Winrm quesiton

Fabricio Urbina 0 Reputation points
2024-04-12T15:55:26.31+00:00

Hello, I have a question regarding winrm.

Is there any way to authentication with Winrm and this value '@{AllowUnencrypted="false"}' ?

I´d like to know if is possible the authentication with this value in false, authentication type kerberos via http.

Thanks.

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,899 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marcin Policht 24,450 Reputation points MVP
    2024-04-12T17:20:23.6533333+00:00

    Yes, it is possible to authenticate with WinRM (Windows Remote Management) using Kerberos authentication over HTTP and specify the option AllowUnencrypted as false. This setting ensures that only encrypted communication is allowed, enhancing security.

    To achieve this, you would typically configure WinRM on the client and server to use Kerberos authentication and enable encryption. Here's how you can do it:

    1. Configure WinRM on the Server: ensure that the HTTP listener is configured to use Kerberos authentication, and restart the WinRM service
         Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos -Value $true
         Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
         
         Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos -Value $true
         
         Restart-Service WinRM
         
      
    2. Configure WinRM on the Client:
         Set-Item -Path WSMan:\localhost\Client\AllowUnencrypted -Value $false
         Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "ServerHostName"
      
      

    After configuring WinRM on both the client and server, you should be able to authenticate using Kerberos over HTTP with encryption enforced (AllowUnencrypted set to false). Ensure that the client is allowed to communicate with the server (specified in TrustedHosts), and both machines are part of the same domain or in trusted domains for Kerberos authentication to work seamlessly.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.