Differences

This shows you the differences between two versions of the page.

tutorial:adm:configuration_-_winrm [2021/10/20 05:03]
kucerar sddl registry
tutorial:adm:configuration_-_winrm [2021/11/29 13:35]
kucerar improved https setting
Line 50: Line 50:
   * Kerberos   * Kerberos
 <code>winrm set winrm/config/service/auth '@{Kerberos="true"}'</code> <code>winrm set winrm/config/service/auth '@{Kerberos="true"}'</code>
-  * CredSSP+  * CredSSP - HTTPS muse be enabled - see steps below: [[tutorial:adm:configuration_-_winrm?#https_support|HTTPS setting]]
 <code>winrm set winrm/config/service/auth '@{CredSSP="true"}' <code>winrm set winrm/config/service/auth '@{CredSSP="true"}'
 winrm set winrm/config/client/auth '@{CredSSP="true"}' winrm set winrm/config/client/auth '@{CredSSP="true"}'
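Review bot: The new CredSSP bullet has a typo and an odd link target: "HTTPS muse be enabled" should read "HTTPS must be enabled", and the internal link is written as `configuration_-_winrm?#https_support` with a stray `?` before the `#`, so please check that it resolves to the HTTPS section. Since this bullet is where readers decide whether to turn CredSSP on, consider adding one sentence saying why HTTPS is a precondition: CredSSP hands the user's credentials to the remote server, so the channel and the server identity need to be protected by TLS first. The two `winrm set` lines that follow enable CredSSP on both the service and the client; a short note on which machine each command is run on would remove the guesswork.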
Line 139: Line 139:
 <code>winrm set winrm/config/service '@{CertificateThumbprint=""}'</code> <code>winrm set winrm/config/service '@{CertificateThumbprint=""}'</code>
 The configuration of certificate thumbprint in the Listener should remain there. The configuration of certificate thumbprint in the Listener should remain there.
 +
 +=== CredSSP Delegate credentials error ===
 +If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be that the server with WinRM has credential delegation turned off
 +<code>
 +<class 'requests_credssp.exceptions.AuthenticationException'>("Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual ''",)
 +</code>
 +
 +To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative template\Windows Components\Windows Remote Management (WinRM)\WinRM Service.
 +
 +The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy.
 +The correct value is WSMAN/SPN of your server. For example
 +<code>
 +WSMAN/myComputer.myDomain.com
 +WSMAN/*.myDomain.com
 +</code>
 +
 +You need to restart the computer after that.
  
 === x509 attribute parsing error === === x509 attribute parsing error ===
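Review bot: The example values in the new "CredSSP Delegate credentials error" section put the wildcard `WSMAN/*.myDomain.com` on equal footing with the single-host SPN, which permits delegating fresh credentials to every WinRM host in the domain. I would show the specific `WSMAN/myComputer.myDomain.com` form as the recommended value and mention the wildcard only as a broader option with that consequence spelled out. Please also confirm the Group Policy path: Allow Delegating Fresh Credentials is normally listed under System\Credentials Delegation rather than under the WinRM Service node, and "Administrative template" should be "Administrative Templates". The final sentence should say which computer needs the restart, and the two sentence breaks "over HTTPS connection. the problem" and "To turn the credentials delegation on. Open" should be joined with commas. The intro sentence says "this error" before the error text appears, so moving the `<code>` block with the `requests_credssp` exception above the explanation would read better.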
  • by erbenr