NTLM or Kerberos - PS Remoting

Hi Team,

A small doubt. I'm currently working in a multi-forest environment where some forests have a trust and some do not. I am able to use PSRemoting within the trusted forest without any changes, and I am also able to PSRemote to the untrusted forest using a TrustedHosts entry in the WSMan configuration.

Now I'm a bit confused about the authentication mechanism mentioned in the title. Which one handles authentication to the untrusted forest, Kerberos or NTLM?

Please help me clear up this doubt; also, if NTLM is the answer, is there any way to change it to Kerberos?

Thanks in Advance.

Roy.

Hi Sankhadip,

Maybe this could help:

https://community.idera.com/database-tools/powershell/ask_the_experts/f/powershell_for_windows-12/10640/invoke-command-mixed-domain-kerberos-versus-ntlm

Have you checked out, or are you familiar with, Secrets of PowerShell Remoting?

This article may help. https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-6

Good reference Aaron. Thanks.

As per Don, did he mean that by using TrustedHosts, Kerberos will work (look at the bold statement below)?

Kerberos can only be used within trusted domains. Across non-trusted domains... nope. That's why it was using NTLM. And, in order for that to work, you either have to connect via HTTPS or put the target machine in the initiating machine's TrustedHosts list. Either way, you must also specify -Credential.
Regards,

Sankhadip.

His comment on Kerberos was well-put. Once you go beyond the boundary of where Kerberos can manage authentication (into the untrusted domain), NTLM has to handle authentication because you can’t pass Kerberos session tickets to an untrusted destination.

Here’s another reference: https://stackoverflow.com/questions/9691643/kerberos-delegation-across-2-untrusted-domains-using-wcf

By adding the ‘untrusted’ host to the TrustedHosts list on the computer you’re remoting from, you’re allowing the connection but it will be over NTLM.
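The behaviour Aaron describes can be checked from the client rather than inferred. The following is an added example for this thread, not code posted by any participant: it reads the TrustedHosts list, asks the remote side which authentication package actually logged the caller on, shows the HTTPS listener that lets you avoid TrustedHosts altogether, and lists the 4624 logon events on the target so the NTLM fallback is visible in the Security log. The hostnames `srv01.trusted.example` and `srv02.untrusted.example`, the account `UNTRUSTED\admin`, the helper name `Get-RemotingAuthType` and the certificate thumbprint are all placeholders.

```powershell
# Added example (not from the thread). Hostnames, account and thumbprint
# are placeholders; replace them for your environment.

# 1. Which hosts the client will send NTLM credentials to without Kerberos
#    mutual authentication. Keep this list as short as possible.
Get-Item WSMan:\localhost\Client\TrustedHosts

# 2. Ask the target which package logged the caller on. The remote side
#    reports "Kerberos" or "NTLM" for the session that runs the script block.
function Get-RemotingAuthType {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [PSCredential] $Credential,
        [ValidateSet('Default', 'Kerberos', 'Negotiate', 'Credssp')]
        [string] $Authentication = 'Default',
        [switch] $UseSSL
    )
    $params = @{
        ComputerName   = $ComputerName
        Authentication = $Authentication
        UseSSL         = $UseSSL.IsPresent
        ScriptBlock    = {
            [System.Security.Principal.WindowsIdentity]::GetCurrent().AuthenticationType
        }
    }
    if ($Credential) { $params.Credential = $Credential }
    Invoke-Command @params
}

# Inside a trusted forest Kerberos is available, so forcing it succeeds
# and no TrustedHosts entry is involved.
Get-RemotingAuthType -ComputerName 'srv01.trusted.example' -Authentication Kerberos

# Against the untrusted forest the same call is expected to fail: no trust
# path exists for a KDC to issue a service ticket for the target.
$cred = Get-Credential 'UNTRUSTED\admin'   # placeholder account
Get-RemotingAuthType -ComputerName 'srv02.untrusted.example' `
    -Credential $cred -Authentication Kerberos

# Negotiate falls back to NTLM, which the client only allows because the
# host is in TrustedHosts (or because the connection uses -UseSSL).
Get-RemotingAuthType -ComputerName 'srv02.untrusted.example' `
    -Credential $cred -Authentication Negotiate

# 3. Alternative to TrustedHosts: an HTTPS listener on the target. The
#    authentication is still NTLM, but the server is now identified by its
#    certificate and the credentials travel inside TLS. Run elevated on the
#    target; the certificate must be a server-authentication cert whose
#    subject matches the name the client connects with.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName 'srv02.untrusted.example' `
    -CertificateThumbprint '<THUMBPRINT_OF_SERVER_CERT>' -Force
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow

# Client side: connect over 5986 with no TrustedHosts change.
Get-RemotingAuthType -ComputerName 'srv02.untrusted.example' -Credential $cred -UseSSL

# 4. Detection on the target: network logons (LogonType 3) from remoting
#    record the package that authenticated them, so NTLM fallbacks from the
#    untrusted forest show up as "NTLM" where Kerberos was expected.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
        @{ n = 'Package'; e = { $_.Properties[10].Value } }
```

`WindowsIdentity.AuthenticationType` is evaluated on the remote host, so it reports the package that built the remote logon session, which is the question the thread is asking. The HTTPS listener does not turn the untrusted-forest connection into Kerberos; it only replaces the TrustedHosts entry as the reason the client is willing to send NTLM credentials, and it does so with server authentication that TrustedHosts lacks.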

Thanks a lot Aaron. Now clear… :+1: