WinRM not working with local admin credentials


Kurt Buff, GSEC/GCIH/PCIP

Mar 4, 2021, 7:40:22 PM3/4/21
to ntsys...@googlegroups.com
Attempting to use an account in the local Administrators group set up by LAPS to do sweet powershell stuff.

Can someone tell me what I'm missing?

Invoke-command works fine with my own privileged credentials (not a DA account, just my workstation admin account, which is a member of a domain security group that's listed in the local administrators group).

I've checked group policies, and I've got the following set so that I can delegate credentials:

Administrative Templates/System/Credentials Delegation settings seem to be correct:
"Allow delegating fresh credentials" is enabled, with a server designation of "WSMAN/*.example.com"
"Allow delegating fresh credentials with NTLM-Only server authentication" is enabled, with a server designation of "WSMAN/*.example.com"

Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Client settings seem to be correct:
"Allow CredSSP authentication" is enabled

Windows Components/Windows Remote Management (WinRM)/WinRM Service settings seem to be correct:
"Allow CredSSP authentication" is enabled

I've verified with gpresult /h that the above settings are propagated to the target machine (it1).

I used the LAPS client to get the password and copy/paste it into the popup for get-credential. But the following doesn't work, and emits the error message below.

Just to be completely sure, I also looked in the registry, and yes, the GPO settings are reflected there - but they don't show in gpedit.msc. That doesn't seem to matter, because setting them in gpedit.msc doesn't seem to fix anything.

Thanks,

Kurt

$cred = get-credential it1\localadmin
invoke-command -Credential $cred -ComputerName it1 -Authentication credssp -ScriptBlock { dir c:\temp }

[it1] Connecting to remote server it1 failed with the following error message : The WinRM client cannot process
the request. A computer policy does not allow the delegation of the user credentials to the target computer. Use
gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System ->
Credentials Delegation -> Allow Delegating Fresh Credentials.  Verify that it is enabled and configured with an SPN
appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one
of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the
about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (it1:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : -2144108125,PSSessionStateBroken

Michael B. Smith

Mar 5, 2021, 8:22:51 AM3/5/21
to ntsys...@googlegroups.com

Is the SPN present?

Aakash Shah

Mar 5, 2021, 9:59:11 AM3/5/21
to ntsys...@googlegroups.com

Try disabling UAC remote restrictions by setting LocalAccountTokenFilterPolicy=1 at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction
-Aakash Shah

Kurt Buff, GSEC/GCIH/PCIP

Mar 5, 2021, 10:53:02 AM3/5/21
to ntsys...@googlegroups.com
This is what I see for the target machine:

CN=IT1,OU=Workstations,OU=Secure,DC=example,DC=com
WSMAN/it1
WSMAN/it1.example.com
TERMSRV/IT1
TERMSRV/it1.example.com
RestrictedKrbHost/IT1
HOST/IT1
RestrictedKrbHost/it1.example.com
HOST/it1.example.com

Kurt

Michael B. Smith

Mar 5, 2021, 11:13:07 AM3/5/21
to ntsys...@googlegroups.com

Kurt Buff, GSEC/GCIH/PCIP

Mar 5, 2021, 11:17:29 AM3/5/21
to ntsys...@googlegroups.com
I configured that registry entry, rebooted, and tried again - unsuccessful.

Kurt

Kurt Buff, GSEC/GCIH/PCIP

Mar 5, 2021, 11:20:30 AM3/5/21
to ntsys...@googlegroups.com
TrustedHostsList: 10.5.50.*,10.5.40.*,10.5.35.*

My machine is in the 10.5.50.* subnet, the target machine is in the 10.5.40.* subnet.

Kurt

Michael B. Smith

Mar 5, 2021, 11:40:34 AM3/5/21
to ntsys...@googlegroups.com

Ok, you got me. No more immediate ideas. You might check out Tobias’ book on PS Remoting.

Kurt Buff, GSEC/GCIH/PCIP

Mar 5, 2021, 4:07:21 PM3/5/21
to ntsys...@googlegroups.com
Is that the LeanPub "Secrets of PowerShell Remoting"?

I've got that, and will read it again...

Kurt

Michael B. Smith

Mar 5, 2021, 5:40:19 PM3/5/21
to ntsys...@googlegroups.com
This is the one I have:

03/11/2010 01:47 PM 813,484 Administrator's Guide to Windows PowerShell Remoting.pdf

Kurt Buff, GSEC/GCIH/PCIP

Mar 5, 2021, 5:50:44 PM3/5/21
to ntsys...@googlegroups.com
Mine seems to be a bit newer:

Secrets of PowerShell Remoting
The DevOps Collective, Inc.
This book is for sale at http://leanpub.com/secretsofpowershellremoting
This version was published on 2018-10-28

and seems to be available here as well:
https://github.com/devops-collective-inc

And although Tobias Weltner isn't mentioned on the Github page, he is
listed as a contributing author in the PDF I have.

Kurt

Michael B. Smith

Mar 5, 2021, 10:09:12 PM3/5/21
to ntsys...@googlegroups.com

Kurt Buff, GSEC/GCIH/PCIP

Mar 8, 2021, 2:57:51 PM3/8/21
to ntsys...@googlegroups.com
Partial success - I've got it working against one machine, and now I have to figure out all of the gyrations I went through to make it work, so that I can replicate it against the domain.

Also, feeling a bit foolish that I didn't think about this before.

This works:
$cred = get-credential it1\localadmin
invoke-command -ComputerName it1.example.com -Credential $cred -Authentication credssp -ScriptBlock { dir c:\support }

This doesn't:
$cred = get-credential it1\localadmin
invoke-command -ComputerName it1 -Credential $cred -Authentication credssp -ScriptBlock { dir c:\support }

I haven't confirmed it yet, but this command seems to be necessary on the remote machine:
Enable-WSManCredSSP -Role server
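Added example (not code from the thread) that explains the first post's "policy does not allow the delegation" error and the FQDN-versus-short-name result above: the "Allow delegating fresh credentials" policy is a list of WSMAN/<host> patterns, and the CredSSP client matches the name passed to -ComputerName against it literally, so WSMAN/*.example.com matches it1.example.com but never plain it1. It assumes the registry layout the GPO (and Enable-WSManCredSSP -Role Client) writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, and reads the client/server CredSSP switches from the WSMan: drive; the function and variable names are my own.

```powershell
# Added example, not from the thread. Assumed layout: the delegation GPO stores each
# pattern as a string value named 1, 2, 3 ... under a subkey of this path.
$DelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-FreshCredentialDelegationPatterns {
    param([switch]$NtlmOnly)
    # "Allow delegating fresh credentials" vs the "... with NTLM-only server authentication" list
    $sub = if ($NtlmOnly) { 'AllowFreshCredentialsWhenNTLMOnly' } else { 'AllowFreshCredentials' }
    $key = Join-Path $DelegationKey $sub
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Test-FreshCredentialDelegation {
    param([Parameter(Mandatory)][string]$ComputerName, [switch]$NtlmOnly)
    # The client builds the target SPN from the name you typed, with no DNS expansion.
    $spn = "WSMAN/$ComputerName"
    $patterns = Get-FreshCredentialDelegationPatterns -NtlmOnly:$NtlmOnly
    # -like is case-insensitive; '*' in the policy pattern is an ordinary wildcard
    $hit = $patterns | Where-Object { $spn -like $_ } | Select-Object -First 1
    [pscustomobject]@{
        TargetSpn = $spn
        MatchedBy = $hit
        Allowed   = [bool]$hit
    }
}

function Get-WinRmCredSspState {
    # Client half applies where Invoke-Command runs; Server half applies on the target
    # (this is what Enable-WSManCredSSP -Role Server turns on). Needs the WinRM service.
    [pscustomobject]@{
        ClientCredSSP = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        ServerCredSSP = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        TrustedHosts  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    }
}

# With the thread's policy value WSMAN/*.example.com, only the first call reports Allowed.
Test-FreshCredentialDelegation -ComputerName 'it1.example.com'
Test-FreshCredentialDelegation -ComputerName 'it1'
Get-WinRmCredSspState
```

Because CredSSP hands the full credential to the target, it is only needed when the remote session must authenticate onward to a further host; for a single hop with a local account the Negotiate path Matt describes below avoids the delegation policy entirely.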

Matt Stork

Mar 9, 2021, 1:11:00 PM3/9/21
to ntsys...@googlegroups.com

I use -Authentication Negotiate and it works well for me. I just tested with CredSSP and it failed with the same error as yours. Try Negotiate and see if it works for you as well.

-Matt

Aakash Shah

Mar 9, 2021, 1:11:00 PM3/9/21
to ntsys...@googlegroups.com

Since I believe you mentioned that domain accounts work but local accounts don’t, check that you don’t have either of the following entries under “Deny access to this computer from the network”:

NT AUTHORITY\Local account
NT AUTHORITY\Local account and member of Administrators group

-Aakash Shah
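Added example (not code from the thread) for the check Aakash describes: it exports the effective user-rights assignments with secedit, pulls the SeDenyNetworkLogonRight line, and flags the two well-known SIDs behind "Local account" (S-1-5-113) and "Local account and member of Administrators group" (S-1-5-114). Run it in an elevated PowerShell on the target (it1 in the thread); the function names and the temp file path are my own.

```powershell
# Added example, not from the thread. Well-known SIDs for the two entries in question.
$LocalAccountSids = @{
    'S-1-5-113' = 'NT AUTHORITY\Local account'
    'S-1-5-114' = 'NT AUTHORITY\Local account and member of Administrators group'
}

function Get-DenyNetworkLogonEntries {
    $inf = Join-Path $env:TEMP 'deny-network-logon.inf'
    # secedit writes the effective local policy; USER_RIGHTS limits the export to privileges
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
        if (-not $line) { return @() }   # right assigned to nobody
        # value is a comma-separated list; SIDs carry a leading '*'
        ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Resolve-EntryName([string]$Entry) {
    if ($Entry -notmatch '^\*?S-1-\d') { return $Entry }   # already an account name
    $sid = $Entry.TrimStart('*')
    if ($LocalAccountSids.ContainsKey($sid)) { return $LocalAccountSids[$sid] }
    try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # orphaned SID: keep the raw value so it still shows up
}

function Test-LocalAdminNetworkLogonDenied {
    foreach ($entry in Get-DenyNetworkLogonEntries) {
        $name = Resolve-EntryName $entry
        [pscustomobject]@{
            Entry            = $name
            BlocksLocalAdmin = ($LocalAccountSids.Values -contains $name)
        }
    }
}

# A row with BlocksLocalAdmin = True explains a LAPS account that fails over the network.
Test-LocalAdminNetworkLogonDenied | Format-Table -AutoSize
```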

Kurt Buff, GSEC/GCIH/PCIP

Mar 10, 2021, 2:14:37 PM3/10/21
to ntsys...@googlegroups.com
Unfortunately, the negotiate argument didn't fix anything.

I'm combing through GPO settings to see what else might be blocking.

The machines on which WinRM works are my test machines, with limited GPO settings, and those on which it doesn't work get the full panoply of GPO stuff - and that's an ongoing problem.

Kurt

Kurt Buff, GSEC/GCIH/PCIP

Mar 10, 2021, 2:18:30 PM3/10/21
to ntsys...@googlegroups.com
Good call - that was set at one point, but I've undone that, and now only Guests are denied.

It's something else.

Now, as part of my troubleshooting, I've moved one of my test machines to a production OU to compare the RSOP, and see what else might be blocking.

Kurt
