Passing user credentials to a remote computer

I needed to do a remote installation on a server of software that is located on a share. I wanted to achieve this through a PSSession (from my management server), but I ran into the problem that the share wasn’t accessible from the PSSession.

As explained in this Microsoft article, the Enable-WSManCredSSP cmdlet enables CredSSP authentication on a client or on a server computer. When CredSSP authentication is used, the user credentials are passed to a remote computer to be authenticated. This type of authentication is designed for commands that create a remote session from another remote session. For example, if you want to run a background job on a remote computer, use this kind of authentication.

Enable-WSManCredSSP can enable CredSSP on a Client or a Server. To enable CredSSP on a client, specify Client in the Role parameter. Clients delegate explicit credentials to a server when server authentication is achieved. To enable CredSSP on a server, specify Server in the Role parameter. A server acts as a delegate for clients. For more details, see Role in the Parameters section.

As I found out, you need to enable it both on the client and the server. On the client (the server/workstation you want to make the connection from) you need to enable the client role (to be able to pass on the credentials to the remote machine). You can do this by running this command:

Enable-WSManCredSSP -Role Client -DelegateComputer * -Force

On the server (the one where the remote credentials are needed to access the share), you need to enable the server role, which can be achieved by running this command:

Enable-WSManCredSSP -Role Server -Force

To check whether CredSSP is enabled, you can run this command (you need to run it elevated!). By default you’ll get the result shown below the command.

Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials.
This computer is not configured to receive credentials from a remote client computer.

Once you’ve enabled it on the client, the same command gives you this result:

The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*.
This computer is not configured to receive credentials from a remote client computer.

On the server side you’ll get this result:

The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.

But, like I said, I want to remotely set this option. So I’ll need to connect to the remote computer through a PSSession, to be able to enable this on the remote server.

#Set credentials needed for remote installation
$userName = "user name"
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($userName, $password)
$remoteComputer = "computer name"
#Create remote session and enable the CredSSP server role on the remote computer
$session = New-PSSession -ComputerName $remoteComputer -Credential $cred
Invoke-Command -Session $session -ScriptBlock { Enable-WSManCredSSP -Role Server -Force }
Disconnect-PSSession $session | Out-Null
#Enable the CredSSP client role on the local computer
Enable-WSManCredSSP -Role Client -DelegateComputer * -Force

So the next time I create a remote session to the server, I can connect using CredSSP:

$session = New-PSSession -ComputerName $remoteComputer -Credential $cred -Authentication Credssp

And I’m able to use my credentials on the remote machine to access the share.

Once I’m done with my automation tasks, I’ll disable CredSSP on the client and server:

#Set credentials needed for remote installation
$userName = "user name"
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($userName, $password)
$remoteComputer = "computer name"
#Create remote session and disable WSManCredSSP
$session = New-PSSession -ComputerName $remoteComputer -Credential $cred
Invoke-Command -Session $session -ScriptBlock { Disable-WSManCredSSP -Role Server }
Disconnect-PSSession $session | Out-Null
#Disable the CredSSP client role on the local computer
Disable-WSManCredSSP -Role Client

You can download both scripts here.
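
The same enable, connect and disable sequence as one function, as an added example that is not one of the author's scripts. It goes slightly beyond the post: it delegates only to the named server instead of `*`, prompts for the password, and disables CredSSP in a `finally` block so it is switched off even when the remote command fails. The function name `Invoke-WithCredSSP`, the server name and the share path are hypothetical.

```powershell
# Added example (not the author's script). Run from an elevated PowerShell prompt.
# Invoke-WithCredSSP and the server/share names below are hypothetical.
function Invoke-WithCredSSP {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,    # same name is used for delegation and connection
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )
    $setup = $null
    $work  = $null
    try {
        # Server role: allow the remote computer to receive delegated credentials.
        $setup = New-PSSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        Invoke-Command -Session $setup -ScriptBlock { Enable-WSManCredSSP -Role Server -Force | Out-Null }

        # Client role: delegate to this one computer only, not to "*".
        Enable-WSManCredSSP -Role Client -DelegateComputer $ComputerName -Force | Out-Null

        # CredSSP session: inside it the credentials can be used to reach the share.
        $work = New-PSSession -ComputerName $ComputerName -Credential $Credential `
                              -Authentication Credssp -ErrorAction Stop
        Invoke-Command -Session $work -ScriptBlock $ScriptBlock
    }
    finally {
        # Runs even when the remote command fails, so CredSSP does not stay enabled.
        if ($work) { Remove-PSSession -Session $work }
        Disable-WSManCredSSP -Role Client
        if ($setup) {
            Invoke-Command -Session $setup -ScriptBlock { Disable-WSManCredSSP -Role Server }
            Remove-PSSession -Session $setup
        }
    }
}

# Prompt for the password instead of storing it in the script.
$cred = Get-Credential
Invoke-WithCredSSP -ComputerName 'server01.example.test' -Credential $cred -ScriptBlock {
    # Placeholder task: check that the share is reachable from the remote session.
    Test-Path '\\fileserver.example.test\install\setup.exe'
}
```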
