I am trying to use CREDSSP on a new server (Server C).

I have successfully set up CREDSSP on two other servers (Server A to Server B).

I am now trying to connect from Server A to Server C using CREDSSP, but no matter what I do, I get the following error:

    [SERVER_C.domain.edu] Connecting to remote server SERVER_C.domain.edu failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (SERVER_C.domain.edu:String) [], PSRemotingTransportException
        + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

This is my query that works perfectly from Server A to Server B:

    # Setting the Credentials to be used to sign into the Server B.
    $pass = ConvertTo-SecureString "Password" -asplaintext -force
    $mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "domain\user.service",$pass
    #
    #
    # The Remote Execution Command. Fully Qualified Domain name is critical since we are using Credssp.
    # Credssp is being used to resolve an issue with a double hop authentication issue. Other steps setup on each computer had to be completed before Credssp would work
    Invoke-Command -ComputerName SERVER_B.domain.edu -command { C:\helloWorld.ps1 } -Authentication Credssp -Credential $mycred

I have double-checked everything I can think of between Server C (new server) and Server B (old server) and I can't find any reason why I'm getting the error.

I know that if I take out the CREDSSP part, the script works, except where a double hop is involved. So the server is definitely connecting.

I made sure to run the following commands:

    Enable-psremoting

    Set-ExecutionPolicy -Scope localMachine -ExecutionPolicy RemoteSigned

    Enable-WSManCredSSP -Role Client -DelegateComputer '*.reskit.org' -Force
    Enable-WSManCredSSP -Role Server -Force

wsman

Also followed these steps: Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.

And as I mentioned, I know Server A is set up correctly, because I run the script above to Server B without issue.

Any suggestions would really be appreciated.

The only thought I have is that Server A and B are running Powershell 3 and Server C is running Powershell 5

moore1emu
  • Looks like the issue is related to Server B only having TLS 1.2 enabled, and Server A having all TLS versions enabled, and unfortunately setting the PowerShell session to use TLS 1.2 does not seem to resolve the problem. I opened a new question to address this question specifically: https://stackoverflow.com/questions/50513033/powershell-credssp-and-tls-1-2 – moore1emu May 24 '18 at 15:34

1 Answer

I notice that the Enable-WSManCredSSP -Role Client command uses *.reskit.org instead of *.domain.eu.(?)

To me it's not completely clear which commands were run at the server and which at the client, but they look OK at first sight. I recently configured CredSSP as well to solve the double hop problem, as follows:

On the server:

    Enable-WSManCredSSP -Role Server -Force

Get-WSManCredSSP shows: The machine is not configured to allow delegating fresh credentials. This computer is configured to receive credentials from a remote client computer.

On the client:

    winrm quickconfig
    Enable-WSManCredSSP -role client *.mydomain.com

Get-WSMancredSSP shows: The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*.mydomain.com. This computer is not configured to receive credentials from a remote client computer.

My clientside script starts an explicit remote session via:

    $session = New-PSSession -Computer $computerName -Credential $credential -Authentication Credssp
pfx
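The answer's first observation (the client delegation pattern is `*.reskit.org` while the targets are under `domain.edu`) can be checked mechanically. The following is an added example, not code from the question or the answer: the function names are hypothetical, the sample values are constructed from the commands shown in the question, and the registry path is where the "Allow Delegating Fresh Credentials" policy list is stored on the client.

```powershell
# Added example. Function names are hypothetical; sample values are constructed.

function Test-CredSspDelegationTarget {
    # True when at least one WSMAN SPN pattern covers the target host name.
    param(
        [Parameter(Mandatory)] [string] $TargetFqdn,
        [string[]] $AllowedSpn = @()
    )
    foreach ($spn in $AllowedSpn) {
        # An entry looks like 'wsman/*.domain.edu': service class, slash, host pattern.
        $service, $hostPattern = $spn -split '/', 2
        if ($service -ne 'wsman' -or -not $hostPattern) { continue }
        if ($TargetFqdn -like $hostPattern) { return $true }   # -like ignores case
    }
    return $false
}

function Get-CredSspClientDelegation {
    # Reads the "Allow Delegating Fresh Credentials" entries on the local (client) machine.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) { $item.GetValue($name) }
}

# Constructed input mirroring the question: the pattern passed to Enable-WSManCredSSP
# and the two host names used with Invoke-Command.
$fromQuestion = @('wsman/*.reskit.org')
$targets      = 'SERVER_B.domain.edu', 'SERVER_C.domain.edu'

foreach ($target in $targets) {
    [pscustomobject]@{
        Target    = $target
        Source    = 'pattern from question'
        Delegable = Test-CredSspDelegationTarget -TargetFqdn $target -AllowedSpn $fromQuestion
    }
}

# The same check against what is actually configured on the machine running this script.
$live = @(Get-CredSspClientDelegation)
foreach ($target in $targets) {
    [pscustomobject]@{
        Target    = $target
        Source    = "local policy ($($live.Count) entries)"
        Delegable = Test-CredSspDelegationTarget -TargetFqdn $target -AllowedSpn $live
    }
}
```

Run it on the client (Server A in the question); a target that shows `Delegable = False` against the local policy is not covered by any delegation entry, independent of any TLS configuration on the server.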