Q. I'm using CredSSP for management of remote machines that involve a hop. What should the delegation be set to?
A. CredSSP can be used at times when Kerberos is not usable and enables easy hopping of credentials, i.e. machine a connects to machine b and machine b then performs actions against machine c using the credential. A common use case could be a machine in a workgroup or untrusted domain connecting to a jumpbox in the target domain and then from that machine issuing commands against that domain. From that client the delegation would require two entries
- One for the jumpbox itself which could be an IP address since it may be accessed from a machine without name resolution
- One for the actual machines itself that will be managed from the jumpbox, e.g. *.domain.com
These would be prefixed with WSMAN/. For example:
- Open the local policy of the client machine (gpedit.msc)
- Navigate to Computer Configuration - Administrative Templates - System - Credentials Delegation
- Double click Allow delegating fresh credentials
- Set to Enabled and click Show... for the Add servers to the list:
- Add the entries (one per line), e.g.
- WSMAN/<IP of jump box>
- WSMAN/*.savilltech.net - Click OK to all dialogs
Access via CredSSP should now work and enable management of the remote machines in the target.
Note if you are not using Kerberos or certificate authentication and instead NTLM the policy you need to set is also Allow delegating fresh credentials with NTLM-only server authentication.
