
I have this setup: a HostPC which will connect with, say, two remote PCs in order to run PowerShell commands. So I will be using WSManConnectionInfo for this with HTTPS. I am just stuck on the concept of using Kerberos and certificates in terms of authenticating the connection.

Here are the questions:

  • From what I understand of WSMan, WSManConnectionInfo will be using both Kerberos and Negotiate as methods of authentication by default to verify the connection is done on a domain or through localhost. Am I right?
  • If I am using certificate authentication, how can I set up WinRM on the HostPC and remote PCs using certificates from the code below in a PowerShell script?
New-SelfSignedCertificate `
  -DnsName <PCName> `
  -CertStoreLocation <Path> `
  -KeyLength 2048 `
  -NotAfter (Get-Date).AddYears(xx) `
  -TextExtension @("2.5.29.37={text}<OID Purpose>")

The way I approached this was by using the video tutorial below:

Configure WinRM over HTTPS with Self signed Certificate

So when I used WinRM for setting up the listener, I used the remote PCs' certificates in the listener:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<RemotePCName>";CertificateThumbprint="<RemotePC Certificate Thumbprint>"}'

Then on the HostPC I just used:

connectionInfo = new WSManConnectionInfo(new Uri($"https://{MachineName}:5986/wsman"), "http://schemas.microsoft.com/powershell/Microsoft.PowerShell", new PSCredential(<username>, <password>));

and it worked fine with no issues, but I have a feeling it should be done like this. What have I done wrong, and also can you please advise on the part about the certificate creation, import and export, as I am confused about how it should be done?

I know that in the WSManConnectionInfo I can use

connectionInfo.CertificateThumbprint = <Certificate Thumbprint>
  • The whole point of Kerberos is to establish mutual trust between all the PCs and a KDC (usually the DCs in an Active Directory domain), so that the KDC can (cryptographically) instruct both the caller and callee as to whether to trust the identity of the other. Using hardcoded self-signed certificates is thus the opposite of Kerberos. Commented Jul 10 at 10:24
  • @MathiasR.Jessen Thank you for the comment. So, if I understood this correctly, because they are on the same domain it will be able to form a connection with the remote PCs. Also, can you advise on the certificate approach and how I should do it? Like, what do I need to set up on the HostPC and remote PCs? Commented Jul 10 at 10:36

1 Answer


From what I understand from WSMan is that WSManConnectionInfo will be using both Kerberos and Negotiate as methods of authentication by default to verify the connection is done on a domain or through localhost. Am I right?

Negotiate (or SPNEGO) is a protocol that negotiates with the remote side as to what protocol to use. Generally Kerberos is favoured then NTLM, but other options are available, and it depends what's been enabled on each side.

But WSMan locks on to Kerberos-only if no explicit credentials are passed and the local side is in an AD domain. This is to prevent an insecure fallback to NTLM. So you should not supply credentials when in an AD domain; the default logged-in user will be used with Kerberos. Note you must use the DNS name, not the IP address, or you will get NTLM fallback.

If I am using Certificate authentication, how can I setup the WinRM on HostPC and remote PCs using certificates from code below in PowerShell Script

The property connectionInfo.CertificateThumbprint is for client-side authentication, so not relevant here. In other words, with the right CA setup, you can use a certificate to authenticate the client using Kerberos PKINIT, which means you don't need to be logged in as a particular user and you don't need to specify a password.

A self-signed server certificate is rather insecure, and not much better at all than not using TLS altogether. And given you should be using Kerberos in a domain, you don't need TLS anyway, as Kerberos can provide secure encryption over standard HTTP. Please take a read of the docs.

Ideally you should use a private CA to generate the certificate. With Windows CA you can do this using Group Policy. WSMan will automatically pick up an available certificate for the server side.

You only need a certificate if falling back to NTLM, as it's a relatively insecure protocol (and on the way to being deprecated). Kerberos (at the time of writing) cannot be used outside of a domain, so NTLM is the next best and really should have TLS as extra protection. You should also turn on the Strict option for Channel Binding.

While it is possible to force a self-signed server certificate using the following command:

New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

I strongly recommend you don't do this, as it just slows the connection down without giving any meaningful security. You need a proper CA-signed certificate.

Whatever you do, do NOT specify Basic or Digest authentication, they are extremely insecure.
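An added example, not part of the question, the answer or its comments, that applies the answer's advice in PowerShell: harden the WinRM service on each remote PC (Kerberos kept, Basic and CredSSP off, channel binding Strict, unencrypted payloads refused), then connect from the HostPC with Kerberos forced and no explicit credential, and check on the remote side which authentication package was actually used. The host name `remote01.corp.example` is a made-up placeholder and the two function names are mine; both machines are assumed to be joined to the same AD domain.

```powershell
# Added example (not from the original post or answer). Assumes HostPC and the
# remote PCs are domain-joined; 'remote01.corp.example' is a hypothetical FQDN.

function Set-WinRMKerberosOnly {
    # Run elevated on each remote PC. The plain HTTP listener is left in place:
    # inside a domain Kerberos already encrypts the SOAP payload, so a
    # self-signed HTTPS listener adds nothing (per the answer above).
    Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos -Value $true
    # Negotiate is deliberately left on: it is the default client mechanism and
    # still picks Kerberos when an SPN exists; NTLM is only a fallback.
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic    -Value $false
    Set-Item -Path WSMan:\localhost\Service\Auth\CredSSP  -Value $false
    # Channel-binding-token hardening, the "Strict" option the answer mentions.
    Set-Item -Path WSMan:\localhost\Service\Auth\CbtHardeningLevel -Value Strict
    # Never accept a client that negotiated message encryption off.
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

    # Return the resulting service auth settings so the change can be reviewed.
    Get-ChildItem -Path WSMan:\localhost\Service\Auth | Select-Object Name, Value
}

function Test-KerberosRemoting {
    param([Parameter(Mandatory)][string]$ComputerFqdn)

    # Kerberos needs an SPN, and an SPN is looked up by host name: an IP address
    # silently turns into NTLM, which is exactly the fallback the answer warns about.
    if ($ComputerFqdn -match '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "Use the DNS name, not an IP address, or Kerberos cannot be used."
    }

    # No -Credential: the logged-on domain user's ticket is used. Forcing
    # -Authentication Kerberos turns an NTLM fallback into an error instead of
    # a silent downgrade.
    $session = New-PSSession -ComputerName $ComputerFqdn -Authentication Kerberos -ErrorAction Stop
    try {
        # Ask the remote side which package authenticated this logon.
        Invoke-Command -Session $session -ScriptBlock {
            $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            [PSCustomObject]@{
                Computer = $env:COMPUTERNAME
                User     = $id.Name
                Package  = $id.AuthenticationType   # expect 'Kerberos', not 'NTLM'
            }
        }
    }
    finally {
        Remove-PSSession -Session $session
    }
}

# On each remote PC (elevated):   Set-WinRMKerberosOnly
# On the HostPC, as a domain user: Test-KerberosRemoting -ComputerFqdn 'remote01.corp.example'
```

If `Package` comes back as `NTLM`, the remote host has no matching SPN or was addressed by something other than its DNS name. The C# equivalent of the client half is to leave the `PSCredential` out of the `WSManConnectionInfo` constructor, put the FQDN in the URI, and set `connectionInfo.AuthenticationMechanism = AuthenticationMechanism.Kerberos` so that the runspace refuses to fall back to NTLM.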


9 Comments

Would this approach also be helpful for having CA-signed certificates so that they can be used in this situation: Self Signed Certificates: Create your own Certificate Authority (CA) for local HTTPS sites
Yes, as long as both sides trust the CA certificate. Would be easier to use Windows Server CA, or otherwise there are tools that can do this, eg EJBCA, FreeIPA, EasyPKI etc. If you want to use it as client-side auth then you also need to make sure that it has the correct OID to store the user SID, which is a bit messy. I found this as a good summary of authentication.
Thank you Charlie, that was really helpful! Slight question: I looked at the part of the command for certificate (password-less) based authentication in WinRM, the -Credential (Get-Credential) part in "Create the winrm user mapping". I would assume I will need to use the server credentials or the client credentials (sorry if it is a dumb question)
Not sure, but I think it's the credentials for the server to impersonate when that certificate connects
Appreciate it, I just had quick look at it but I will take my time later to read it. Thank you for the help and the advice.
