Configuring CredSSP for WinRM with PowerShell
Introduction
In some cases, a PowerShell script may need to access resources outside of a Secret Server machine. This requires that any credentials are delegated to the target machine. Secret Server runs PowerShell scripts using Windows Remote Management (WinRM), which does not allow credential delegation by default. To allow credential delegation, the Secret Server machine must have Credential Security Support Provider (CredSSP) enabled. CredSSP is a security support provider that allows a client to delegate credentials to a target server.
CredSSP is required for dealing with double-hop scenarios. Per Microsoft documentation:
-
CredSSP authentication is intended for environments where Kerberos delegation cannot be used.
-
Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.
-
The first hop we make to their DE or web node (Enter-PSSession localhost), if they are running code locally from there and then doing a remote call (e.g. testing access to a remote UNC path) it will then require the second hop.
Enabling CredSSP for WinRM in Secret Server
-
Go to Administration > Configuration. The General tab of the Configuration page appears:
-
Click Edit button at the bottom of the page.
-
Click to select the Enable CredSSP Authentication for WinRM checkbox.
-
Click the Save button.
Configuring CredSSP for WinRM on the Secret Server Machine
-
Log on to the machine running Secret Server.
-
Run Windows PowerShell as an administrator.
-
Enable client-side CredSSP by running:
Enable-WSManCredSSP -Role Client -DelegateComputer <Secret Server fully qualified machine name>
For example:
Enable-WSManCredSSP -Role Client -DelegateComputer <localhost>
localhost is the actual string that Secret Server uses to generate the PowerShell run space. Sometimes customers need both localhost and FQDN entries. In theory, those entries should be the same, thus not needing a second one. -
Enable server-side CredSSP by running:
Enable-WSManCredSSP -Role Server
-
The Web server always uses a specified account to run the PowerShell scripts. Considerations:
-
Ensure that account is added to the "Remote Management Users" local group on each Web server.
-
For RPCs with custom password changers, this would be "Change Password Using," and then select "Privileged Account."
-
For PowerShell password changers in the classic UI, this would be "Run PowerShell Using" and can alternatively be configured as the "Default Privileged Account" at the template level.
-
For custom dependencies using PowerShell scripts, this would be the "Run As" secret.
-
If you use any form of extensible discovery, this account needs to be the first secret that is linked to the scanner. Any additional secrets linked to the scanner are typically associated with authentication to the destination system.
-
Configuring CredSSP for WinRM on a Distributed Engine
You can alternatively configure CredSSP and the credential delegation to occur from your distributed engines by changing this setting at the site level:
-
Go to Admin > Distributed Engine. The Distribute Engine Configuration page appears:
-
Click the site panel button for the desired DE. The panel expands, displaying the DEs for that site:
-
Click the site name link at the top of the panel. The site's page appears:
-
Scroll down to see the Enable CredSSP Authentication for WinRM listing in the Advanced Site Configuration section.
-
If it is not enabled, log on to each of your distributed engines where CredSSP is enabled.
-
Run Windows PowerShell as an administrator.
-
Enable client-side CredSSP by running:
Enable-WSManCredSSP -Role Client -DelegateComputer <distributed engine fully qualified machine name>
Enable-WSManCredSSP -Role Client -DelegateComputer <localhost>
localhost is the actual string that the Distributed Engine is using to generate the run space. Some customers need to have both the localhost and FQDN entry. In theory, both entries above should be the same, thus not needing a second entry. -
Enable server-side CredSSP by running:
Enable-WSManCredSSP -Role Server
-
The distribute engine will always use a specified account to run the PowerShell scripts. Considerations:
- Ensure that account is added to the "Remote Management Users" local group on each engine where CredSSP is enabled.
- For RPCs with custom password changers, this would be "Change Password Using," and then select "Privileged Account".
- For PowerShell password changers in the classic UI, this would be "Run PowerShell Using" and can alternatively be configured as the "Default Privileged Account" at the template level.
- For custom dependencies using PowerShell scripts, this would be the "Run As" secret.
- If you use any form of extensible discovery, this account needs to be the first secret that is linked to the scanner. Any additional secrets linked to the scanner are typically associated with authentication to the destination system.
-
Ensure that the "Allow Delegating Fresh Credentials" group policy setting is enabled and is not disabled by a domain policy.
-
Open the gpedit.msc file on your Secret Server machine or distributed engine, depending on where CredSSP is enabled
-
Navigate to Computer Settings > Administrative Templates > System > Credentials Delegation.
-
Edit the "Allow Delegating Fresh Credentials" setting.
-
Verify that it is Enabled.
-
Click "Show..."
-
Verify that the list contains an entry that begins with "wsman/" and ends with the fully qualified machine name of the Secret Server machine or distributed engine.
-
If destination systems are non-domain joined or on another domain without a trust, it may be required for you to add in an entry for each destination system you wish to run the script or do discovery on (as examples). Consider collecting a list of all destination FQDNs for your specific use case and adding them all in one go.
-
-
Depending on where CredSSP is configured (Web server or distributed engine), run the following commands:
- View existing entries:
Get-Item WSMan:\localhost\Client\TrustedHosts
- Adding computers if your TrustedHosts list is empty:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <ComputerName>,[<ComputerName>]
- Adding computers to your existing TrustedHosts list:
$curList = (Get-Item WSMan:\localhost\Client\TrustedHosts).value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$curList, Server01"
- View existing entries:
-
On the destination system, if it is on a separate domain without a trust or non-domain joined, add the reverse WSman entries so the destination system trusts either Secret Server or your engines. Run one of the following commands:
Web server:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <Web Server 1 FQDN>,[<Web Server 2 FQDN>]
Engine:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <Distributed Engine 1 FQDN>, [<Distributed Engine 2 FQDN>]
-
Restart either Secret Server or the engine you just trusted.
Enabling CredSSP on Secret Server Agents for PowerShell Script Dependencies
Remote agents were upgraded to distributed engines in Secret Server version 8.9. This section only applies to Secret Server versions 8.8.000020 and earlier.
Remote Agents are only needed for networks that are not directly connected to the network that Secret Server is installed on. If you are not using remote agents, disregard this section.
By default, Secret Server agents inherit the "Enable CredSSP Authentication for WinRM" setting from Secret Server; however, you can override this in the agent configuration file as follows:
-
On the machine running the agent, locate the agent program files. By default, they are at
C:\Program Files (x86)\Thycotic Software Ltd\Secret Server Agent
. -
Edit the
SecretServerAgentService.exe.Config
file in a text editor. -
Locate the "UnencryptedSettings" section.
-
Add a new key to that section for EnableCredSSPForWinRM and set it to true. For example:
<add key="EnableCredSSPForWinRM" value="true" />
-
Restart the "Secret Server Agent" service to apply the setting.