CredSSP auth failing while using Invoke-Command | winrm client cannot process the request

Vedant Sethia 0 Reputation points
2023-05-02T07:40:55.77+00:00

Hi,

I am trying to run the PowerShell script below using AWS SSM Automation. This script runs as the SSM Administrator and tries to enable the iSCSI service by running the script as a domain user account authenticated with CredSSP. Windows version: Windows_Server-2019-English-Full-Base

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$DomainNetBIOSName,

    [Parameter(Mandatory=$true)]
    [string]$AdminSecret,

    [Parameter(Mandatory=$true)]
    [string]$DomainDNSName
)

$HostName = hostname
# Getting Password from Secrets Manager for AD Admin User
$AdminUser = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString
$ClusterAdminUser = $DomainNetBIOSName + '\' + $AdminUser.UserName
# Creating Credential Object for Administrator
$Credentials = (New-Object PSCredential($ClusterAdminUser,(ConvertTo-SecureString $AdminUser.Password -AsPlainText -Force)))
# Run the iSCSI setup on this host as the domain user; CredSSP forwards the credential to the target
Invoke-Command -ScriptBlock {
    Write-Output "Iscsi Setup started"
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
    Start-Service -Name msiscsi
    Set-Service -Name msiscsi -StartupType Automatic
    Write-Output "Iscsi Setup completed"
} -Credential $Credentials -ComputerName $HostName -Authentication Credssp

Scenario: I have to run the same script on 2 AWS EC2 instances, where I join both EC2 instances to Active Directory > enable CredSSP on both > run the script mentioned above.

Script Steps:

SSM runs the script using the Administrator account. However, I need to run the script using the domain user account. Hence I decided to use CredSSP-based auth with Invoke-Command.

Domain join is successful. The script below is used to enable CredSSP. This works fine.

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$DomainDNSName
)

$HostName = hostname
$HostAddress = "{0}.{1}" -f $HostName, $DomainDNSName

# Accept delegated credentials on this host, and allow this host's client side
# to delegate to its own FQDN (writes the AllowFreshCredentials policy entries)
Enable-WSManCredSSP -Role "Server" -Force
Enable-WSManCredSSP -Role "Client" -DelegateComputer $HostAddress -Force

Now, when I try to run the PowerShell script to configure iSCSI, it works fine on the first EC2 instance (SqlFSx1.example.com) but throws the error below on instance 2 (SqlFSx2.example.com).

[SqlFSx2] Connecting to remote server SqlFSx2 failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe. If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (SqlFSx2:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : -2144108124,PSSessionStateBroken

Not sure what is happening.

I have added the domain user to the Administrators group as well.

I have tried the commands below as well, but I am facing the same issue on the second EC2 instance.

# Specify the SPN to create
$spn = "WSMAN/$HostName"

# Configure the local Group Policy to allow fresh credentials with NTLM-only server authentication
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
if (!(Test-Path $policyPath)) { New-Item $policyPath -Force | Out-Null }
Set-ItemProperty $policyPath "AllowFreshCredentials" -Value 1
Set-ItemProperty $policyPath "ConcatenateDefaults_AllowFresh" -Value 1
Set-ItemProperty $policyPath "AllowFreshCredentialsWhenNTLMOnly" -Value 1
Set-ItemProperty $policyPath "ConcatenateDefaults_AllowFreshNTLMOnly" -Value 1
# The policy is a no-op without a target list: each list is a subkey holding
# one string value per allowed SPN ("1" = "WSMAN/<host>"), which is what
# Enable-WSManCredSSP -Role Client -DelegateComputer writes
foreach ($list in "AllowFreshCredentials", "AllowFreshCredentialsWhenNTLMOnly") {
    $listPath = Join-Path $policyPath $list
    if (!(Test-Path $listPath)) { New-Item $listPath -Force | Out-Null }
    Set-ItemProperty $listPath "1" -Value $spn
}

# Configure the local computer to allow delegation to the remote server using NTLM-only authentication
# (note: this CredSSP\Parameters key holds the Encryption Oracle Remediation setting,
# not the delegation policy, so these two values are not read by the CredSSP client)
Invoke-Command -ComputerName $HostName -ScriptBlock {
    $p = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
    if (!(Test-Path $p)) { New-Item $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name "AllowFreshCredentials" -Value "1"
    Set-ItemProperty -Path $p -Name "ConcatenateDefaults_AllowFresh" -Value "1"
}
# WSMan:\localhost\Client has no AllowFreshCredentials item; the client-side
# setting is the CredentialsDelegation policy key written above
Set-Item -Path "WSMan:\localhost\Client\Auth\CredSSP" -Value 1
Set-Item -Path "WSMan:\localhost\Client\TrustedHosts" -Value $HostName -Force

# Create the SPN on the remote server using setspn.exe
Invoke-Command -ComputerName $HostName -ScriptBlock {
    param($spn)
    setspn -s $spn $env:COMPUTERNAME
} -ArgumentList $spn

Not sure what I am missing here. Any help would be appreciated.

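One way to work through the checks the error text lists, in order, before loosening any delegation policy. This is an added example, not code from the question or its answer. It is written for the poster's setup (Windows Server 2019, domain-joined, run as the same domain user the iSCSI script uses), takes the same $DomainDNSName input plus a PSCredential, and uses the host's FQDN throughout; the parameter names and the host names are assumptions.

```powershell
# Added diagnostic (not from the question). Run on the failing instance as the
# domain user. Each step maps to one sentence of the "computer is not trusted"
# error, so the layer that fails is visible before any policy is changed.
# $DomainDNSName / $Credential are assumed inputs matching the question's scripts.
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$DomainDNSName,

    [Parameter(Mandatory=$true)]
    [pscredential]$Credential
)

$HostName    = $env:COMPUTERNAME
$HostAddress = "{0}.{1}" -f $HostName, $DomainDNSName

# 1. Name resolution. CredSSP authenticates the target with Kerberos, which
#    needs the name passed to -ComputerName to resolve and to map to an SPN.
$a = Resolve-DnsName -Name $HostAddress -Type A -ErrorAction Stop
Write-Output ("DNS: {0} -> {1}" -f $HostAddress, ($a.IPAddress -join ', '))

# 2. Plain Kerberos to the WinRM listener as the domain user, no delegation.
#    If this fails, the error is a Kerberos/SPN problem; the NTLM-only policy
#    named in the error would only hide it.
Test-WSMan -ComputerName $HostAddress -Authentication Kerberos -Credential $Credential -ErrorAction Stop | Out-Null
Write-Output "Kerberos: OK to $HostAddress"

# 3. SPNs on the computer account. HOST/<fqdn> is sufficient for WSMAN
#    (WSMAN/ falls back to HOST/); a missing or duplicate entry shows here.
Write-Output "SPNs registered on ${HostName}:"
setspn -L $HostName

# 4. What this client is allowed to delegate to. The allow-list entry must
#    match the name used in -ComputerName (FQDN here), not the short name.
Write-Output "CredSSP client/server state:"
Get-WSManCredSSP

$allowList = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
if (Test-Path $allowList) {
    Write-Output "AllowFreshCredentials entries:"
    (Get-ItemProperty -Path $allowList).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "  {0} = {1}" -f $_.Name, $_.Value }
}

# 5. The real call, by FQDN so the Kerberos SPN and the delegation entry agree.
Invoke-Command -ComputerName $HostAddress -Credential $Credential -Authentication Credssp -ScriptBlock {
    [pscustomobject]@{
        RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Iscsi     = (Get-Service -Name msiscsi).Status
    }
}
```

Run it on the instance that fails before changing anything. The client refuses because CredSSP hands the domain user's cleartext password to whatever answers at the target name, so it insists on authenticating that target with Kerberos first; the "Allow Fresh Credentials with NTLM-only Server Authentication" policy the error mentions removes that check, which with an admin credential is a large exposure, so a failure at step 2 or 3 is better fixed than bypassed. Separately, the iSCSI script turns off all three firewall profiles, which starting msiscsi does not require.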

1 answer

  1. Limitless Technology 44,056 Reputation points
    2023-05-03T13:45:58.62+00:00

    Hello there,

    This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP is allowed.

    https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/credssp-encryption-oracle-remediation

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--

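To see where the Encryption Oracle Remediation setting the answer refers to actually stands on both ends of the connection, here is an added example (not part of the answer or the linked article) that reads the policy value locally and on a remote host and maps the number to the level names from that article. The remote host name is an assumption taken from the question.

```powershell
# Added example, not from the answer above. Reads the CredSSP Encryption
# Oracle Remediation value and labels it. Remote host name is assumed.
function Get-CredSspOracleSetting {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [pscredential]$Credential
    )

    $read = {
        $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
        $value = (Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
        if ($null -eq $value) {
            $level = 'Not configured (updated systems behave as Mitigated)'
        } else {
            $level = switch ($value) {
                0       { 'Force Updated Clients' }
                1       { 'Mitigated' }
                2       { 'Vulnerable' }
                default { "Unknown value $value" }
            }
        }
        [pscustomobject]@{
            ComputerName          = $env:COMPUTERNAME
            AllowEncryptionOracle = $value
            Level                 = $level
        }
    }

    if ($ComputerName -ieq $env:COMPUTERNAME) {
        & $read
    } else {
        # Deliberately not CredSSP: if Kerberos/Negotiate already fails here,
        # the problem is WinRM reachability or trust, not this setting.
        $params = @{ ComputerName = $ComputerName; ScriptBlock = $read }
        if ($Credential) { $params.Credential = $Credential }
        Invoke-Command @params
    }
}

# Compare both ends of the connection (assumed names from the question).
Get-CredSspOracleSetting
Get-CredSspOracleSetting -ComputerName 'SqlFSx2.example.com'
```

A mismatch between the two rows (for example "Vulnerable" on one side and "Force Updated Clients" on the other) is the situation the linked article describes; identical rows on both hosts rule that setting out.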