PS C:\> $r = New-PSSession
PS C:\> icm $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx}
Enter password:
Invoke-Command : The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.
At line:1 char:4
+ icm <<<< $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx}
I am trying to run Get-PfxCertificate in a remote runspace, but why does it fail? What is delegation?
Get-PfxCertificate fails here because of the "second hop" problem: the remote session authenticated you with Kerberos or NTLM, which proves who you are to that one computer but leaves it without anything it could present on your behalf to a further resource (here, the password prompt and the certificate store). PowerShell remoting supports a new authentication mechanism called CredSSP that solves this. "CredSSP enables an application to delegate the user's credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP)." See the following link for more info: http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/25/724271.aspx Here is a link to the CredSSP protocol specification: http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf Note that "delegate" means the server receives your actual credentials, not just a ticket, so only enable it toward servers you trust to hold your password.
To enable client-side SSP for winrm, run the following line from an elevated prompt (the wildcard allows your credentials to be delegated to any WSMan target; in practice replace it with the names of the specific servers you trust):
Enable-WSManCredSSP -Role client -DelegateComputer *
To enable server-side SSP for winrm, run this on the target computer (also elevated):
Enable-WSManCredSSP -Role server
Now let’s try the same scenario with a remote runspace created with CredSSP authentication.
PS C:\> $r = New-PSSession Fully.Qualified.Domain.Name -Auth CredSSP -cred domain\user
PS C:\> icm $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx} | fl
Subject : CN=Hula Monkey, OU=checkins, OU=monad
Issuer : CN=Hula Monkey, OU=checkins, OU=monad
Thumbprint : 613F82CEAF98C2457BD140AF3FBF7045FFFBAC90
FriendlyName :
NotBefore : 7/7/2004 4:15:37 PM
NotAfter : 12/31/2039 3:59:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
ComputerName : Fully.Qualified.Domain.Name
PS C:\> icm $r {$s=new-pssession}
PS C:\> icm $r {icm $s {whoami}}
domain\user
PS C:\>
Get-PfxCertificate now works in the remote runspace! I can also open another remote runspace inside the remote runspace, or access a network share inside the remote runspace, because the server now holds a credential it can present on my behalf. That same credential is what an attacker who compromises the server would get, so turn CredSSP off again when you no longer need it. Enjoy!
To disable client-side SSP for winrm:
Disable-WSManCredSSP -Role client
To disable server-side SSP for winrm:
Disable-WSManCredSSP -Role server
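The following script is an added example and not part of the original post. It ties the enable, verify, test and disable steps above into one run: it enables client-side CredSSP for a single named server instead of the wildcard, reads back the delegation policy that Enable-WSManCredSSP writes so you can see exactly which targets may receive your credentials, runs the same second-hop operation once without and once with CredSSP, and always disables CredSSP again in a finally block. The server name, the credential and the UNC path \\fileserver\share are hypothetical inputs; the remote side is assumed to have already run Enable-WSManCredSSP -Role server.

```powershell
# Added example (not from the original post). Run from an elevated prompt on
# the client. $Server, $Credential and $TestPath are hypothetical inputs;
# the target host must already have Enable-WSManCredSSP -Role Server applied.
param(
    [Parameter(Mandatory)] [string]       $Server,      # FQDN of the remote host
    [Parameter(Mandatory)] [pscredential] $Credential,  # domain\user, prompted for password
    [string] $TestPath = '\\fileserver\share'           # hypothetical second-hop resource
)

# Enable-/Disable-WSManCredSSP change machine policy, so require elevation up front.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# 1. Baseline: what does the client currently allow?
Write-Host '--- CredSSP state before ---'
Get-WSManCredSSP

# 2. Enable client-side CredSSP for exactly one host rather than '*'.
#    This records wsman/<host> under the AllowFreshCredentials policy key.
Enable-WSManCredSSP -Role Client -DelegateComputer $Server -Force | Out-Null

try {
    # 3. Verify the WSMan client flag and list every delegation target.
    $clientFlag = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets    = (Get-ItemProperty $policyKey -ErrorAction SilentlyContinue).PSObject.Properties |
                  Where-Object Name -match '^\d+$' |            # values are named 1, 2, 3, ...
                  ForEach-Object Value
    "Client CredSSP enabled : $clientFlag"
    "Delegation targets     : $($targets -join ', ')"
    if ($targets -contains 'wsman/*') {
        Write-Warning 'Wildcard target present: your password can be delegated to any WinRM host.'
    }

    # 4. Second hop WITHOUT CredSSP: the remote process has no credential to
    #    present to the file server, so Test-Path reports False (or throws).
    $plain = New-PSSession -ComputerName $Server -Credential $Credential
    $noCssp = Invoke-Command -Session $plain -ArgumentList $TestPath -ScriptBlock {
        param($p)
        try { Test-Path $p } catch { "error: $($_.Exception.Message)" }
    }
    "Second hop without CredSSP : $noCssp"
    Remove-PSSession $plain

    # 5. Same hop WITH CredSSP: the password is delegated to $Server, so the
    #    remote process can authenticate onward to the share.
    $cssp = New-PSSession -ComputerName $Server -Credential $Credential -Authentication CredSSP
    $withCssp = Invoke-Command -Session $cssp -ArgumentList $TestPath -ScriptBlock {
        param($p)
        # whoami shows the delegated identity; Test-Path shows the onward hop.
        [pscustomobject]@{ RunningAs = (whoami); ShareReachable = (Test-Path $p) }
    }
    "Second hop with CredSSP    : $($withCssp.RunningAs), share reachable = $($withCssp.ShareReachable)"
    Remove-PSSession $cssp
}
finally {
    # 6. Roll back so the delegation policy does not outlive this task.
    Disable-WSManCredSSP -Role Client
    Write-Host '--- CredSSP state after ---'
    Get-WSManCredSSP
}
```

The policy read in step 3 is the check worth keeping around on its own: Enable-WSManCredSSP accumulates targets across runs, so a wildcard added once during troubleshooting stays in AllowFreshCredentials until someone removes it, and Get-WSManCredSSP is the quickest way to spot it.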
Wei Wu [MSFT]
Visit the Windows PowerShell Team blog at: http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at: http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx