{"id":6021,"date":"2008-06-05T11:13:00","date_gmt":"2008-06-05T11:13:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2008\/06\/05\/credssp-for-second-hop-remoting\/"},"modified":"2019-02-18T13:15:51","modified_gmt":"2019-02-18T20:15:51","slug":"credssp-for-second-hop-remoting","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/credssp-for-second-hop-remoting\/","title":{"rendered":"CredSSP for second-hop remoting"},"content":{"rendered":"

PS C:\\> $r = New-PSSession
PS C:\\> icm $r {Get-PfxCertificate c:\\monad\\TestpfxFile.pfx}
Enter password:
<\/font>Invoke-Command : The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.
At line:1 char:4
+ icm <<<<  <\/span>$r {Get-PfxCertificate c:\\monad\\TestpfxFile.pfx}<\/font><\/span><\/span><\/p>\n

l am trying to run Get-PfxCertificate in a remote runspace, but why does it fail? What is delegation?<\/p>\n

PowerShell remoting supports a new authentication mechanism called CredSSP.  “CredSSP enables an application to delegate the user\u2019s credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP).”   See the following link for more info: http:\/\/blogs.msdn.com\/windowsvistasecurity\/archive\/2006\/08\/25\/724271.aspx<\/a>  Here is a link to the CredSSP protocol specification: http:\/\/download.microsoft.com\/download\/9\/5\/E\/95EF66AF-9026-4BB0-A41D-A4F81802D92C\/%5BMS-CSSP%5D.pdf<\/a><\/p>\n

To enable client-side SSP for winrm, run the following lines:
Enable-WSManCredSSP -Role client -DelegateComputer *<\/p>\n

To enable server-side SSP for winrm:
Enable-WSManCredSSP -Role server<\/p>\n

Now let’s try the same scenario with a remote runspace created with CredSSP authentication.<\/p>\n

PS C:\\> $r = New-PSSession Fully.Qualified.Domain.Name -Auth CredSSP -cred domain\\user
PS C:\\> icm $r {Get-PfxCertificate c:\\monad\\TestpfxFile.pfx} | fl
<\/font><\/span>Subject      <\/span>: CN=Hula Monkey, OU=checkins, OU=monad
Issuer       <\/span>: CN=Hula Monkey, OU=checkins, OU=monad
<\/font><\/span>Thumbprint   <\/span>: 613F82CEAF98C2457BD140AF3FBF7045FFFBAC90
FriendlyName :
NotBefore    <\/span>: 7\/7\/2004 4:15:37 PM
NotAfter     <\/span>: 12\/31\/2039 3:59:59 PM
Extensions   <\/span>: {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
ComputerName : Fully.Qualified.Domain.Name
PS C:\\> icm $r {$s=new-pssession}
PS C:\\> icm $r {icm $s {whoami}}
domain\\user
PS C:\\><\/font><\/span><\/span><\/p>\n

Get-PfxCertificate now works in the remote runspace! I can also open another remote runspace inside the remote runspace, or access a network share inside the remote runspace. Enjoy!<\/p>\n

To disable client-side SSP for winrm:
Disable-WSManCredSSP -Role client<\/p>\n

To disable server-side SSP for winrm:
Disable-WSManCredSSP -Role server<\/p>\n

Wei Wu [MSFT]
Visit the Windows PowerShell Team blog at:    http:\/\/blogs.msdn.com\/PowerShell<\/font><\/strong><\/a>
Visit the Windows PowerShell ScriptCenter at:  http:\/\/www.microsoft.com\/technet\/scriptcenter\/hubs\/msh.mspx<\/font><\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

PS C:\\> $r = New-PSSessionPS C:\\> icm $r {Get-PfxCertificate c:\\monad\\TestpfxFile.pfx}Enter password:Invoke-Command : The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.At line:1 char:4+ icm <<<<  $r {Get-PfxCertificate c:\\monad\\TestpfxFile.pfx} l am trying to run Get-PfxCertificate in a remote runspace, but why […]<\/p>\n","protected":false},"author":600,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[8],"class_list":["post-6021","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell","tag-remoting"],"acf":[],"blog_post_summary":"

PS C:\\> $r = New-PSSessionPS C:\\> icm $r {Get-PfxCertificate c:\\monad\\TestpfxFile.pfx}Enter password:Invoke-Command : The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.At line:1 char:4+ icm <<<<  $r {Get-PfxCertificate c:\\monad\\TestpfxFile.pfx} l am trying to run Get-PfxCertificate in a remote runspace, but why […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/6021","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/600"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=6021"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/6021\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=6021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=6021"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=6021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}