I have been successful at getting PS Remoting to work between untrusted domains, Yaay!! However, I can’t figure out how to enable CredSSP.
CredSSP is working great for me within the same domain.
I’ve created an SSL endpoint on the target server, but still cannot connect, as per below:
I have every WinRM trust setting imaginable set to WSMAN/*.lab.testing.com, on the client machine.
Error:
New-PSSession : [srv004.lab.testing.com] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client cannot process the request. A
computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure
the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint=""}' Or you can check the Event Viewer for an event
that specifies that the following SPN could not be created: WSMAN/. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot
use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following
policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and
configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or
WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
Well, the error message seems pretty clear. I know I'm going to sound like a jerk. But what it wants is a trusted certificate on the server that you were trying to connect to, because it doesn't have Kerberos to verify the identity. Or am I not getting your question in my head? If not, sorry - try again, it's been a day!
I had tried that command before, but this was my usage:
winrm set winrm/config/service @{CertificateThumbprint=""}
Looks like after re-reading the error message I was missing the single quotes around the @:
winrm set winrm/config/service '@{CertificateThumbprint=""}'
Now I have set this on the target server and my client.
When connecting I got:
New-PSSession : Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client received an HTTP server error
status (500), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.
I just gave Everyone read access to the cert, and here is the winrm configuration.
However, now I’m back to:
New-PSSession : [srv004.lab.testing.com] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client cannot process the request. A
computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure
the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint=""}' Or you can check the Event Viewer for an event
that specifies that the following SPN could not be created: WSMAN/. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot
use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following
policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and
configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or
WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:13
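As an added example (not code from the thread), a read-only PowerShell check of the settings the error message above names: the two "Allow Fresh Credentials" delegation policies on the client, and the WSMan service certificate on the server. It assumes it runs in an elevated PowerShell on the machine being checked; the default hostname is a constructed value taken from the thread.

```powershell
# Added diagnostic, not from the thread. Reads settings only; changes nothing.
# $TargetHost defaults to a constructed value based on the thread's hostnames.
param([string]$TargetHost = 'srv004.lab.testing.com')

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DelegationPolicy {
    # gpedit writes each "Allow Fresh Credentials*" policy as a DWORD under
    # $policyRoot plus a subkey of the same name whose values 1, 2, ... hold the SPNs.
    param([string]$PolicyName)
    $flag = (Get-ItemProperty -Path $policyRoot -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    $spns = @()
    $subKey = Join-Path $policyRoot $PolicyName
    if (Test-Path $subKey) {
        $spns = @((Get-ItemProperty -Path $subKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    [pscustomobject]@{ Policy = $PolicyName; Enabled = ($flag -eq 1); Spns = $spns }
}

# --- Client side: is CredSSP allowed, and does a policy entry cover the target? ---
Write-Host "Client CredSSP auth enabled: $((Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value)"
foreach ($name in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $p = Get-DelegationPolicy -PolicyName $name
    # -like lets a policy entry such as WSMAN/*.lab.testing.com cover the target host.
    $match = $p.Spns | Where-Object { "WSMAN/$TargetHost" -like $_ }
    Write-Host ("{0}: enabled={1} entries=[{2}] coversTarget={3}" -f $name, $p.Enabled, ($p.Spns -join ','), [bool]$match)
}
Write-Host "Without a Kerberos trust to $TargetHost only the WhenNTLMOnly policy applies."

# --- Server side: does the WSMan service present a certificate the client can verify? ---
Write-Host "Service CredSSP auth enabled: $((Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value)"
$thumb = (Get-Item WSMan:\localhost\Service\CertificateThumbprint).Value
if (-not $thumb) {
    Write-Host 'Service CertificateThumbprint is empty: no way to verify this host without Kerberos.'
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Host "Thumbprint $thumb is set but no such certificate exists in Cert:\LocalMachine\My."
    } else {
        # The service needs a cert whose name covers the host, that chains to a CA the
        # client trusts, is unexpired, and whose private key the service can read.
        Write-Host ("Cert subject={0} expires={1} chainValid={2} hasPrivateKey={3}" -f $cert.Subject, $cert.NotAfter, $cert.Verify(), $cert.HasPrivateKey)
    }
}
```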