Problem with certbased authentication at powershell remoting


I’m looking for some help at a problem to manage a couple of servers outside of our domain with powershell remoting.

I followed the guide “Secrets of PowerShell Remoting” and configured a https-listener and the listener works.

I can establish a connection via SSL with a local user:

PS C:\Users\adm_cbrumm\Documents> $session = New-PSSession -ComputerName server.fqdn -Credential "HBGERPV001\fct_psr_Admin" -UseSSL
PS C:\Users\adm_cbrumm\Documents> Enter-PSSession -Session $session
[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents>

Then I created an user-cert and imported it in the Trusted People Store:

[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-ChildItem Cert:\LocalMachine\TrustedPeople

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\TrustedPeople

Thumbprint                                Subject
----------                                -------
D77AC0C0E6AC433ADB822C7E82663638B730552C  CN=psr_Admin Function, OU=QSC, OU=FCT, OU=ACCOUNTS, OU=CENTRAL, DC=***...

and I imported the cert of the issuing-ca:

[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-ChildItem Cert:\LocalMachine\CA | where { $_.Subject -match 'PKP'}

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\CA

Thumbprint                                Subject
----------                                -------
557A8CE0C284DDE39CB0B6724B07B0C0D83EE086  CN=***-***-CA, DC=***, DC=LAN

And enabled Certbased Auth:

[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> get-item -path WSMan:\localhost\Service\Auth\Certificate

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   Certificate                                    true

I created a mapping (the wildcard in subject came in while debugging):

[server.fqdn]: PS C:\Users\fct_psr_ADMIN\Documents> Get-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_479242521 | fl *

PSPath            : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate\ClientCertificate_479242521
PSParentPath      : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate
PSChildName       : ClientCertificate_479242521
PSDrive           : WSMan
PSProvider        : Microsoft.WSMan.Management\WSMan
PSIsContainer     : True
Keys              : {URI=*, Issuer=557A8CE0C284DDE39CB0B6724B07B0C0D83EE086, Subject=*}
Name              : ClientCertificate_479242521
TypeNameOfElement : Container
Type              : Container

and tried to connect …

PS C:\Users\adm_cbrumm\Documents> $session = New-PSSession -ComputerName server.fqdn -CertificateThumbprint D77AC0C0E6AC433ADB822C7E82663638B730552C
New-PSSession : [server.fqdn] Connecting to remote server server.fqdn failed
with the following error message : The WinRM client cannot process the request. The destination computer
(server.fqdn:5986) returned an 'access denied' error. Specify one of the authentication
mechanisms supported by the server. If Kerberos mechanism is used, verify that the client computer and the destination
computer are joined to a domain. Possible authentication mechanisms reported by server:     Negotiate Kerberos
ClientCerts For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ComputerName server.fqdn -Certifi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

After a whole day of controlling every step I have no idea what to do next …

Thanks for your help!

From what I can see here, it looks like you’re doing things correctly. Just to double check, please run the following commands and let me know their output:

# On server.fqdn:

(Get-Item Cert:\LocalMachine\TrustedPeople\D77AC0C0E6AC433ADB822C7E82663638B730552C).HasPrivateKey

# On the client computer:

(Get-Item Cert:\CurrentUser\My\D77AC0C0E6AC433ADB822C7E82663638B730552C).HasPrivateKey

If all is set up properly, you should get a result of $false on the server and $true on the client computer. (Neither command should produce an error.)

Also, when you created the mapping, you did enter the credentials of a local account on server.fqdn which has Administrator rights, correct? You can’t use a domain account with certificate authentication.

Hi Dave,

thanks for your response.

I checked the private keys and got false on the server and a true on the client.
For the mapping I tested two local admin accounts (a fresh one and the buildin).

I’m not sure what’s going wrong, then. Since it’s an Access Denied error, I would start by checking the Security event log. The PowerShell event logs may also have something useful.

What operating systems and PowerShell versions are you using for the client and server? If I have some time, I’ll try spinning up a new test environment to see if I can reproduce the problem.

Hi Dave,

I think my problem is solved … I have no idea why but now it works …
For a deeper look I just enabled more logging (described here: ITPro Today: IT News, How-Tos, Trends, Case Studies, Career Tips, More) started a trace and it works …

Are there any caches involved? Maybe the Thumbprint check of the issuing CA?

I will go on rolling out that config on the other machines and see if it happens again.

Thanks for your help!

This is a very strange behaviour … we reproduced it on two additional machines and it takes a couple of hours to work.
We can handle this but we are really interrested in the reason … any ideas?

Are you generating new certificates at the time you reproduce the problem? Maybe you’ve got something quirky happening like the certificate’s NotBefore value is set for 2-3 hours in the future (perhaps due to confusion over time zones in the cert request, or something along those lines.) Or, does the account that the certificate maps to have any logon time restrictions?

I’m kind of grasping at straws here. Off the top of my head, I can’t think of any other reason a certificate auth might give you “Access Denied”, then suddenly start working with no change on your part.

Hi Dave,

fortunately we have some more server to configure … so we could test a lot in the last days.

Our Problem was the following:

  • We are using a two-tiered PKI and the usercert for authentication is issued by the issuing CA.
    At the initial configuration we had only imported the cert of the issuing CA in cert:\localmachine\CA but it seems to be necessary that the root cert is imported too.
  • If the root cert is not present the server sends an access denied and caches it - so the root cert has to be imported before the first connection attempt.

I’ve attached the script we are now using to connect our standalone systems to the central scripting host. (some more comments would be great i know …)
Maybe this is helpful for anybody.

Thanks for your help