Difference between revisions of "Login AM Tips Tricks Setup WinRM CredSSP"

From Login VSI Documentation
Revision as of 14:47, 6 September 2016

Login AM uses WinRM in combination with CredSSP authentication for executing the dashboard commands that need to be run on a remote computer. For detailed instructions on how to enable WinRM on your systems, see this link.

PowerShell remoting supports an authentication mechanism called CredSSP. CredSSP enables an application to delegate the user's credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP). In practice this means the client hands the user's actual credentials to the target, so that the target can authenticate onward to a third machine (the "second hop"); a target that accepts delegated credentials must therefore be trusted as much as the client itself. See the CredSSP protocol specification for more information.

Enable from PowerShell

Client configuration

The client configuration needs to be configured on the machine from which you wish to run the Login AM User Interface; this is typically the server where you installed Login AM.

To enable client-side CredSSP so that the user's credentials may be delegated to all computers in the domain (the * wildcard means the client will delegate to whichever WSMAN endpoint it connects to), run the command:

Enable-WSManCredSSP -Role client -DelegateComputer *

Server configuration

The server configuration needs to be configured on the servers/machines you wish to connect to.

To enable the server to accept delegated credentials:

Enable-WSManCredSSP -Role server

HINT: Use the -Force parameter with Enable-WSManCredSSP to suppress the Y/N question on the prompt.
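The client and server steps above combined into one script, as an added example that is not part of the Login AM documentation. It differs from the page's commands in one respect: instead of the * wildcard it restricts delegation to a domain suffix, and it then reads the effective state back with Get-WSManCredSSP. The suffix *.domain.local is a placeholder; substitute your own domain or an explicit list of the servers Login AM manages.

```powershell
# Added example (not from the Login AM docs): configure CredSSP with a
# restricted delegation list and read the effective state back.
# Run in an elevated PowerShell session. Host names are placeholders.

# --- Client side: the machine running the Login AM User Interface ---
# -DelegateComputer accepts explicit names and wildcards. "*" lets the
# client hand its password to ANY WSMAN endpoint; a domain-scoped wildcard
# or an explicit server list limits where credentials can end up.
$delegateTo = @('*.domain.local')          # placeholder; or @('am-target1','am-target2')
Enable-WSManCredSSP -Role Client -DelegateComputer $delegateTo -Force | Out-Null

# --- Server side: every machine the dashboard commands will run on ---
# This only tells the WinRM service to accept CredSSP; listeners are
# created by Enable-PSRemoting / winrm quickconfig, not here.
Enable-WSManCredSSP -Role Server -Force | Out-Null

# --- Read back what is actually in effect ---
# Get-WSManCredSSP returns two lines: the client state (including the
# delegation list) and the server state. Both say "not configured" when off.
function Get-CredSSPState {
    $lines = @(Get-WSManCredSSP)
    [pscustomobject]@{
        ClientLine    = $lines[0]
        ServerLine    = $lines[1]
        ClientEnabled = $lines[0] -notmatch 'not configured'
        ServerEnabled = $lines[1] -notmatch 'not configured'
    }
}

Get-CredSSPState
```

The same script is run on the Login AM server (both roles) and on each managed server (the -Role Server line only). Enable-WSManCredSSP -Role Client is what populates the "Allow Delegating Fresh Credentials" policy described in the next section, so the registry and GPO views stay consistent whichever way you configure it.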

Enabling 'WinRM & CredSSP' using group policy (GPO)

To enable client-side CredSSP to allow user credential delegation for WinRM for all computers in the domain.local domain, set the following policy values:

  • Computer Policy\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials → Set to enabled and add WSMAN/* to list of computers, check the box for Concatenate OS defaults with input above
  • Computer Policy\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow CredSSP authentication → Set to enabled

To enable the server to accept delegated credentials, set the following policy value:

  • Computer Policy\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow CredSSP authentication → Set to enabled

To enable CredSSP and set the PowerShell execution policy to "Bypass" in one GPO, you can follow this example. CredSSP is set under Computer Configuration > Policies and the PowerShell execution policy is set under Computer Configuration > Preferences.

[Figure: Login AM Setup WinRM And CredSSP 01.png, the example GPO described above]

To enable CredSSP in workgroup mode

If you want to enable CredSSP in workgroup mode (no domain, so no Kerberos and therefore no mutual authentication of the target), you need to set the following policy values. Note that "NTLM-only server authentication" means the client cannot verify the identity of the server before sending it the user's credentials, so any host that answers on the name you connect to will receive them; use this only where Kerberos is genuinely unavailable.

  • Computer Policy\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials → Set to enabled and add WSMAN/* to list of computers, check the box for Concatenate OS defaults with input above
  • Computer Policy\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials with NTLM-only server authentication → Set to enabled and add WSMAN/* to list of computers, check the box for Concatenate OS defaults with input above
  • Computer Policy\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow CredSSP authentication → Set to enabled
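A check for the policy settings in the domain and workgroup lists above, as an added example that is not part of the Login AM documentation. It reads the registry values under HKLM\SOFTWARE\Policies that these Credentials Delegation and WinRM policies are stored in (the same keys Enable-WSManCredSSP writes, so it reports the effective state whichever way the machine was configured) and warns on the two settings a reviewer should question: the WSMAN/* wildcard and NTLM-only delegation. The value names are those of the corresponding policy templates; treat them as assumptions if your templates differ.

```powershell
# Added example (not from the Login AM docs): report the effective CredSSP /
# WinRM policy values on this machine. Key and value names are those written
# by the Credentials Delegation and WinRM policy templates (assumed here).

$cd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$wrm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not set
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-DelegationTargets([string]$SubKey) {
    # The target list of a delegation policy is stored as numbered string
    # values ("1" = "WSMAN/*", "2" = ...) under a subkey named after it.
    $path = Join-Path $cd $SubKey
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Get-CredSSPPolicyReport {
    [pscustomobject]@{
        # Allow Delegating Fresh Credentials (domain and workgroup lists)
        AllowFreshCredentials             = Get-PolicyValue $cd 'AllowFreshCredentials'
        FreshTargets                      = @(Get-DelegationTargets 'AllowFreshCredentials')
        ConcatenateDefaults_AllowFresh    = Get-PolicyValue $cd 'ConcatenateDefaults_AllowFresh'
        # ... with NTLM-only server authentication (workgroup list only)
        AllowFreshCredentialsWhenNTLMOnly = Get-PolicyValue $cd 'AllowFreshCredentialsWhenNTLMOnly'
        NTLMOnlyTargets                   = @(Get-DelegationTargets 'AllowFreshCredentialsWhenNTLMOnly')
        # WinRM Client / WinRM Service > Allow CredSSP authentication
        WinRMClientAllowCredSSP           = Get-PolicyValue "$wrm\Client"  'AllowCredSSP'
        WinRMServiceAllowCredSSP          = Get-PolicyValue "$wrm\Service" 'AllowCredSSP'
    }
}

$report = Get-CredSSPPolicyReport
$report | Format-List

if ($report.FreshTargets -contains 'WSMAN/*') {
    Write-Warning 'Fresh credentials may be delegated to ANY WSMAN host (WSMAN/*).'
}
if ($report.AllowFreshCredentialsWhenNTLMOnly -eq 1) {
    Write-Warning 'NTLM-only delegation is enabled: server identity is not verified before credentials are sent.'
}
```

Run it on the Login AM server to confirm the client-side policies and on a managed server to confirm WinRMServiceAllowCredSSP is 1. A value of $null next to a policy you set via GPO usually means the GPO has not been applied yet (gpupdate /force) or is filtered for that machine.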

When running into trouble...

To check whether CredSSP and WinRM are working correctly, you can test this manually by starting PowerShell on the Login AM server and entering the following commands.

First check the port on which the WinRM has been configured:

get-item wsman:\localhost\listener\listener*\port | Select-Object value

By default this returns 5985 (the HTTP listener); 5986 is the HTTPS listener.

From here you can run a command on the remote computer, using the port number found above:

winrs -r:http://remotecomputername:5985 "echo %computername%"

This should return the value of the COMPUTERNAME variable from the remote machine. Note that this proves WinRM connectivity only: winrs authenticates with Negotiate (Kerberos/NTLM), so a successful result does not show that CredSSP delegation works.
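An end-to-end CredSSP test from the Login AM server, as an added example that is not part of the Login AM documentation. It reuses the listener-port lookup above, then connects with -Authentication Credssp and finally attempts the second hop (a UNC path on a third machine) that CredSSP exists to make possible. target.domain.local and \\fileserver.domain.local\share are placeholders for one of the servers Login AM manages and a share it should be able to reach.

```powershell
# Added example (not from the Login AM docs): exercise CredSSP explicitly.
# The winrs check only proves WinRM reachability under Negotiate auth.
# Placeholders: replace the target and share with your own.

$target = 'target.domain.local'
$share  = '\\fileserver.domain.local\share'   # a path the TARGET must reach on your behalf
$cred   = Get-Credential -Message 'Account whose credentials will be delegated'

# 1. Listener port on this machine (same lookup as above) and reachability.
$port = (Get-Item WSMan:\localhost\Listener\Listener*\Port | Select-Object -First 1).Value
Test-WSMan -ComputerName $target -Port $port -ErrorAction Stop | Out-Null
"WinRM reachable on ${target}:$port"

# 2. Does the target accept a CredSSP logon for this account? Fails with an
#    authentication error if either side has CredSSP disabled.
$who = Invoke-Command -ComputerName $target -Authentication Credssp -Credential $cred `
        -ScriptBlock { "$env:COMPUTERNAME as $env:USERDOMAIN\$env:USERNAME" }
"CredSSP logon OK: $who"

# 3. Second hop. With delegated credentials the remote session can open a
#    share on a third machine; a plain Negotiate session cannot, because the
#    target holds no credentials to present to the file server.
$secondHop = Invoke-Command -ComputerName $target -Authentication Credssp -Credential $cred `
        -ScriptBlock { param($p) Test-Path -Path $p } -ArgumentList $share
if ($secondHop) {
    "Second hop to $share works: delegation is effective"
} else {
    Write-Warning "Target reached, but the delegated session cannot access $share"
}
```

Step 2 failing while the winrs check succeeds points at the CredSSP settings themselves (client delegation list not covering the target, or Allow CredSSP authentication off on the WinRM Service). Step 3 failing with step 2 succeeding usually means the share permissions, not CredSSP, are the problem.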

When the above isn't working in your scenario, you might need to restore and/or restart the WinRM service configuration. The following methods could resolve the problem.

winrm quickconfig -quiet

Or you can do it the radical way.

# Disable/revoke winrm/remoting
Start-Service winrm
winrm invoke restore winrm/config
Disable-PSRemoting -Force
Disable-WSManCredSSP -Role Client
Disable-WSManCredSSP -Role Server
Stop-Service winrm
# Enable remoting
Enable-PSRemoting -Force
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*" -Force
winrm enumerate winrm/config/listener

When trying to connect from a 64-bit machine to a 32-bit machine, you can use the following cmdlet on the 32-bit machine:

Enable-PSRemoting -Force