication" and added * and wsman/* to the servers list (and a few other possible combinations of IP or computer names for good measure).
So, I can send remote commands to Server B without CredSSP:
This works:
$cred = New-Object System.Management.Automation.PSCredential $username, $securePassword
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
Write-Host $env:computername | Select-Object
}
(Outputs name of Server B)
But if I pass that same $cred into a New-PSSession with CredSSP, that is where the error above occurs.
$Session = New-PSSession -Computer $target -Authentication Credssp -Credential $cred
Server A is able to use CredSSP with a different Domain Controller (in the same network/hosting company). Every article I've gone through seems to lead me to believe that what I've done should work in both cases... What am I missing?

Kerberos Delegation Issue Copying Files to Remote Session with 2008 R2 Domain functional Level

When running the below code, I can put anything in the block at the bottom. I'm trying to copy a folder across to run an exe from a local folder and perform an install of that exe during the remote session to remote machines. I am getting Access Denied errors. I read I can't use the Kerberos delegation cmdlets, which are only for a forest level of 2012 and above. The current site has domain functional level 2008 R2. Is there another way to achieve copying the files across during each remote session to the computers specified in the text file?
Thanks in advance
########################################
$Cred = Get-Credential DOMAIN\USER
$Computers = Get-Content C:\tab.txt | Where-Object { $_ }
ForEach ($Computer in $Computers)
{
    # Optional reachability check (commented out):
    # if (Test-Connection -ComputerName $Computer -BufferSize 16 -Count 1 -Quiet)
    # {
    # Creates a new remote PowerShell session and script block - enter
    # the code you want to execute remotely from this block
    $Session = New-PSSession $Computer -Credential $Cred
    Invoke-Command -Session $Session -ScriptBlock {
        Copy-Item -Path "\\print-server\pcclient\win\*" -Destination "c:\pcclient" -Force -Recurse -Verbose
        # Start-Sleep -s 10
        # Start-Process "\\Print-Server\PCClient\win\client-local-install.exe" -ArgumentList "/SILENT"
    }
    # Close this computer's session before moving on to the next one
    Remove-PSSession -Session $Session
    # }
}
This is because you're on a remote machine, trying to access another network resource. When you connect to the remote machine in PowerShell, you're effectively connected/authenticated to that machine only, (unless you specify otherwise) it doesn't have access to your credentials to access the network share, so the connection to the network share is treated as unauthenticated, hence the failure.
This article https://blogs.technet.microsoft.com/heyscriptingguy/2012/11/14/enable-powershell-second-hop-functionality-with-credssp/ covers it well; essentially you will need to run this locally (to allow your machine to pass credentials):
Enable-WSManCredSSP -Role Client -DelegateComputer * -Force
On the server run (to allow the server to accept these credentials):
Enable-WSManCredSSP -Role Server -Force
And update your New-PSSession command to:
$Session = New-PSSession $computer -Credential $cred -Authentication CredSSP
If you want, you can share your credentials with only specific machines, or subsets of a domain using *.yourdomain.lan or whatever, if you connect to multiple machines, then it's easier to use -DelegateComputer *.
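The asker's actual goal is to get an installer onto each machine and run it, and that can be done without any credential delegation at all: copy the files over the first-hop session itself, so the remote host never has to authenticate to \\print-server. The script below is an added example, not the asker's code or the answerer's; it assumes a local staging copy of the package in C:\staging\pcclient on the scripting machine, the same C:\tab.txt list of computer names as in the question, and PowerShell 5.0 or later on both ends (Copy-Item -ToSession was introduced in 5.0).

```powershell
# Added example (not from the original post): avoid the second hop entirely by
# pushing the installer through the already-authenticated session.
$Cred      = Get-Credential DOMAIN\USER
$Source    = 'C:\staging\pcclient'          # assumed local staging path
$Installer = 'client-local-install.exe'     # file name from the question
$Computers = Get-Content C:\tab.txt | Where-Object { $_ }

function Install-ViaFirstHop {
    param([string]$Computer, [pscredential]$Credential)
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        Write-Warning "$Computer is unreachable, skipping"
        return
    }
    $session = New-PSSession -ComputerName $Computer -Credential $Credential
    try {
        # Make sure the destination directory exists, then stream the package
        # over the session. The remote side never opens a network share, so
        # there is no second hop and nothing for CredSSP to delegate.
        Invoke-Command -Session $session -ScriptBlock {
            New-Item -ItemType Directory -Path 'C:\pcclient' -Force | Out-Null
        }
        Copy-Item -Path "$Source\*" -Destination 'C:\pcclient' -ToSession $session -Recurse -Force

        # Run the installer from the local copy and report its exit code.
        Invoke-Command -Session $session -ScriptBlock {
            param($exe)
            $p = Start-Process -FilePath (Join-Path 'C:\pcclient' $exe) -ArgumentList '/SILENT' -Wait -PassThru
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; ExitCode = $p.ExitCode }
        } -ArgumentList $Installer
    }
    finally {
        # Always tear the session down, even if the copy or the install failed.
        Remove-PSSession $session
    }
}

foreach ($c in $Computers) { Install-ViaFirstHop -Computer $c -Credential $Cred }
```

This trades some bandwidth (the package goes client to each target instead of share to each target) for not having to enable CredSSP anywhere, which is usually the better deal on a 2008 R2 functional level where resource-based Kerberos constrained delegation is not an option.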

WinRM cannot process the request

"Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090304 occurred while using Negotiate authentication: An unknown security error occurred."
I'm attempting to run scripts remotely to non-domain servers and the clients are also not part of a domain since our environment is based on MicroFocus eDirectory.
I've configured/tried the following on both client AND server:
winrm quickconfig
winrm set winrm/config/client @{TrustedHosts="*"}
Set-Item wsman:localhost\client\trustedhosts -Value *
And again, none of the machines are part of a domain but I assumed it would work with trustedhosts.
Code attempting to authenticate looks like this:
[xml]$windows=(Get-Content P:\script\windows.xml)
$windows.servers.host | ForEach-Object {
$password = ConvertTo-SecureString $_.pass -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$_.name+$_.user",$password
Invoke-Command -ComputerName $_.name -Credential $credential -ScriptBlock {Get-Culture}
}
Your problem is in the formatting of the username. "$_.name+$_.user" will evaluate to a string with a + in the middle of it, since the quotes are wrapped around both elements. The correct way to write it would be "$($_.name)$($_.user)" or, more likely, if the source file does not place a trailing '\' on the name field,
"$($_.name)\$($_.user)"

Using Get-DnsServerResourceRecord Remotely Against Another Domain

Im trying to run the following
$secpasswd = 'Test'
$secpasswd = ConvertTo-SecureString $secpasswd -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ('domain2\nick', $secpasswd)
[scriptblock]$CheckDNS = {
Get-DnsServerResourceRecord -Name 'computername' -ZoneName domain2.local -ComputerName domain2dC.domain2.local }
invoke-command -scriptblock $CheckDNS -Credential $mycreds -ComputerName domain2managementbox.domain2.local
This should be running the Get-DnsServerResourceRecord module on the target machine; however, I'm getting the following error:
Failed to get the zone information for domain2.local on server domain2managementbox.domain2.local.
+ CategoryInfo : PermissionDenied: (dgtest.local:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord
When I run the command on the box itself it works fine and I have the correct permissions.
Thanks
You're attempting to "double hop" with your credentials (from your client machine to "domain2managementbox.domain2.local" and then again to "domain2dC.domain2.local"). This is not permitted using the default Kerberos authentication.
Run Enable-WSManCredSSP -Role Client -DelegateComputer domain2managementbox.domain2.local -Force on your client machine.
Run Enable-WSManCredSSP -Role Server -Force on "domain2managementbox.domain2.local"
... and then use -Authentication CredSSP as an additional parameter for Invoke-Command.
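CredSSP is one way through; the other is to make the second hop an explicit authentication rather than a delegated one, by passing the PSCredential object into the first-hop session and using it there to open a CIM session to the DNS server. The DnsServer cmdlets are CDXML and take -CimSession, which is what makes this work. The script below is an added example, not the asker's or the answerer's code; the hostnames, zone and record name are those from the question, and the credential is assumed to come from Get-Credential rather than a literal password.

```powershell
# Added example (not from the original post): second hop without CredSSP by
# authenticating explicitly from the middle box with a passed-in credential.
$mycreds = Get-Credential 'domain2\nick'

function Get-DnsRecordViaHop {
    param(
        [string]$ManagementBox = 'domain2managementbox.domain2.local',
        [string]$DnsServer     = 'domain2dC.domain2.local',
        [string]$ZoneName      = 'domain2.local',
        [string]$RecordName    = 'computername',
        [Parameter(Mandatory)][pscredential]$Credential
    )
    Invoke-Command -ComputerName $ManagementBox -Credential $Credential -ScriptBlock {
        param($dns, $zone, $name, $cred)
        # Inside the first hop we hold no delegable Kerberos ticket, but we do
        # hold the PSCredential that was shipped in with -ArgumentList, so the
        # hop to the DNS server is a fresh, explicit logon rather than a delegated one.
        $cim = New-CimSession -ComputerName $dns -Credential $cred
        try {
            Get-DnsServerResourceRecord -CimSession $cim -ZoneName $zone -Name $name
        }
        finally {
            Remove-CimSession $cim
        }
    } -ArgumentList $DnsServer, $ZoneName, $RecordName, $Credential
}

Get-DnsRecordViaHop -Credential $mycreds
```

The management box can still recover the password from the PSCredential it receives, so this is not a secrecy improvement over CredSSP; what it buys is that delegation happens only in this one script, to one named server, with no machine-wide policy or Enable-WSManCredSSP state left behind.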