Setting up the CredSSP access for multi-hop
I've previously shown how to set up multi-hop access with RunAs, but the PowerShell team has since added commands that make the CredSSP setup easy, and it is now simpler to use than RunAs. Here is how to do it.
On the server side do:
$null = Enable-WSManCredSSP -Role Server -Force
On the client side do:
$null = Enable-WSManCredSSP -Role Client -DelegateComputer "*" -Force
$null = mkdir -Force "HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials"
Set-ItemProperty -LiteralPath "HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials" -Name "my" -Value "wsman/*" -Type STRING
$null = mkdir -Force "HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly"
Set-ItemProperty -LiteralPath "HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly" -Name "my" -Value "*" -Type STRING
Obviously, on the intermediate machines you'll need to set up both the server and client sides.
Instead of "*" you can use a pattern or a comma-separated list of host-name patterns; "*" simply enables delegation to all hosts.
Messing with the Registry is needed to set up the group policies that allow CredSSP. You can do the same from the GUI, but the command line is easier, it also works on NanoServer, which has no GUI, and it can be run remotely in general.
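Scoping the delegation to one domain suffix instead of "*", listing what the two policy keys currently allow, and then making the second hop, as an added example that is not from the original post (contoso.com, srv01, srv02 and CONTOSO\admin are assumed names):

```powershell
# Added example, not from the original post. Assumptions: domain contoso.com,
# hops srv01 -> srv02, account CONTOSO\admin. Scopes delegation to one domain
# suffix, audits what the policy keys allow, then runs the second hop.
$base = 'HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation'

# Client side, scoped to *.contoso.com instead of "*"
$null = Enable-WSManCredSSP -Role Client -DelegateComputer '*.contoso.com' -Force
$null = New-Item -Force -Path "$base\AllowFreshCredentialsWhenNTLMOnly"
Set-ItemProperty -LiteralPath "$base\AllowFreshCredentialsWhenNTLMOnly" `
    -Name 'my' -Value 'wsman/*.contoso.com' -Type String

function Get-CredSspDelegationScope {
    # Lists every delegation target the two policy keys allow and flags
    # entries that delegate fresh credentials to any host at all.
    foreach ($key in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $path = "$base\$key"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = (Get-ItemProperty -LiteralPath $path).PSObject.Properties
        foreach ($p in $props) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a target
            [pscustomobject]@{
                Policy   = $key
                Name     = $p.Name
                Target   = $p.Value
                Unscoped = ($p.Value -in @('*', 'wsman/*'))
            }
        }
    }
}

Get-CredSspDelegationScope | Format-Table -AutoSize
Get-WSManCredSSP   # shows the client/server CredSSP state as WSMan sees it

# Second hop: CredSSP on the first hop delegates the credential to srv01,
# so srv01 can authenticate onward to srv02 without a second -Credential.
$cred = Get-Credential 'CONTOSO\admin'
Invoke-Command -ComputerName 'srv01.contoso.com' -Authentication Credssp `
    -Credential $cred -ScriptBlock {
    Invoke-Command -ComputerName 'srv02.contoso.com' -ScriptBlock { hostname }
}
```

Any row reported with Unscoped = True means fresh credentials may be delegated to whatever host answers on that name, which is the setting the "*" shortcut above produces.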
By the way, while at it, here is a reminder of how to set up the client side for a plain basic connection:
Set-Item -Force WSMan:\localhost\Client\TrustedHosts "*"
Set-Item -Force WSMan:\localhost\Client\AllowUnencrypted "true"
Comments
- Anonymous
March 22, 2017
Hello Sergey,

I would caution people against using the last two lines you provided (TrustedHosts and AllowUnencrypted). These two settings severely reduce the security of any machine.

Best regards,
Ashley McGlone
@GoateePFE