I went through the WinRM-Certificate-Authentication document by Dave but am unable to implement it in a Workgroup environment.
Goal:-
500+ Workgroup clients need to be managed via PS. I have enabled PS Remoting and so far it's working like a charm. Due to increased security threats and ransomware attacks, we are frequently changing the local admin account password, which is common across the board. I thought of moving PS Remoting to HTTPS instead of HTTP and using certificate authentication mode to stop transmitting the password on the wire. In this way, I thought I could use a single Management Server to connect to 500+ Workgroup systems over HTTPS using certificate authentication. We do have SCCM in our environment but it only works on PS 3.0+, hence we have to depend on PS.
Configuration:-
I do have an Active Directory CA and I use the below code to get the certificate using PS from the Workgroup system.
[pre]
# Domain credential used to authenticate to the CA's username/password enrollment policy endpoint
$Username = 'Domain\User'
$Password = 'Password'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $pass

# Subject of the listener certificate: the workgroup machine's own name
$certSubject = "CN=$ENV:COMPUTERNAME"

# Enroll against the WinRM template via CEP and drop the cert into the machine store
$Cert = Get-Certificate -Template WinRM -Credential $Cred -SubjectName $certSubject `
    -Url 'https://CA.Contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP' `
    -CertStoreLocation Cert:\LocalMachine\My -DnsName $ENV:COMPUTERNAME
[/pre]
Once I obtain the cert I use that cert to configure the WinRM listener.
[pre]
# Look up the enrolled listener cert by the subject set above ($certSubject = "CN=<computername>")
$thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object { $_.Subject -like "$certSubject" }).Thumbprint

# Build the winrm.cmd command line; --% stops PowerShell parsing so the @{...} hashtable is passed verbatim
$WinrmCreate = "winrm create --% winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$ENV:COMPUTERNAME`";CertificateThumbprint=`"$thumbprint`"}"
Invoke-Expression $WinrmCreate
[/pre]
After the above config I can run the below command successfully, which gives me an indication that the WinRM HTTPS listener is working fine.
[pre]
Invoke-Command -ScriptBlock $SB -ComputerName $COMP -Credential $RCred -Port 5986 -UseSSL
[/pre]
Now I run the below command on the Workgroup system to configure the mapping. $CARoot is the thumbprint of the Root CA, which is in LocalMachine\Root, and the command executes successfully.
[pre]
# Map any client cert issued by $CARoot (any subject, any URI) to the local account in $Cred1
New-Item -Path WSMan:\localhost\ClientCertificate -Credential $Cred1 -URI * -Subject * -Issuer $CARoot -Force -Confirm:$false
[/pre]
Challenge:-
- Not sure which thumbprint I should use when I run Invoke-Command from the Management System.
- In the mapping, we have to use a local account. What happens if that account is deleted or the password of that account is changed?
- After configuring WinRM over HTTPS, if I use the IP address as the computer name it fails with a cert error. Since it's difficult to track the exact computer and easy to work with IPs, can we use a wildcard in the WinRM HTTPS listener?
Ex. If we can use *.contoso.com then we can use 10-10-10-1.contoso.com as the computer name where the computer IP will be 10.10.10.1.
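The following is an added end-to-end example of the certificate-authentication flow the post is setting up; it is editor-written illustration, not code from the original post or from Dave's document. It assumes a hypothetical target host WS01 that already has the HTTPS listener from the post, a hypothetical local account LocalAdmin on that host, a management server running Windows 10 / Server 2016 or later (for the New-SelfSignedCertificate parameters used), and the issuing CA of the listener certificate already trusted by the management server. Because the AD CA template for a client certificate is not known from the post, the client certificate is self-signed here and is therefore its own issuer for the mapping.

```powershell
# Added example (editor's illustration, not from the original post).
# Hypothetical names: target host WS01, local account LocalAdmin, UPN winrm-admin@localhost.

# ---- Phase 1 (once, on the management server): create the CLIENT certificate ----
# A client-auth cert needs EKU 1.3.6.1.5.5.7.3.2 (Client Authentication) and a UPN in the
# Subject Alternative Name; WinRM on the target uses that UPN to look up the mapping.
$clientUpn  = 'winrm-admin@localhost'   # must match -Subject of the mapping below
$clientCert = New-SelfSignedCertificate -Type Custom -Subject 'CN=winrm-admin' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2',
                     "2.5.29.17={text}upn=$clientUpn") `
    -KeyUsage DigitalSignature, KeyEncipherment -KeyAlgorithm RSA -KeyLength 2048 `
    -CertStoreLocation Cert:\CurrentUser\My

# Export only the public certificate; the private key never leaves the management server.
Export-Certificate -Cert $clientCert -FilePath C:\temp\winrm-admin.cer | Out-Null

# ---- Phase 2 (on each target, e.g. through the existing remoting session): trust + map ----
# Self-signed cert => it is its own issuer, so it goes into Root (and TrustedPeople).
$issuer = Import-Certificate -FilePath C:\temp\winrm-admin.cer -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath C:\temp\winrm-admin.cer -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null

# Allow certificate authentication on the WinRM service side.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# The mapping stores the local account's password; WinRM logs on with it at connect time,
# so after every password rotation this mapping must be recreated with the new credential.
$localCred = Get-Credential -UserName 'LocalAdmin' -Message 'Local admin password for the cert mapping'
New-Item -Path WSMan:\localhost\ClientCertificate -Subject $clientUpn -URI * `
    -Issuer $issuer.Thumbprint -Credential $localCred -Force

# ---- Phase 3 (management server): connect using the CLIENT cert's thumbprint ----
# -CertificateThumbprint refers to the client certificate in the caller's own store
# (Cert:\CurrentUser\My here), not to the target's listener certificate.
$target = 'WS01'   # must match the listener cert's subject/SAN; an IP will fail the CN check
$sb     = { "$env:COMPUTERNAME as $env:USERNAME" }
Invoke-Command -ComputerName $target -Port 5986 -UseSSL `
    -CertificateThumbprint $clientCert.Thumbprint -ScriptBlock $sb
```

In Phase 3 the connection is validated twice: the management server checks the target's listener certificate against the name in -ComputerName (which is why an IP address fails against a certificate that only names the computer), and the target checks the presented client certificate against its ClientCertificate mappings. With a real CA-issued client certificate, -Issuer in Phase 2 would be that CA's thumbprint (as with $CARoot in the post) and only the CA certificate, not the client certificate, would need to be trusted on the target.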