Remoting with CredSSP to non-trust domain

Hello,

I have been successful at getting PS Remoting to work between untrusted domains, Yaay!! However, I can’t figure out how to enable CredSSP.
CredSSP is working great for me within the same domain.
I’ve created an SSL endpoint on the target server, but still cannot connect, as per below:
I have every WinRM trust setting imaginable set to WSMAN/*.lab.testing.com, on the client machine.

Works:
$sessOption = New-PSSessionOption -SkipRevocationCheck
New-PSSession -Authentication Default -Credential $credentials -SessionOption $sessOption -ComputerName srv004.lab.testing.com

Fails:
$sessOption = New-PSSessionOption -SkipRevocationCheck
New-PSSession -Authentication credssp -Credential $credentials -SessionOption $sessOption -ComputerName srv004.lab.testing.com

Error:
New-PSSession : [srv004.lab.testing.com] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client cannot process the request. A
computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure
the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service ‘@{CertificateThumbprint=""}’ Or you can check the Event Viewer for an event
that specifies that the following SPN could not be created: WSMAN/. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot
use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following
policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and
configured with an SPN appropriate for the target computer. For example, for a target computer name “myserver.domain.com”, the SPN can be one of the following: WSMAN/myserver.domain.com or
WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.

Fails:
New-PSSession -Authentication credssp -Credential $credentials -ComputerName chelwebvci004.cctlab.expecn.com -UseSSL

Error:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.

Fails:
$sessOption = New-PSSessionOption -SkipRevocationCheck
New-PSSession -Authentication credssp -Credential $credentials -ComputerName chelwebvci004.cctlab.expecn.com -UseSSL -SessionOption $sessOption

Any help is appreciated, thanks!

Well, the error message seems pretty clear. I know I’m going to sound like a jerk. But, what it wants is a trusted certificate on the server that you were trying to connect to, because it doesn’t have Kerberos to verify the identity. Or am I not getting your question in my head? If not, sorry - try again, it’s been a day!

Doh!

I had tried that command before, but this was my usage:
winrm set winrm/config/service @{CertificateThumbprint=""}

Looks like after re-reading the error message I was missing the single quotes around the @:
winrm set winrm/config/service '@{CertificateThumbprint=""}'

Now I have set this on the target server and my client.

When connecting I got:

New-PSSession : [] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client received an HTTP server error
status (500), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.

I just gave Everyone read access to the cert, and here is the winrm configuration.

Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = true
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = * [Source="GPO"]
    IPv6Filter = * [Source="GPO"]
    EnableCompatibilityHttpListener = true [Source="GPO"]
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint = 9267198CA389DCC3C96582742D406A96792E8CEA
    AllowRemoteAccess = true [Source="GPO"]

However, now I’m back to:
New-PSSession : [srv004.lab.testing.com] Connecting to remote server srv004.lab.testing.com failed with the following error message : The WinRM client cannot process the request. A
computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure
the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service ‘@{CertificateThumbprint=""}’ Or you can check the Event Viewer for an event
that specifies that the following SPN could not be created: WSMAN/. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot
use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following
policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and
configured with an SPN appropriate for the target computer. For example, for a target computer name “myserver.domain.com”, the SPN can be one of the following: WSMAN/myserver.domain.com or
WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:13

Have you checked that Group Policy setting that you bolded in the original post? (I assume so; just checking.)

Thanks Dave:

Oh, frustrating. I had it set with:
WSMAN/*.lab.testing.com

and it wasn’t working,

I set it to:
WSMAN/*

and now it works.

WTH! Why doesn’t the wildcard work? For the -computername argument, I’m always using the FQDN.
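
To see what the client is actually evaluating when this delegation error appears, the following added example (not written by any poster in the thread) reads the Credentials Delegation policy lists from the client's registry, reports which entries cover the target SPN, and flags entries such as WSMAN/* that permit delegation to any host. It assumes the standard Group Policy registry location, and its `-like` comparison only approximates WinRM's own wildcard matching.

```powershell
# Added example, not from the thread: audit the CredSSP delegation policy on the client.
# Assumption: the policy is stored under the standard Group Policy registry key below.
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$policies = 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly'

# Target SPN built from the FQDN exactly as it is passed to -ComputerName.
$target = 'WSMAN/srv004.lab.testing.com'

function Get-DelegationSpn {
    # Returns one object per SPN entry configured for the given policy list.
    param([string]$PolicyName)
    $key = Join-Path $base $PolicyName
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Policy = $PolicyName
            Entry  = $name
            Spn    = [string]$item.GetValue($name)
        }
    }
}

function Test-SpnPattern {
    # Approximation only: PowerShell -like wildcard, case-insensitive.
    param([string]$Pattern, [string]$TargetSpn)
    $TargetSpn -like $Pattern
}

# DWORD values on the parent key record whether each policy is enabled (1).
$flags = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue

$report = foreach ($p in $policies) {
    foreach ($e in Get-DelegationSpn -PolicyName $p) {
        $service, $hostPart = $e.Spn -split '/', 2
        [pscustomobject]@{
            Policy        = $e.Policy
            Enabled       = ($flags.$p -eq 1)
            Spn           = $e.Spn
            MatchesTarget = Test-SpnPattern -Pattern $e.Spn -TargetSpn $target
            AnyHost       = ($hostPart -eq '*')   # e.g. WSMAN/* delegates to every host
        }
    }
}

if ($report) { $report | Format-Table -AutoSize }
else         { Write-Output "No delegation SPN entries found under $base" }
```

An entry with AnyHost set to True allows the client to send fresh credentials to any WSMAN endpoint it connects to, so it is worth narrowing once the connection works.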