blocks|key|182379|text|多亏了this+page，我终于让它正常工作了。它提供了一个脚本，通过直接设置适当的注册表项来设置所需的凭据委派策略。一旦我使用管理员权限运行该脚本，我就能够成功地建立到myserver的CredSSP连接：|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|182380|Enable-WSManCredSSP+-Role+client+-DelegateComputer+*.mydomain.com

$allowed+=+@('WSMAN/*.mydomain.com')

$key+=+'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if+(!(Test-Path+$key))+{
++++md+$key
}
New-ItemProperty+-Path+$key+-Name+AllowFreshCredentials+-Value+1+-PropertyType+Dword+-Force++++++++++++

$key+=+Join-Path+$key+'AllowFreshCredentials'
if+(!(Test-Path+$key))+{
++++md+$key
}
$i+=+1
$allowed+%7C%25+{
++++#+Script+does+not+take+into+account+existing+entries+in+this+key
++++New-ItemProperty+-Path+$key+-Name+$i+-Value+$_+-PropertyType+String+-Force
++++$i%2B%2B
}|code-block|syntax|javascript|182381|entityMap|0|LINK|mutability|MUTABLE|url|http://powertoe.wordpress.com/2011/04/29/enable-credssp-from-a-windows-7-home-client/^0|3|9|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@$A|R|B|S|1|T]]|C|$]]|$1|D|3|E|5|F|7|U|8|@]|9|@]|C|$G|H]]|$1|I|3|-4|5|6|7|V|8|@]|9|@]|C|$]]]|J|$K|$5|L|M|N|C|$O|P]]]]

I finally got it to work thanks to <a href="http://powertoe.wordpress.com/2011/04/29/enable-credssp-from-a-windows-7-home-client/" rel="noreferrer">this page</a>. It provides a script that sets the required credential delegation policies by setting the appropriate registry keys directly. Once I ran that script with admin privileges, I was able to successfully establish a CredSSP connection to myserver:

<pre><code>Enable-WSManCredSSP -Role client -DelegateComputer *.mydomain.com

$allowed = @('WSMAN/*.mydomain.com')

$key = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (!(Test-Path $key)) {
 md $key
}
New-ItemProperty -Path $key -Name AllowFreshCredentials -Value 1 -PropertyType Dword -Force 

$key = Join-Path $key 'AllowFreshCredentials'
if (!(Test-Path $key)) {
 md $key
}
$i = 1
$allowed |% {
 # Script does not take into account existing entries in this key
 New-ItemProperty -Path $key -Name $i -Value $_ -PropertyType String -Force
 $i++
}
</code></pre>

blocks|key|3003669|text|在服务器上执行以下操作：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3003670|Enable-WSManCredSSP+-Role+Server|code-block|syntax|javascript|3003671|在客户端上执行以下操作：|3003672|set-item+wsman:localhost\client\trustedhosts+-value+*

Enable-WSManCredSSP+-Role+Client+–DelegateComputer+*|3003673|在客户端上使用gpedit.msc启用将新凭据委派给WSMAN/*|offset|length|style|CODE|3003674|展开Local+Computer+Policy，展开Computer+Configuration，展开Administrative+Templates，展开System，然后单击Credential+Delegation.|3003675|In+Settings窗格，双击Allow+Delegating+Fresh+Credentials+with+NTLM-only+Server+Authentication.|unordered-list-item|3003676|In+|ordered-list-item|3003677|Settings对话框，执行following:|3003678|Click+Enabled.|3003679|In+Settings区域，单击Show.|3003680|In+Options，键入<Settings>d26Allow+Delegating+Fresh+Credentials+with+NTLM-only+Server+Authentication+>，然后单击<Options>D27System>。确保选择了Concatenate+OS+defaults+with+input+above，然后单击OK.|3003681|3003682|3003683|3003684|以下命令现在起作用(在出现密码提示后)：|3003685|Invoke-Command+{+dir+\\fileserver\devtools+}+-computer+appserver01+-authentication+credssp+-credential+domain\user|3003686|参见MSDN+forums。|3003687|请参阅TechNet|3003688|entityMap|0|LINK|mutability|MUTABLE|url|http://social.technet.microsoft.com/Forums/windowsserver/en-US/544e2da5-390d-411d-a730-1fceab18334d/network-access-when-using-invokecommand-or-enterpssession?forum=winserverpowershell|1|https://technet.microsoft.com/en-us/hh751273.aspx^0|0|0|0|0|7|A|0|2|L|Q|M|1F|O|26|6|2H|L|0|3|8|G|1Z|0|0|0|8|0|6|7|0|3|8|G|4|1|3|7|E|8|2X|7|3L|14|4U|2|1|0|0|0|0|0|2|B|0|0|3|7|1|0^^$0|@$1|2|3|4|5|6|7|1R|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|1S|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|1T|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|1U|8|@]|9|@]|A|$E|F]]|$1|K|3|L|5|6|7|1V|8|@$M|1W|N|1X|O|P]]|9|@]|A|$]]|$1|Q|3|R|5|6|7|1Y|8|@$M|1Z|N|20|O|P]|$M|21|N|22|O|P]|$M|23|N|24|O|P]|$M|25|N|26|O|P]|$M|27|N|28|O|P]]|9|@]|A|$]]|$1|S|3|T|5|U|7|29|8|@$M|2A|N|2B|O|P]|$M|2C|N|2D|O|P]]|9|@]|A|$]]|$1|V|3|W|5|X|7|2E|8|@]|9|@]|A|$]]|$1|Y|3|Z|5|X|7|2F|8|@$M|2G|N|2H|O|P]]|9|@]|A|$]]|$1|10|3|11|5|X|7|2I|8|@$M|2J|N|2K|O|P]]|9|@]|A|$]]|$1|12|3|13|5|X|7|2L|8|@$M|2M|N|2N|O|P]|$M|2O|N|2P|O|P]]|9|@]|A|$]]|$1|14|3|15|5|X|7|2Q|8|@$M|2R|N|2S|O|P]|$M|2T|N|2U|O|P]|$M|2V|N|2W|O|P]|$M|2X|N|2Y|O|P]|$M|2Z|N|30|O|P]]|9|@]|A|$]]|$1|16|3|-4|5|6|7|31|8|@]|9|@]|A|$]]|$1|17|3|-4|5|6|7|32|8|@]|9|@]|A|$]]|$1|18|3|-4|5|6|7|33|8|@]|9|@]|A|$]]|$1|19|3|1A|5|6|7|34|8|@]|9|@]|A|$]]|$1|1B|3|1C|5|D|7|35|8|@]|9|@]|A|$E|F]]|$1|1D|3|1E|5|6|7|36|8|@]|9|@$M|37|N|38|1|39]]|A|$]]|$1|1F|3|1G|5|6|7|3A|8|@]|9|@$M|3B|N|3C|1|3D]]|A|$]]|$1|1H|3|-4|5|6|7|3E|8|@]|9|@]|A|$]]]|1I|$1J|$5|1K|1L|1M|A|$1N|1O]]|1P|$5|1K|1L|1M|A|$1N|1Q]]]]

Do the following on the server:
<pre><code>Enable-WSManCredSSP -Role Server
</code></pre>
Do the following on the client:
<pre><code>set-item wsman:localhost\client\trustedhosts -value *

Enable-WSManCredSSP -Role Client –DelegateComputer *
</code></pre>
Use <code>gpedit.msc</code> on the client to enable Delegating Fresh Credentials to WSMAN/*:
<ol>
<li>Expand <code>Local Computer Policy</code>, expand <code>Computer Configuration</code>, expand
<code>Administrative Templates</code>, expand <code>System</code>, and then click <code>Credential Delegation</code>.</li>
<li>In the <code>Settings</code> pane, double-click <code>Allow Delegating Fresh Credentials with NTLM-only Server Authentication</code>.</li>
<li>In the <code>Allow Delegating Fresh Credentials with NTLM-only Server Authentication</code> dialog box, do the following:</li>
<li>Click <code>Enabled</code>.</li>
<li>In the <code>Options</code> area, click <code>Show</code>.</li>
<li>In Value, type <code>WSMAN/*</code>, and then click <code>OK</code>. Make sure that
<code>Concatenate OS defaults with input above</code> is selected, and then
click <code>OK</code>.</li>
</ol>
The following command now works (after a password prompt):
<pre><code>Invoke-Command { dir \\fileserver\devtools } -computer appserver01 -authentication credssp -credential domain\user
</code></pre>
See <a href="http://social.technet.microsoft.com/Forums/windowsserver/en-US/544e2da5-390d-411d-a730-1fceab18334d/network-access-when-using-invokecommand-or-enterpssession?forum=winserverpowershell" rel="nofollow noreferrer">MSDN forums</a>.
See <a href="https://technet.microsoft.com/en-us/hh751273.aspx" rel="nofollow noreferrer">TechNet</a>

blocks|key|2791310|text|根据Akira上面的回答，在gpedit.msc中，我必须设置“允许使用NTLM-only+Server+Authentication委派新的凭据”，而不是“允许委派新的凭据”。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2791311|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

Expanding upon Akira's answer above, in gpedit.msc I had to set "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" rather than "Allow Delegating Fresh Credentials".

blocks|key|179894|text|我必须完全自动化我的解决方案，特别是让您进入GPO编辑器的解决方案中的部分。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|179895|1)启用远程PS|179896|Enable-PSRemoting+-force|code-block|syntax|javascript|179897|2)启用CredSSP|179898|Enable-WSManCredSSP+-Role+Server+-Force
Enable-WSManCredSSP+-Role+Client+-DelegateComputer+locahost+-Force
Enable-WSManCredSSP+-Role+Client+-DelegateComputer+$env:COMPUTERNAME+-Force
Enable-WSManCredSSP+-Role+Client+-DelegateComputer+$domain+-Force
Enable-WSManCredSSP+-Role+Client+-DelegateComputer+"*.$domain"+-Force
Set-Item+-Path+"wsman:\localhost\service\auth\credSSP"+-Value+$True+-Force|179899|3)通过注册表启用NTLM新凭据：|179900|New-Item+-Path+HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation+-Name+AllowFreshCredentialsWhenNTLMOnly+-Force
New-ItemProperty+-Path+HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly+-Name+1+-Value+*+-PropertyType+String|179901|只有在这之后，我才能够以本地管理员的身份启动powershell脚本，该脚本能够在PSSession中运行并执行AD操作。|179902|$secpasswd+=+ConvertTo-SecureString+$adPassword+-AsPlainText+-Force
$credential+=+New-Object+System.Management.Automation.PSCredential+("$domain\Admin",+$secpasswd)
$adminSession+=+New-PSSession+-Credential+$credential+-Authentication+Credssp;

$sb+=+{
++param($p1,+$p2)

++whoami

++New-ADUser+....
}

Invoke-Command+-Session+$adminSession+-Script+$sb+-ArgumentList+$domain,$userPassword|179903|entityMap^0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|W|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|X|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|Y|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|Z|8|@]|9|@]|A|$]]|$1|K|3|L|5|F|7|10|8|@]|9|@]|A|$G|H]]|$1|M|3|N|5|6|7|11|8|@]|9|@]|A|$]]|$1|O|3|P|5|F|7|12|8|@]|9|@]|A|$G|H]]|$1|Q|3|R|5|6|7|13|8|@]|9|@]|A|$]]|$1|S|3|T|5|F|7|14|8|@]|9|@]|A|$G|H]]|$1|U|3|-4|5|6|7|15|8|@]|9|@]|A|$]]]|V|$]]

I had to the need to fully automate my solution, particularly the part section in the solution that has you go into the GPO editor. 

1) Enable Remote PS

<pre><code>Enable-PSRemoting -force
</code></pre>

2) Enable CredSSP

<pre><code>Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer locahost -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $env:COMPUTERNAME -Force
Enable-WSManCredSSP -Role Client -DelegateComputer $domain -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*.$domain" -Force
Set-Item -Path "wsman:\localhost\service\auth\credSSP" -Value $True -Force
</code></pre>

3) Enable NTLM Fresh Credentials through the Registery:

<pre><code>New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -Name AllowFreshCredentialsWhenNTLMOnly -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly -Name 1 -Value * -PropertyType String
</code></pre>

Only after this was I able to launch powershell script as the local admin that was able to run in a PSSession and preform AD actions.

<pre><code>$secpasswd = ConvertTo-SecureString $adPassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("$domain\Admin", $secpasswd)
$adminSession = New-PSSession -Credential $credential -Authentication Credssp;

$sb = {
 param($p1, $p2)

 whoami

 New-ADUser ....
}

Invoke-Command -Session $adminSession -Script $sb -ArgumentList $domain,$userPassword
</code></pre>

I'm new to powershell and I'm having troubles using credentials delegation. I have the following script:

<pre><code>$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\Administrator
Invoke-Command -Session $session -ScriptBlock { &lt;Some PowerShell Command&gt; }
</code></pre>

Before running it, I did the following:

<ol>
<li>Run <code>Enable-PSRemoting</code> on myserver. </li>
<li>Run <code>Enable-WSManCredSSP Server</code> on myserver. </li>
<li>Run <code>Restart-Service WinRM</code> on myserver. </li>
<li>Run <code>Enable-WSManCredSSP Client –DelegateComputer myserver</code> on the client. </li>
<li>Rebooted both the server and the client.</li>
</ol>

But once I run the script, I get the following error message:

<pre><code>[myserver] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of
 the user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -&gt; Administrative Templates -&gt; System -&gt; Credentials Delega
tion -&gt; Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "m
yserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.
 + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
 + FullyQualifiedErrorId : PSSessionOpenFailed
</code></pre>

I checked the policies as mentioned in the error message but everything seems to be fine. What else could be blocking me?

Powershell remoting - Policy does not allow the delegation of user credentials

服务器

Windows

我是powershell的新手，在使用凭证委派时遇到了问题。我有以下脚本：$session = New-PSSession myserver -Authentication CredSSP -Credential DOMAIN\AdministratorInvoke-Command -Session $session ...

问Powershell remoting -策略不允许委派用户凭据
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问Powershell remoting -策略不允许委派用户凭据EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问Powershell remoting -策略不允许委派用户凭据
EN