Category Archives: WSManCredSSP

Get-WSManCredSSP

NAME
    Get-WSManCredSSP

SYNOPSIS
    Gets the Credential Security Service Provider-related configuration for the client.

SYNTAX
    Get-WSManCredSSP [<CommonParameters>]

DESCRIPTION
    The Get-WSManCredSSP cmdlet gets the Credential Security Service Provider-related configuration of the client and the server. The output indicates whether Credential Security Service Provider (CredSSP) authentication is enabled or disabled. It also displays configuration information for the AllowFreshCredentials policy of CredSSP. When you use CredSSP authentication, the user’s credentials are passed to a remote computer to be authenticated. This type of authentication is designed for commands that create a remote session from within another remote session. For example, you use this type of authentication if you want to run a background job on a remote computer.

    The cmdlet performs the following actions:

        – Gets the WS-Management CredSSP setting on the client (<localhost|computername>\Client\Auth\CredSSP).
        – Gets the Windows CredSSP policy setting AllowFreshCredentials.
        – Gets the WS-Management CredSSP setting on the server (<localhost|computername>\Service\Auth\CredSSP).

    Caution: CredSSP authentication delegates the user’s credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

    To disable CredSSP authentication, use the Disable-WSManCredSSP cmdlet. To enable CredSSP authentication, use the Enable-WSManCredSSP cmdlet.

PARAMETERS
    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type
        “Get-Help about_CommonParameters”.

INPUTS
    None
        This cmdlet does not accept any input.

OUTPUTS
    None
        This cmdlet does not generate any output.

NOTES

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Get-WSManCredSSP

    Description
    -----------
    This command displays CredSSP configuration information for both the client and server.

    The output identifies that this computer is or is not configured for CredSSP.

    If the computer is configured for CredSSP, this is the output:

    “The machine is configured to allow delegating fresh credentials to the following target(s): WSMan/server02.accounting.fabrikam.com”

    If the computer is not configured for CredSSP, this is the output:

    “The machine is not configured to allow delegating fresh credentials.”
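
    The following audit helper is an added example, not part of the original help text. It parses the delegation message shown above and flags wildcard targets such as the *.accounting.fabrikam.com form used in the Enable-WSManCredSSP examples, then reports the Client and Service CredSSP settings. Assumptions: the function names are hypothetical, multiple targets are taken to be comma-separated, and the live report needs an elevated session with the WinRM service running.

```powershell
# Added example: audit CredSSP delegation on the local computer.
# Function names are hypothetical; the sample string at the end is constructed.

function Get-CredSSPDelegationTarget {
    # Extracts delegation targets from Get-WSManCredSSP output text and marks
    # wildcard entries, which widen the set of hosts that may receive credentials.
    param([string[]]$OutputLine)

    foreach ($line in ($OutputLine -split '\r?\n')) {
        # Documented message: "... to the following target(s): WSMan/<host>"
        if ($line -match 'target\(s\):\s*(.+)$') {
            # Assumption: several targets are separated by commas.
            foreach ($entry in ($Matches[1] -split ',')) {
                $spn = $entry.Trim()
                if (-not $spn) { continue }
                $computer = $spn -replace '^(?i)wsman/', ''
                [pscustomobject]@{
                    Target       = $spn
                    ComputerName = $computer
                    Wildcard     = $computer.Contains('*')
                }
            }
        }
    }
}

function Get-CredSSPAuditReport {
    # Reads the live configuration: the two WS-Management settings named in the
    # help text plus the targets reported by Get-WSManCredSSP.
    $targets = @(Get-CredSSPDelegationTarget -OutputLine (Get-WSManCredSSP))
    [pscustomobject]@{
        ClientCredSSP     = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        ServiceCredSSP    = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        DelegationTargets = @($targets).Target
        WildcardTargets   = @($targets | Where-Object Wildcard).Target
    }
}

# Constructed sample in the documented message format (not captured from a host).
$sample = 'The machine is configured to allow delegating fresh credentials to the ' +
          'following target(s): WSMan/server02.accounting.fabrikam.com,' +
          'WSMan/*.accounting.fabrikam.com'

# Offline check of the parser: the second entry is reported with Wildcard = True.
Get-CredSSPDelegationTarget -OutputLine $sample | Format-Table -AutoSize

# On a real host, run: Get-CredSSPAuditReport
```

    A non-empty WildcardTargets list, or ServiceCredSSP set to true on a host that does not need to act as a delegate, is a candidate for Disable-WSManCredSSP.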

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkId=141443
    Connect-WSMan
    Disable-WSManCredSSP
    Disconnect-WSMan
    Enable-WSManCredSSP
    Get-WSManInstance
    Invoke-WSManAction
    New-WSManInstance
    New-WSManSessionOption
    Remove-WSManInstance
    Set-WSManInstance
    Set-WSManQuickConfig
    Test-WSMan

Enable-WSManCredSSP

NAME
    Enable-WSManCredSSP

SYNOPSIS
    Enables Credential Security Service Provider (CredSSP) authentication on a client computer.

SYNTAX
    Enable-WSManCredSSP [-Role] <string> [[-DelegateComputer] <string>] [<CommonParameters>]

DESCRIPTION
    The Enable-WSManCredSSP cmdlet enables CredSSP authentication on a client or on a server computer. When CredSSP authentication is used, the user’s credentials are passed to a remote computer to be authenticated. This type of authentication is designed for commands that create a remote session from within another remote session. For example, you use this type of authentication if you want to run a background job on a remote computer.

    This cmdlet is used to enable CredSSP on the client by specifying Client in the Role parameter. The cmdlet then performs the following:

        – Enables CredSSP on the client. The WS-Management setting <localhost|computername>\Client\Auth\CredSSP is set to true.
        – Sets the Windows CredSSP policy AllowFreshCredentials to WSMan/Delegate on the client.
        – Note: These settings allow the client to delegate explicit credentials to a server when server authentication is achieved.

    This cmdlet is used to enable CredSSP on the server by specifying Server in the Role parameter. The cmdlet then performs the following:

        – Enables CredSSP on the server. The WS-Management setting <localhost|computername>\Service\Auth\CredSSP is set to true.
        – Note: This policy setting allows the server to act as a delegate for clients.

    Caution: CredSSP authentication delegates the user’s credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

    To disable CredSSP authentication, use the Disable-WSManCredSSP cmdlet.

PARAMETERS
    -DelegateComputer <string>
        Allows the client credentials to be delegated to the server or servers that are specified by this parameter. The value of this parameter should be a fully qualified domain name.

        If the Role parameter specifies Client, the DelegateComputer parameter is mandatory.
        If the Role parameter specifies Server, the DelegateComputer parameter is not allowed.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Role <string>
        Accepts one of two possible values: Client or Server. These values specify whether CredSSP should be enabled as a client or as a server.

        If the Role parameter specifies Client, the cmdlet performs the following:

            – Enables CredSSP on the client. The WS-Management setting <localhost|computername>\Client\Auth\CredSSP is set to true.
            – Sets the Windows CredSSP policy AllowFreshCredentials to WSMan/Delegate on the client.
            – Note: These settings allow the client to delegate explicit credentials to a server when server authentication is achieved.

        If the Role parameter specifies the Server, the cmdlet performs the following:

            – Enables CredSSP on the server. The WS-Management setting <localhost|computername>\Service\Auth\CredSSP is set to true.
            – Note: This policy setting allows the server to act as a delegate for clients.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type
        “Get-Help about_CommonParameters”.

INPUTS
    None
        This cmdlet does not accept any input.

OUTPUTS
    System.Xml.XmlElement
        If CredSSP authentication is successfully enabled, this cmdlet generates an XMLElement object.

NOTES

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Enable-WSManCredSSP -Role client -DelegateComputer server02.accounting.fabrikam.com

    cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
    lang        : en-US
    Basic       : true
    Digest      : true
    Kerberos    : true
    Negotiate   : true
    Certificate : true
    CredSSP     : true

    Description
    -----------
    This command allows the client credentials to be delegated to the server02 computer.

    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>Enable-WSManCredSSP -Role client -DelegateComputer *.accounting.fabrikam.com

    cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
    lang        : en-US
    Basic       : true
    Digest      : true
    Kerberos    : true
    Negotiate   : true
    Certificate : true
    CredSSP     : true

    Description
    -----------
    This command allows the client credentials to be delegated to all the computers in the accounting.fabrikam.com domain.

    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>Enable-WSManCredSSP -Role client -DelegateComputer server02.accounting.fabrikam.com, server03.accounting.fabrikam.com, server04.accounting.fabrikam.com

    cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
    lang        : en-US
    Basic       : true
    Digest      : true
    Kerberos    : true
    Negotiate   : true
    Certificate : true
    CredSSP     : true

    Description
    -----------
    This command allows the client credentials to be delegated to multiple computers.

    -------------------------- EXAMPLE 4 --------------------------

    C:\PS>Enable-WSManCredSSP -Role server

    Description
    -----------
    This command allows a computer to act as a delegate for another. The Enable-WSManCredSSP cmdlet (shown in the earlier examples) only enables CredSSP authentication on the client, and specifies the remote computers that can act on its behalf. In order for the remote computer to act as a delegate for the client, the CredSSP item in the Service node of WSMan must be set to true.

    -------------------------- EXAMPLE 5 --------------------------

    C:\PS>Connect-WSMan server02
    Set-Item WSMan:\server02\service\auth\credSSP -value $true

    Description
    -----------
    This command allows a computer to act as a delegate for another computer. The Enable-WSManCredSSP commands that are shown in the earlier examples enable CredSSP authentication only on the client computer, and they specify the remote computers that can act on behalf of the client computer. For the remote computer to act as a delegate for the client computer, the CredSSP item in the Service directory of the WSMan provider must be set to true.

    In this example, the first command creates a connection to the remote server02 computer.

    The second command sets the credSSP value on the remote server02 computer, which allows the remote computer to act as a delegate.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkId=141442
    Connect-WSMan
    Disable-WSManCredSSP
    Disconnect-WSMan
    Get-WSManCredSSP
    Get-WSManInstance
    Invoke-WSManAction
    New-WSManInstance
    New-WSManSessionOption
    Remove-WSManInstance
    Set-WSManInstance
    Set-WSManQuickConfig
    Test-WSMan

Disable-WSManCredSSP

NAME
    Disable-WSManCredSSP

SYNOPSIS
    Disables Credential Security Service Provider (CredSSP) authentication on a client computer.

SYNTAX
    Disable-WSManCredSSP [-Role] <string> [<CommonParameters>]

DESCRIPTION
    The Disable-WSManCredSSP cmdlet disables CredSSP authentication on a client or on a server computer. When CredSSP authentication is used, the user’s credentials are passed to a remote computer to be authenticated. This type of authentication is designed for commands that create a remote session from within another remote session. For example, you use this type of authentication if you want to run a background job on a remote computer.

    The cmdlet is used to disable CredSSP on the client by specifying Client in the Role parameter. The cmdlet then performs the following:

        – Disables CredSSP on the client. The WS-Management setting <localhost|computername>\Client\Auth\CredSSP is set to false.
        – Removes any WSMan/* setting from the Windows CredSSP policy AllowFreshCredentials on the client.

    The cmdlet is used to disable CredSSP on the server by specifying Server in the Role parameter. The cmdlet then performs the following:

        – Disables CredSSP on the server. The WS-Management setting <localhost|computername>\Service\Auth\CredSSP is set to false.

    Caution: CredSSP authentication delegates the user’s credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

    To disable CredSSP authentication, use the Disable-WSManCredSSP cmdlet.

PARAMETERS
    -Role <string>
        Accepts one of two possible values: Client or Server. These values specify whether CredSSP should be disabled as a client or as a server.

        If the cmdlet is used to disable CredSSP on the client by specifying Client in the Role parameter, then the cmdlet performs the following:

            – Disables CredSSP on the client. The WS-Management setting <localhost|computername>\Client\Auth\CredSSP is set to false.
            – Removes any WSMan/* setting from the Windows CredSSP policy AllowFreshCredentials on the client.

        If the cmdlet is used to disable CredSSP on the server by specifying Server in the Role parameter, the cmdlet performs the following:

            – Disables CredSSP on the server. The WS-Management setting <localhost|computername>\Service\Auth\CredSSP is set to false.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type
        “Get-Help about_CommonParameters”.

INPUTS
    None
        This cmdlet does not accept any input.

OUTPUTS
    None
        This cmdlet does not generate any output.

NOTES

        To enable CredSSP authentication, use the Enable-WSManCredSSP cmdlet.

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Disable-WSManCredSSP -Role Client

    Description
    -----------
    This command disables CredSSP on the client, which prevents delegation to servers.

    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>Disable-WSManCredSSP -Role Server

    Description
    -----------
    This command disables CredSSP on the server, which prevents delegation from clients.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkId=141438
    Connect-WSMan
    Disconnect-WSMan
    Enable-WSManCredSSP
    Get-WSManCredSSP
    Get-WSManInstance
    Invoke-WSManAction
    New-WSManInstance
    New-WSManSessionOption
    Remove-WSManInstance
    Set-WSManInstance
    Set-WSManQuickConfig
    Test-WSMan