Delegation when using CredSSP and PowerShell

Understand delegation when using CredSSP

John Savill

March 29, 2017


Q. I'm using CredSSP for management of remote machines that involve a hop. What should the delegation be set to?

A. CredSSP can be used when Kerberos is not usable and makes it easy to pass credentials across a hop, i.e. machine A connects to machine B, and machine B then performs actions against machine C using the same credential. A common use case is a machine in a workgroup or untrusted domain connecting to a jumpbox in the target domain and then issuing commands against that domain from the jumpbox. On that client, the delegation policy needs two entries:

  • One for the jumpbox itself, which can be an IP address since the jumpbox may be reached from a machine without name resolution

  • One for the machines that will actually be managed from the jumpbox, e.g. *.domain.com

These would be prefixed with WSMAN/. For example:

  1. Open the local policy of the client machine (gpedit.msc)

  2. Navigate to Computer Configuration - Administrative Templates - System - Credentials Delegation

  3. Double click Allow delegating fresh credentials

  4. Set it to Enabled and click Show... next to Add servers to the list:

  5. Add the entries (one per line), e.g.
    - WSMAN/
    - WSMAN/*.savilltech.net

  6. Click OK to all dialogs

Access via CredSSP should now work and allow management of the remote machines in the target domain.

Note: if you are not using Kerberos or certificate authentication but NTLM instead, the policy you need to set is also Allow delegating fresh credentials with NTLM-only server authentication.
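The same client-side configuration can be scripted instead of clicked through in gpedit.msc. The script below is an added example, not part of the original article: it writes the two WSMAN/ entries from the steps above with Enable-WSManCredSSP, optionally sets the NTLM-only policy from the note above, and then performs the two-hop call. The jumpbox address 10.0.0.5 and the server name srv01.savilltech.net are assumptions; *.savilltech.net is the suffix used in the article's own example.

```powershell
# Added example (not from the article): client-side CredSSP delegation set up from
# PowerShell rather than gpedit.msc. 10.0.0.5 and srv01.savilltech.net are assumed names.
#Requires -RunAsAdministrator

param(
    [string]$JumpboxIp   = '10.0.0.5',          # assumed jumpbox IP (first hop)
    [string]$TargetScope = '*.savilltech.net',  # machines managed from the jumpbox (second hop)
    [switch]$NtlmOnly                            # first hop authenticates with NTLM, not Kerberos
)

# One entry per hop; Enable-WSManCredSSP adds the WSMAN/ prefix itself.
$delegateTo = @($JumpboxIp, $TargetScope)

# Writes AllowFreshCredentials and its WSMAN/ list under the CredentialsDelegation policy key
# and switches on CredSSP client authentication in WinRM.
Enable-WSManCredSSP -Role Client -DelegateComputer $delegateTo -Force | Out-Null

# The NTLM-only policy is a separate value/subkey; it is written explicitly here so the
# result does not depend on what the cmdlet version in use happens to set.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if ($NtlmOnly) {
    $ntlmKey = Join-Path $policyRoot 'AllowFreshCredentialsWhenNTLMOnly'
    New-Item -Path $ntlmKey -Force | Out-Null
    Set-ItemProperty -Path $policyRoot -Name 'AllowFreshCredentialsWhenNTLMOnly'           -Value 1 -Type DWord
    Set-ItemProperty -Path $policyRoot -Name 'ConcatenateDefaults_AllowFreshNTLMOnly'       -Value 1 -Type DWord
    $i = 1
    foreach ($entry in $delegateTo) {
        # Same format as the GPO dialog: numbered string values holding WSMAN/<server>
        Set-ItemProperty -Path $ntlmKey -Name $i -Value "WSMAN/$entry" -Type String
        $i++
    }
}

# Verify what the client will now hand a full credential to. Review this list: every
# entry here receives the plaintext credential, so it should be as narrow as possible.
Get-WSManCredSSP
Get-ItemProperty -Path (Join-Path $policyRoot 'AllowFreshCredentials') |
    Select-Object -Property * -ExcludeProperty PS*

# The hop itself. The first hop uses CredSSP; inside that session the delegated
# credential is already present, so the second hop needs no -Credential at all.
$cred = Get-Credential -Message 'Account used for both hops'
Invoke-Command -ComputerName $JumpboxIp -Credential $cred -Authentication Credssp -ScriptBlock {
    Invoke-Command -ComputerName 'srv01.savilltech.net' -ScriptBlock { hostname }
}
```

Two practical caveats when using this: connecting to the jumpbox by IP rather than by name additionally requires that IP to be in the client's WinRM TrustedHosts list (or an HTTPS listener on the jumpbox), and the jumpbox must have Enable-WSManCredSSP -Role Server applied before it will accept the first hop. Keep the delegation list to exactly the hosts in the procedure; a broad pattern such as WSMAN/* would let any host the client ever connects to receive the full credential, which is the main risk of CredSSP compared with Kerberos delegation.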
