CredSSP for second-hop remoting

PowerShell Team

PowerShell Team

PS C:\> $r = New-PSSession
PS C:\> icm $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx}
Enter password:
Invoke-Command : The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.
At line:1 char:4
+ icm <<<<  $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx}

l am trying to run Get-PfxCertificate in a remote runspace, but why does it fail? What is delegation?

PowerShell remoting supports a new authentication mechanism called CredSSP.  “CredSSP enables an application to delegate the user’s credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP).”   See the following link for more info:  Here is a link to the CredSSP protocol specification:

To enable client-side SSP for winrm, run the following lines:
Enable-WSManCredSSP -Role client -DelegateComputer *

To enable server-side SSP for winrm:
Enable-WSManCredSSP -Role server

Now let’s try the same scenario with a remote runspace created with CredSSP authentication.

PS C:\> $r = New-PSSession Fully.Qualified.Domain.Name -Auth CredSSP -cred domain\user
PS C:\> icm $r {Get-PfxCertificate c:\monad\TestpfxFile.pfx} | fl
Subject      : CN=Hula Monkey, OU=checkins, OU=monad
Issuer       : CN=Hula Monkey, OU=checkins, OU=monad
Thumbprint   : 613F82CEAF98C2457BD140AF3FBF7045FFFBAC90
FriendlyName :
NotBefore    : 7/7/2004 4:15:37 PM
NotAfter     : 12/31/2039 3:59:59 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
ComputerName : Fully.Qualified.Domain.Name
PS C:\> icm $r {$s=new-pssession}
PS C:\> icm $r {icm $s {whoami}}
PS C:\>

Get-PfxCertificate now works in the remote runspace! I can also open another remote runspace inside the remote runspace, or access a network share inside the remote runspace. Enjoy!

To disable client-side SSP for winrm:
Disable-WSManCredSSP -Role client

To disable server-side SSP for winrm:
Disable-WSManCredSSP -Role server

Wei Wu [MSFT]
Visit the Windows PowerShell Team blog at:
Visit the Windows PowerShell ScriptCenter at:

PowerShell Team
PowerShell Team

Follow PowerShell Team   

No Comments.