Login AM uses WinRM in combination with CredSSP authentication to execute the dashboard commands that need to run on a remote computer. Detailed instructions on how to enable WinRM on your systems follow below.
PowerShell remoting supports an authentication mechanism called CredSSP. CredSSP enables an application to delegate the user's credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP). See the CredSSP protocol specification for more information.
Enable from PowerShell
Client configuration
The client configuration needs to be applied on the machine from which you wish to run the Login AM User Interface; this is typically the server where you installed Login AM.
To enable client-side CredSSP to allow user credential delegation to all computers in the domain, run the command:
Enable-WSManCredSSP -Role client -DelegateComputer *
Server configuration
The server configuration needs to be configured on the servers/machines you wish to connect to.
To enable the server to accept delegated credentials:
Enable-WSManCredSSP -Role server
Hint: Use the -Force parameter with Enable-WSManCredSSP to suppress the Y/N question at the prompt.
Enabling 'WinRM & CredSSP' using group policy (GPO)
To enable client-side CredSSP to allow user credential delegation for WinRM for all computers in the domain.local domain, set the following policy values:
- Computer Policy\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials → Set to enabled, add WSMAN/* to the list of computers, and check the box for Concatenate OS defaults with input above
- Computer Policy\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow CredSSP authentication → Set to enabled
To enable the server to accept delegated credentials, set the following policy value:
- Computer Policy\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow CredSSP authentication → Set to enabled
To enable CredSSP and set the PowerShell execution policy to "Bypass", you can follow this example. CredSSP is set using the Computer Configuration Policies, and the PowerShell execution policy is set using the Computer Configuration Preferences.
To enable CredSSP in workgroup mode
If you want to enable CredSSP in workgroup mode, you need to set the following policy values:
- Computer Policy\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials → Set to enabled, add WSMAN/* to the list of computers, and check the box for Concatenate OS defaults with input above
- Computer Policy\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials with NTLM-only server authentication → Set to enabled, add WSMAN/* to the list of computers, and check the box for Concatenate OS defaults with input above
- Computer Policy\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow CredSSP authentication → Set to enabled
When running into trouble...
To check whether CredSSP and WinRM are working correctly, you can test this manually by starting PowerShell on the Login AM server and entering the following commands.
First, check the port on which WinRM has been configured:
get-item wsman:\localhost\listener\listener*\port | Select-Object value
The result is typically the default port, 5985.
Next, run a command on the remote computer using the port number found in the previous step:
winrs -r:http://remotecomputername:5985 "echo %computername%"
This should return the value of the computername variable from the remote machine.
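The same end-to-end check, as an added PowerShell example that is not part of the Login AM documentation: it reads the client-side CredSSP state and delegation list, picks up the local listener port, and then runs the remote echo over a CredSSP-authenticated session. The host name in $Target and the credential prompt are placeholders you fill in; the registry path is where the "Allow Delegating Fresh Credentials" policy is stored.

```powershell
# Added example (not part of the Login AM documentation). Run on the Login AM server.
param(
    [string]$Target = 'remotecomputername',   # placeholder: replace with the real server name
    [int]$Port = 0                            # 0 = read the port from the local WinRM listener
)
$Credential = Get-Credential -Message "Account whose credentials will be delegated"

# 1. Client/server CredSSP state as written by Enable-WSManCredSSP
Write-Host "== CredSSP state =="
Get-WSManCredSSP

# 2. Which hosts may receive delegated credentials ('Allow Delegating Fresh Credentials' list)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
if (Test-Path $policyKey) {
    $targets = (Get-ItemProperty $policyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    Write-Host "Delegation targets: $($targets -join ', ')"
    if ($targets -contains 'WSMAN/*') {
        # WSMAN/* hands the account's password to ANY WinRM host it connects to.
        Write-Warning "Wildcard delegation in effect; consider listing only the servers Login AM manages, e.g. WSMAN/app01.domain.local"
    }
} else {
    Write-Warning "No fresh-credential delegation policy found: Enable-WSManCredSSP -Role client has not been run and no GPO applies"
}

# 3. Local listener port (default 5985 for HTTP), same query the documentation uses
if ($Port -eq 0) {
    $Port = [int](Get-Item WSMan:\localhost\Listener\Listener*\Port | Select-Object -First 1 -ExpandProperty Value)
}
Write-Host "Using port $Port"

# 4. Does the remote WinRM service accept CredSSP for this account?
try {
    Test-WSMan -ComputerName $Target -Port $Port -Authentication Credssp -Credential $Credential | Out-Null
    Write-Host "Test-WSMan with CredSSP succeeded against $Target"
} catch {
    Write-Warning "Test-WSMan failed: $($_.Exception.Message)"
    return
}

# 5. The winrs echo check from the documentation, but over a CredSSP session
$name = Invoke-Command -ComputerName $Target -Port $Port -Authentication Credssp `
    -Credential $Credential -ScriptBlock { $env:COMPUTERNAME }
Write-Host "Remote computer reports itself as: $name"
```

If step 4 fails while step 5 of the documentation (winrs) works, the WinRM service itself is fine and the problem is in the CredSSP settings on one of the two sides.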
If the above does not work in your scenario, you may need to restore and/or restart the WinRM service configuration. The following methods could resolve the problem.
winrm quickconfig -quiet
Or you can do it the radical way:
# Disable/revoke winrm/remoting
Start-Service winrm
winrm invoke restore winrm/config
Disable-PSRemoting -Force
Disable-WSManCredSSP -Role Client
Disable-WSManCredSSP -Role Server
Stop-Service winrm
# Enable remoting
Enable-PSRemoting -Force
Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*" -Force
winrm enumerate winrm/config/listener
When trying to connect from a 64-bit machine to a 32-bit machine, you can use the following cmdlet on the 32-bit machine:
Enable-PSRemoting -Force