Login AM Tips Tricks Setup WinRM CredSSP

From Login VSI Documentation

Login AM uses WinRM in combination with CredSSP authentication for executing the dashboard commands that need to be run on a remote computer. For detailed instruction on how to enable WinRM on your systems, see below.

PowerShell remoting supports an authentication mechanism called CredSSP. CredSSP enables an application to delegate the user's credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP). See the CredSSP protocol specification for more information.

Enable from PowerShell

Client configuration

The client configuration must be applied on the machine from which you run the Login AM User Interface; this is typically the server on which you installed Login AM.

To enable client-side CredSSP to allow user credential delegation to all computers in the domain, run the command:

Enable-WSManCredSSP -Role client -DelegateComputer *

Server configuration

The server configuration needs to be configured on the servers/machines you wish to connect to.

To enable the server to accept delegated credentials:

Enable-WSManCredSSP -Role server

Hint: Use -Force parameter for Enable-WSManCredSSP to suppress the Y/N question on the prompt.

Enabling 'WinRM & CredSSP' using group policy (GPO)

To enable client-side CredSSP to allow user credential delegation for WinRM for all computers in the domain.local domain, set the following policy values:

  • Computer Policy\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials → Set to enabled and add WSMAN/* to list of computers, check the box for Concatenate OS defaults with input above
  • Computer Policy\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow CredSSP authentication → Set to enabled

To enable the server to accept delegated credentials, set the following policy value:

  • Computer Policy\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow CredSSP authentication → Set to enabled

To enable CredSSP and set the PowerShell execution policy to "Bypass" through group policy, you can follow the example below. CredSSP is set using the Computer Configuration Policies, and the PowerShell execution policy is set using the Computer Configuration Preferences.

[Image: Login AM Setup WinRM And CredSSP 01.png]

To enable CredSSP in workgroup mode

If you want to enable CredSSP in workgroup mode, you need to set the following policy values:

  • Computer Policy\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials → Set to enabled and add WSMAN/* to list of computers, check the box for Concatenate OS defaults with input above
  • Computer Policy\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials with NTLM-only server authentication → Set to enabled and add WSMAN/* to list of computers, check the box for Concatenate OS defaults with input above
  • Computer Policy\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow CredSSP authentication → Set to enabled

When running into trouble...

To check whether CredSSP and WinRM are working correctly, you can test this manually by starting PowerShell on the Login AM server and entering the following commands.

First check the port on which the WinRM has been configured:

get-item wsman:\localhost\listener\listener*\port | Select-Object value

The result is typically the default port, 5985.

From here you can run a command on the remote computer, using the remote computer name and the port number found in the previous step:

winrs -r:http://remotecomputername:5985 "echo %computername%"

This should return the value of the %computername% environment variable from the remote machine.
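The manual check above verifies the WinRM listener but not credential delegation itself. The following function is an added example (not part of the Login AM documentation) that checks the client-side CredSSP state, the listener port, plain WinRM reachability and finally a CredSSP-authenticated session in one go; it assumes the default HTTP port 5985 and a domain account supplied as a PSCredential.

```powershell
# Added example, not from the Login AM documentation.
# Verifies the CredSSP/WinRM chain from the Login AM server to one target host.
function Test-CredSspRemoting {
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Port = 5985   # assumption: default WinRM HTTP listener port
    )

    # 1. Client side: is CredSSP enabled and to which targets may credentials be delegated?
    #    A target list of "wsman/*" hands the plaintext password to ANY WinRM host the
    #    client connects to, so review it and narrow it to the Login AM targets where possible.
    $clientCredSsp = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    $delegation    = Get-WSManCredSSP

    # 2. Local listener port(s), the same query the manual check uses.
    $ports = Get-Item WSMan:\localhost\Listener\*\Port | Select-Object -ExpandProperty Value

    # 3. Plain WinRM reachability of the target (no delegation involved yet).
    #    Test-WSMan throws when the listener is unreachable; let that surface as an error.
    $null = Test-WSMan -ComputerName $ComputerName -Port $Port -ErrorAction Stop

    # 4. The real test: a CredSSP session. The script block reports who it runs as and
    #    whether the service side of the target accepts CredSSP at all.
    $remote = Invoke-Command -ComputerName $ComputerName -Port $Port `
        -Authentication Credssp -Credential $Credential -ErrorAction Stop -ScriptBlock {
            [pscustomobject]@{
                RemoteHost     = $env:COMPUTERNAME
                RunningAs      = [Security.Principal.WindowsIdentity]::GetCurrent().Name
                ServiceCredSsp = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
            }
        }

    [pscustomobject]@{
        ClientCredSspEnabled  = ($clientCredSsp -eq 'true')
        DelegationTargets     = ($delegation -join ' ')
        LocalListenerPorts    = ($ports -join ',')
        RemoteHost            = $remote.RemoteHost
        RemoteRunningAs       = $remote.RunningAs
        ServiceCredSspEnabled = ($remote.ServiceCredSsp -eq 'true')
    }
}

# Usage (interactive): prompts for the account Login AM uses for dashboard commands.
# Test-CredSspRemoting -ComputerName 'remotecomputername' -Credential (Get-Credential)
```

If step 3 succeeds but step 4 fails with an access-denied or authentication error, the listener is fine and the problem is on the CredSSP side (client delegation list or the server-side Allow CredSSP authentication policy).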

When the above does not work in your scenario, you might need to restore and/or restart the WinRM service configuration. The following methods could resolve the problem.

winrm quickconfig -quiet

Or you can do it the radical way:

# Disable/revoke winrm/remoting
Start-Service winrm
# Restore the WinRM configuration to its defaults
winrm invoke restore winrm/config
Disable-PSRemoting -Force
Disable-WSManCredSSP -Role Client
Disable-WSManCredSSP -Role Server
Stop-Service winrm
# Enable remoting
Enable-PSRemoting -Force
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*" -Force
# Verify the listener(s) that are now active
winrm enumerate winrm/config/listener

When trying to connect from a 64-bit machine to a 32-bit machine, you can use the following cmdlet on the 32-bit machine:

Enable-PSRemoting -Force