Windows 10: CredSSP auth failing while using Invoke-Command winrm client cannot process the request

Hi,I am trying to run the below powershell script using AWS ssm automation. This script will run as SSM Administrator and will try to enable the iscsi service by running the script as domain user account authenticated with CredSSP. Windows version: Windows_Server-2019-English-Full-Base[CmdletBinding]param[ParameterMandatory=$true][string]$DomainNetBIOSName,[ParameterMandatory=$true][string]$AdminSecret,[ParameterMandatory=$true][string]$DomainDNSName$HostName = hostname# Getting Password from Secrets Manager for AD Admin User$AdminUser = ConvertFrom-Json -InputObject Get-SECSecretVa

:)

 

Powershell cmdlet : Invoke- command with CredSSP authentication fails with error as below

Error :

Invoke-Command-Authentication Credssp -Credential $Credential-ComputerName node1 -Scriptblock $test
[centralserver:] Connecting to remote server centralserver:failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials.
Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com.

For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo: OpenError: (centralserver:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : -2144108125,PSSessionStateBroken

Task: We want to create a two node cluster using PowerShell script from node1 by passing credentials using CredSSP menthod from central server. We are getting above error while we run it from centralserver. (Servers : centralsever , node1 & node 2)

Script :

Already Tried Below things :

1.Checked for this GPO which is highlighted in error above, it is enabled & SPN are defined .

2.We verified that node creation using GUI is successful

3.We also checked WinRM connectivity locally & remotely. It is running fine & engine is healthy.

4.Worked with Microsoft Team (TrackingID#2206270010001298) however they could not find solution.

 

WinRS/WinRM can't access UNC path with CredSSP (Multi-Hop, Double-Hop)

Hi

I signed up on this forum because I am desperately seeking a solution for my problem.

I am trying to send a WinRS command from clientX to server1, which inlcudes a UNC path reference to a shared folder on server2. I understood that therefore I need to perform credential delegation from clientX to server1 ("double-hop"). Both clientX and server1 actually have access to that shared folder on server2.

clientX -> server1 -> server2

I followed all available instructions regarding WinRM and CredSSP configurations, like this: [Multi-Hop Support in WinRM - Win32 apps and it appears to me that everything was set up as intended.

hostname of clientX is 'clientX' (acquired from cmd command 'hostname')
full computer name of clientX is 'clientX' (acquired from control panel > system)
user domain of clientX is 'CLIENTX' (acquired from cmd command 'echo %userdomain%')
hostname of server1 is 'server1' (acquired from cmd command 'hostname')
full computer name of server1 is 'server1' (acquired from control panel > system)
user domain of server1 is 'SERVER1' (acquired from cmd command 'echo %userdomain%')
the unc path on server2 is \SERVER2\sharedF\test
on server1, I can successfully run the command:

dir \\SERVER2\sharedF\test

on clientX, I can aswell successfully run the command:

dir \\SERVER2\sharedF\test

on clientX, I can successfully run the command:

winrs.exe -r:http://SERVER1:5985 -u:adminOnserver1 -p*Tongueass4server1 "dir c:"

on clientX, I fail to run the command:

winrs.exe -r:http://SERVER1:5985 -u:adminOnserver1 -p*Tongueass4server1 "dir \\SERVER2\sharedF\test"

as I receive the error message "access is denied". And that is the problem.

on clientX, the power shell command

Get-WSManCredSSP

returns:

The machine is configured to allow delegating fresh credentials to the following target(s): wsman/SERVER1
This computer is not configured to receive credentials from a remote client computer.

on clientX, the cmd command

winrm get winrm/config

returns:

Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = true
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = true
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = 200.0.0.145,CLIENTX,200.0.0.159,SERVER1
Service
RootSDDL = O:NSG:BAD*Tongue(A;;GA;;;BA)(A;;GR;;;IU)S*Tongue(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
Klicke in dieses Feld, um es in vollständiger Größe anzuzeigen.
on server1, the power shell command "Get-WSManCredSSP" returns:

The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.

on server1, the cmd command

winrm get winrm/config

returns:

Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = true
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = true
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = 200.0.0.145,CLIENTX,200.0.0.159,SERVER1
Service
RootSDDL = O:NSG:BAD*Tongue(A;;GA;;;BA)(A;;GR;;;IU)S*Tongue(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = true
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
Klicke in dieses Feld, um es in vollständiger Größe anzuzeigen.
on server1, the cmd command

winrm e winrm/config/listener

returns:

Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 169.254.229.41, 200.0.0.159, ::1, fe80::5465:9195:eabb:b7e7%11, fe80::c056:f6db:8f7f:e529%9

Any ideas? Thanks a lot in advance.

 

WinRS/WinRM can't access UNC path with CredSSP (Double-Hop)

I am trying to access a shared folder using unc path on server2 from clientX via WinRS to server1.

clientX -> server1 -> server2

I followed all available instructions regarding WinRM and CredSSP configurations on clientX and server1 and it appears that everything was done as intended.

hostname of clientX is 'clientX' (acquired from cmd command 'hostname')

full computer name of clientX is 'clientX' (acquired from control panel > system)

user domain of clientX is 'CLIENTX' (acquired from cmd command 'echo %userdomain%')

hostname of server1 is 'server1' (acquired from cmd command 'hostname')

full computer name of server1 is 'server1' (acquired from control panel > system)

user domain of server1 is 'SERVER1' (acquired from cmd command 'echo %userdomain%')

the unc path on server2 is \SERVER2\sharedF\test

on server1, I can successfully run the command:

on clientX, I can successfully run the command:

on clientX, I can successfully run the command:

on clientX, I fail to run the command:

on clientX, the power shell command "Get-WSManCredSSP" returns:

The machine is configured to allow delegating fresh credentials to the following target(s): wsman/SERVER1

This computer is not configured to receive credentials from a remote client computer.

on clientX, the cmd command "winrm get winrm/config" returns:

on server1, the power shell command "Get-WSManCredSSP" returns:

The machine is not configured to allow delegating fresh credentials. This computer is configured to receive credentials from a remote client computer.

on server1, the cmd command "winrm get winrm/config" returns:

on server1, the cmd command "winrm e winrm/config/listener" returns:

Did I do anything wrong? Any ideas?

*** moved from german to english Community ***