PowerShell Remoting / Certificate Auth / Changing Passwords

I’ve set up an image with PowerShell remoting enabled over HTTPS and using certificate auth; any machines deployed with this image will be in a workgroup. I assumed certificate auth would work similarly in concept to SSH keys, so that a certificate would be bound to the user account regardless of the password. What I’ve found is that if I change the password after configuring certificate auth, I can no longer connect. The only way to fix this is to delete the wsman config for the client certificate and re-issue the command to bind the client cert with the new password.

Is there any way around this?

You need to give some more detail on what you’re using the certificate for.

Is this an SSL certificate being used to secure the WS-MAN endpoint?

Or is the certificate being used to authenticate an incoming user, instead of relying on a password?

I suspect you’re referring to the latter. If that’s the case, I’m not aware of a workaround. The certificate store isn’t set up in a way that facilitates distributing certificates via a master image, in the way you seem to be describing.

Yes, that’s correct, it’s the latter. The problem isn’t related to the image being a master; I originally saw the error after my final sysprep. I then tested without a sysprep, so assume a standard machine with PowerShell configured over HTTPS. Client auth certificate works fine, but as soon as I change the password on the administrator’s account, the one I used to bind the certificate, remote PowerShell stops working. Running the following lines fixes the issue, until the password is changed again:

$Username = 'Administrator'
$adminPass = ConvertTo-SecureString 'Mynewpassword1' -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $adminPass
del wsman:\localhost\ClientCertificate\ClientCertificate_* -recurse
New-Item -Path WSMan:\localhost\ClientCertificate -Credential $Credentials -Subject admin@localhost -URI * -Issuer 415E12063261DCEF7724C98FF972C0ABABAB1212 -Force

Note: The ‘del wsman’ is from memory so may be a little off in the target path.
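
The re-bind step described in this thread can be wrapped so that the mapping's existing Subject, Issuer and URI are read back rather than retyped, and the new password is prompted for instead of being stored in a script. This is an added example, not code from the thread; the function name `Update-ClientCertificateMapping` is hypothetical, and it assumes an elevated session on the machine that hosts the mapping.

```powershell
# Added example (not from the thread): re-create the WSMan client-certificate
# mapping for one certificate subject after the mapped account's password changes.
function Update-ClientCertificateMapping {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Subject of the mapping to refresh, e.g. admin@localhost as used in the thread.
        [Parameter(Mandatory)]
        [string]$Subject,

        # Account and NEW password the certificate should map to.
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )

    $root = 'WSMan:\localhost\ClientCertificate'

    foreach ($mapping in Get-ChildItem -Path $root) {
        $path = "$root\$($mapping.Name)"

        # Each mapping exposes its settings (URI, Subject, Issuer, ...) as child items.
        $settings = @{}
        Get-ChildItem -Path $path | ForEach-Object { $settings[$_.Name] = $_.Value }

        # Leave mappings for other certificates untouched.
        if ($settings['Subject'] -ne $Subject) { continue }

        if ($PSCmdlet.ShouldProcess($path, 'Re-create mapping with the new password')) {
            Remove-Item -Path $path -Recurse -Force
            New-Item -Path $root -Credential $Credential `
                -Subject $settings['Subject'] `
                -URI $settings['URI'] `
                -Issuer $settings['Issuer'] -Force | Out-Null
        }
    }
}

# Prompt for the new password so it never appears in plain text in a script.
$cred = Get-Credential -UserName 'Administrator' -Message 'Enter the new password'
Update-ClientCertificateMapping -Subject 'admin@localhost' -Credential $cred
```

Running it with `-WhatIf` first lists the mappings that would be re-created without changing anything.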