Powershell remoting - Policy does not allow the delegation of user credentials
Do the following on the server:
Enable-WSManCredSSP -Role Server
Do the following on the client:
set-item wsman:localhost\client\trustedhosts -value *Enable-WSManCredSSP -Role Client –DelegateComputer *
Use gpedit.msc
on the client to enable Delegating Fresh Credentials to WSMAN/*:
- Expand
Local Computer Policy
, expandComputer Configuration
, expandAdministrative Templates
, expandSystem
, and then clickCredential Delegation
. - In the
Settings
pane, double-clickAllow Delegating Fresh Credentials with NTLM-only Server Authentication
. - In the
Allow Delegating Fresh Credentials with NTLM-only Server Authentication
dialog box, do the following: - Click
Enabled
. - In the
Options
area, clickShow
. - In Value, type
WSMAN/*
, and then clickOK
. Make sure thatConcatenate OS defaults with input above
is selected, and thenclickOK
.
The following command now works (after a password prompt):
Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user
See MSDN forums.
See TechNet
I finally got it to work thanks to this page. It provides a script that sets the required credential delegation policies by setting the appropriate registry keys directly. Once I ran that script with admin privileges, I was able to successfully establish a CredSSP connection to myserver:
Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com$allowed = @('WSMAN/*.mydomain.com')$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'if (!(Test-Path $key)) { md $key}New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force $key = Join-Path $key 'AllowFreshCredentials'if (!(Test-Path $key)) { md $key}$i = 1$allowed |% { # Script does not take into account existing entries in this key New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force $i++}
Expanding upon Akira's answer above, in gpedit.msc I had to set "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" rather than "Allow Delegating Fresh Credentials".