Powershell remoting - Policy does not allow the delegation of user credentials


Do the following on the server:

Enable-WSManCredSSP -Role Server

Do the following on the client:

Set-Item wsman:\localhost\client\trustedhosts -Value *
Enable-WSManCredSSP -Role Client -DelegateComputer *

Use gpedit.msc on the client to enable Delegating Fresh Credentials to WSMAN/*:

  1. Expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credential Delegation.
  2. In the Settings pane, double-click Allow Delegating Fresh Credentials with NTLM-only Server Authentication.
  3. In the Allow Delegating Fresh Credentials with NTLM-only Server Authentication dialog box, do the following:
  4. Click Enabled.
  5. In the Options area, click Show.
  6. In Value, type WSMAN/*, and then click OK. Make sure that Concatenate OS defaults with input above is selected, and then click OK.

The following command now works (after a password prompt):

Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user

See MSDN forums.

See TechNet.


I finally got it to work thanks to this page. It provides a script that sets the required credential delegation policies by setting the appropriate registry keys directly. Once I ran that script with admin privileges, I was able to successfully establish a CredSSP connection to myserver:

Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com

$allowed = @('WSMAN/*.mydomain.com')
$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $key)) {
    md $key
}
New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force

$key = Join-Path $key 'AllowFreshCredentials'
if (!(Test-Path $key)) {
    md $key
}
$i = 1
$allowed |% {
    # Script does not take into account existing entries in this key
    New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
    $i++
}


Expanding upon Akira's answer above, in gpedit.msc I had to set "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" rather than "Allow Delegating Fresh Credentials".
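The three answers above set the same thing in three ways: the first with Enable-WSManCredSSP plus gpedit.msc, the second with registry writes for the AllowFreshCredentials policy, the third pointing out that the NTLM-only variant of that policy is the one that actually unblocked the connection. The script below is an added, consolidated example and is not code from any of those answers. It pulls the pieces together with the scoping a practitioner would want: TrustedHosts and -DelegateComputer limited to the one host instead of *, the NTLM-only policy written to the registry values gpedit.msc uses (AllowFreshCredentialsWhenNTLMOnly and ConcatenateDefaults_AllowFreshNTLMOnly), existing numbered entries preserved rather than overwritten, and CredSSP disabled again afterwards. The host names appserver01.mydomain.com and fileserver are placeholders assumed for the example. Keep in mind what CredSSP does: it hands your full credential to the remote machine so that machine can authenticate onward, which means anyone with admin on that host can recover it. Scoping the delegation list and turning it off when done is what keeps that exposure to the one box you chose.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the answers above. Host names are placeholders.
$Server = 'appserver01.mydomain.com'   # assumed: the host that receives the delegated credential
$Domain = 'mydomain.com'               # assumed

# --- On the SERVER (run once, elevated) ---------------------------------------
# Enable-WSManCredSSP -Role Server
# (sets WSMan:\localhost\Service\Auth\CredSSP to true)

# --- On the CLIENT --------------------------------------------------------------
# 1. Trust only the host you need. '*' trusts every host you ever connect to,
#    and with CredSSP that host gets your plaintext credential.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Server -Concatenate -Force

# 2. Client-side CredSSP, delegating to that host only, not to '*'.
#    This writes the plain AllowFreshCredentials policy for you...
Enable-WSManCredSSP -Role Client -DelegateComputer $Server -Force

# 3. ...but as the last answer notes, the NTLM-only policy is the one that
#    clears "Policy does not allow the delegation of user credentials".
#    These are the values behind "Allow Delegating Fresh Credentials with
#    NTLM-only Server Authentication" in gpedit.msc.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$list   = Join-Path $policy 'AllowFreshCredentialsWhenNTLMOnly'
New-Item -Path $policy -Force | Out-Null
New-Item -Path $list   -Force | Out-Null
New-ItemProperty -Path $policy -Name 'AllowFreshCredentialsWhenNTLMOnly'       -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $policy -Name 'ConcatenateDefaults_AllowFreshNTLMOnly'   -Value 1 -PropertyType DWord -Force | Out-Null   # "Concatenate OS defaults"

# Append SPNs after any numbered entries already present instead of clobbering "1", "2", ...
$existing = (Get-ItemProperty -Path $list).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' }
$next = if ($existing) { [int](($existing.Name | ForEach-Object { [int]$_ } | Measure-Object -Maximum).Maximum) + 1 } else { 1 }
foreach ($spn in @("WSMAN/$Server")) {          # one exact SPN, not WSMAN/*
    if ($existing.Value -notcontains $spn) {
        New-ItemProperty -Path $list -Name $next -Value $spn -PropertyType String -Force | Out-Null
        $next++
    }
}

# 4. Verify what the client will now delegate, then test the second hop.
Get-WSManCredSSP
$cred = Get-Credential "$Domain\user"
Invoke-Command -ComputerName $Server -Authentication Credssp -Credential $cred -ScriptBlock {
    Get-ChildItem \\fileserver\devtools           # assumed share, as in the first answer
}

# 5. Remove the delegation once the job is done; leaving it on keeps the
#    password flowing to that host on every later CredSSP session.
Disable-WSManCredSSP -Role Client
```

Run it from an elevated PowerShell on the client; the server-side Enable-WSManCredSSP -Role Server still has to be run on the server as the first answer says. Get-WSManCredSSP shows the current delegation list before the Invoke-Command test, which is the quickest way to see whether the policy write took effect; the Disable-WSManCredSSP at the end clears the client role and the entries Enable-WSManCredSSP added, but not the NTLM-only registry list written in step 3, so remove that key yourself if the delegation was temporary.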