Enable CredSSP for PowerShell

Q. How do I enable CredSSP for hosts to enable hopping in remote PowerShell?

A. With the default Kerberos authentication, the remote session only receives a service ticket for the machine you connected to, not your credentials, so that session cannot authenticate on your behalf to a third machine. I can connect to serverA, but from inside that session I cannot perform a remote action on serverB (the "second hop" problem). CredSSP solves this by delegating your full credentials to the intermediary. Three things are needed: CredSSP must be enabled on the PowerShell client machine, CredSSP must be enabled on the intermediary machine (the WinRM service side), and the client must be allowed to delegate fresh credentials to the intermediary via policy. Be aware of what you are turning on: CredSSP hands your clear-text credentials to the intermediary, so anyone with administrative control of that server can capture them. Restrict delegation to the specific servers you need and turn it off again when you are finished.

  • Enable CredSSP for the client (run this on the machine you start the session from)
    Set-Item WSMAN:\localhost\client\auth\credssp -Value $true
  • Enable CredSSP for the service on the intermediary server (run this command on every intermediary server that will be hopped from)
    Set-Item WSMAN:\localhost\service\auth\credssp -Value $true
  • Enable the delegation of fresh credentials to a list of target servers. You can allow all servers, but it is better to restrict delegation to a set, for example all machines in the domain. Open a Group Policy Object that applies to the client machines and navigate to Computer Configuration > Policies > Administrative Templates > System > Credential Delegation > Allow Delegation of Fresh Credentials. Enable the policy, click the Show button and add the servers in SPN form, e.g. WSMAN/*.savilltech.net, then click OK. Once the change is made the GPO will need time to be applied to the machines (or run gpupdate /force on the client). The entry ends up under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials, which is a quick place to check that it has arrived.
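The whole procedure above, plus a check and the actual two-hop call, as an added PowerShell example (not from the original FAQ). It uses the page's names: a client in the savilltech.net domain, serverA as the intermediary and serverB as the final target; the account SAVILLTECH\admin is assumed. Enable-WSManCredSSP does the same work as the Set-Item commands but, on the client, also writes the fresh-credential delegation entry to local policy, which is handy on a single machine where no GPO is in place. Run elevated.

```powershell
# --- 1. CLIENT: enable CredSSP and allow delegation to the domain's hosts ----
# -Role Client sets WSMAN:\localhost\Client\Auth\CredSSP to true AND adds
# WSMAN/*.savilltech.net to the local "Allow delegation of fresh credentials"
# policy. Keep -DelegateComputer as narrow as you can: every host listed here
# can receive your clear-text credentials. Never use '*'.
Enable-WSManCredSSP -Role Client -DelegateComputer '*.savilltech.net' -Force

# --- 2. INTERMEDIARY (serverA): enable the service side ---------------------
# Done over an ordinary (Kerberos) session; no hop is needed for this step.
Invoke-Command -ComputerName serverA -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
}

# --- 3. Verify all three prerequisites before attempting the hop ------------
function Test-CredSspState {
    param([Parameter(Mandatory)][string]$Intermediary)

    # WSMan provider leaves expose the setting as a 'true'/'false' string.
    $clientEnabled = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    $serverEnabled = Invoke-Command -ComputerName $Intermediary -ScriptBlock {
        (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    }

    # Delegation targets: numbered string values ("1" = "WSMAN/...") under the
    # CredentialsDelegation policy key, written by Group Policy or by
    # Enable-WSManCredSSP -Role Client.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $policyKey) {
        $targets = (Get-ItemProperty $policyKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }

    [pscustomobject]@{
        ClientCredSSP   = $clientEnabled
        ServerCredSSP   = $serverEnabled
        DelegateTargets = $targets
    }
}
Test-CredSspState -Intermediary serverA

# --- 4. The second hop -------------------------------------------------------
# Without -Authentication Credssp the inner Invoke-Command fails with an
# access-denied error: the session on serverA holds no delegable credentials
# for serverB. With CredSSP the delegated credentials let that session use
# Kerberos to serverB without passing -Credential again.
$cred = Get-Credential 'SAVILLTECH\admin'   # assumed account
Invoke-Command -ComputerName serverA -Authentication Credssp -Credential $cred -ScriptBlock {
    Invoke-Command -ComputerName serverB -ScriptBlock {
        "Second hop reached $env:COMPUTERNAME as $env:USERNAME"
    }
}

# --- 5. Clean up when the job is done ---------------------------------------
# CredSSP is a standing exposure of your credentials; turn it off afterwards.
Disable-WSManCredSSP -Role Client
Invoke-Command -ComputerName serverA -ScriptBlock { Disable-WSManCredSSP -Role Server }
```

Get-WSManCredSSP prints a one-line summary of the client and server state if you only want a quick look; the function above is useful when the delegation list is managed by a GPO and you need to confirm the policy has actually been applied before troubleshooting the hop.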