StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POCredSSP PowerShell Session fails when using Kerberos for machine authentication
primarykey
Id
11800816
data
AcceptedAnswerId
12428893
AnswerCount
1
ClosedDate
CommentCount
1
CommunityOwnedDate
CreationDate
2012-08-03T17:52:05.013
FavoriteCount
2
LastActivityDate
2012-09-14T16:58:16.327
LastEditDate
LastEditorUserId
0
OwnerUserId
1574759
ParentId
0
PostTypeId
1
Score
3
ViewCount
1737
LastEditorDisplayName
text
Body
We are attempting to use CredSSP authentication for <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ee309365.aspx" rel="nofollow">multi-hop PowerShell remoting</a>, and one of our clients is running into a snag that prevents them from creating PSSessions using CredSSP when specifying the FQDN of the target server. Both server and client are joined to the same domain, and there's nothing fancy going on with disjoint namespaces. In the course of debugging, we've opened up all of the related security options we can think of; in specific: <ul> <li>We've enabled the GP settings to Allow Delegating Fresh Credentials (standard and 'With NTLM only') with the wildcard SPN wsman/*</li> <li>We've enabled the WSMan Trusted Hosts setting with *.domain.com</li> <li>We've (of course) enabled WSMan for CredSSP on the server and the client</li> <li>We've set the LocalAccountTokenFilterPolicy on the server</li> </ul> With all those settings opened up, here's what we get when trying different authentication methods for PSSessions: <ul> <li>Using Kerberos for delegation with explicit domain credentials works fine.</li> <li>Using Negotiate for delegation with explicit domain credentials works fine.</li> <li>Using CredSSP for delegation: <ul> <li>Using domain credentials, connecting to the FQDN of the server, fails with the error <a href="http://msdn.microsoft.com/en-us/library/ms838310.aspx" rel="nofollow">There are currently no logon servers available to service the logon request</a></li> <li>Using domain credentials, connecting to just the hostname of the server, fails with the same error</li> <li>Using credentials for a local account on the server (thus forcing NTLM for server identity verification, I believe), connecting to the FQDN of the server, works fine</li> <li>Using domain credentials, connecting to the IP address of the server (thus forcing NTLM for server identity verification), works fine</li> </ul></li> </ul> So, in short, CredSSP works as long as we're using NTLM for server authentication and fails when we use Kerberos, but Kerberos definitely works fine if we're using Kerberos for delegation as well. How is that possible, and what can we do to make it so that CredSSP+Kerberos works?
Tags
<powershell><kerberos><powershell-remoting>
Title
CredSSP PowerShell Session fails when using Kerberos for machine authentication
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USJamie Macia
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POCredSSP PowerShell Session fails when using Kerberos for machine authentication
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POCredSSP PowerShell Session fails when using Kerberos for machine authentication
 UserUserId
 USbahrep
 VoteTypeVoteTypeId
 VTFavorite
3. VO
 singulars
 PostPostId
 POCredSSP PowerShell Session fails when using Kerberos for machine authentication
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COany solution about it ?
 singulars
 PostPostId
 POCredSSP PowerShell Session fails when using Kerberos for machine authentication
 UserUserId
 USKiquenet

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.