Enable-WSManCredSSP

Enables Credential Security Support Provider (CredSSP) authentication on a computer.

Syntax

Enable-WSManCredSSP
      [[-DelegateComputer] <String[]>]
      [-Force]
      [-Role] <String>
      [<CommonParameters>]

Description

This cmdlet is only available on the Windows platform.

The Enable-WSManCredSSP cmdlet enables CredSSP authentication on a client or on a server computer. When CredSSP authentication is used, the user credentials are passed to a remote computer to be authenticated. This type of authentication is designed for commands that create a remote session from another remote session. For example, if you want to run a background job on a remote computer, use this kind of authentication.

Enable-WSManCredSSP can enable CredSSP on a Client or a Server. To enable CredSSP on a client, specify Client in the Role parameter. Clients delegate explicit credentials to a server when server authentication is achieved. To enable CredSSP on a server, specify Server in the Role parameter. A server acts as a delegate for clients. For more details, see Role in the Parameters section.

Caution

CredSSP authentication delegates the user credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

Examples

Example 1: Delegate client credentials

This example allows the client credentials to be delegated to a computer by using the fully qualified domain name.

Enable-WSManCredSSP -Role "Client" -DelegateComputer "Server02.fabrikam.com"

cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

Example 2: Delegate client credentials to all computers in a domain

This example allows the client credentials to be delegated to all the computers in the fabrikam.com domain. The asterisk (*) wildcard specifies all computers.

Note

Using wildcards with the DelegateComputer parameter can enable CredSSP on more computers than necessary.

Enable-WSManCredSSP -Role "Client" -DelegateComputer "*.fabrikam.com"

cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

Example 3: Delegate client credentials to multiple computers

This example allows the client credentials to be delegated to multiple computers.

$servers = "server02.fabrikam.com", "server03.fabrikam.com", "server04.fabrikam.com"
Enable-WSManCredSSP -Role "Client" -DelegateComputer $servers

cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

The $servers variable contains a list of server names. Enable-WSManCredSSP uses the Role parameter to specify the Client role. The DelegateComputer gets the computer names from the $servers variable.

Example 4: Allow a computer to act as a delegate

This example allows a computer to act as a delegate for another. The Enable-WSManCredSSP cmdlet, shown in the earlier examples, only enables CredSSP authentication on the client, and specifies the remote computers that can act on its behalf. In order for the remote computer to act as a delegate for the client, the CredSSP item in the Service node of WSMan must be set to true. This example sets the CredSSP item in the Service node of WSMan to true.

Enable-WSManCredSSP -Role "Server"

Example 5: Allow a computer to act as a delegate by using Set-Item

This example allows a computer to act as a delegate for another computer. The Enable-WSManCredSSP commands, shown in the earlier examples, enable CredSSP authentication only on the client computer, and they specify the remote computers that can act on behalf of the client computer. For the remote computer to act as a delegate for the client computer, the CredSSP item in the Service directory of the WSMan provider must be set to true.

Connect-WSMan -ComputerName "server02"
Set-Item -Path "WSMan:\server02\service\auth\credSSP" -Value $True

Connect-WSMan creates a connection to the remote computer, server02. Set-Item uses the Path parameter to specify the WSMan provider's location. The Value parameter sets the Service setting to true.

Parameters

-DelegateComputer

Specifies servers to which client credentials are delegated. The best practice is to use fully qualified domain names.

Wildcards are accepted, but can enable CredSSP on more computers than necessary.

If the Role parameter is Client, you must specify this parameter. If Role is Server, don't specify this parameter.

Type:String[]
Position:1
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:True

-Force

Forces the command to run without asking for user confirmation.

Type:SwitchParameter
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Role

Specifies whether to enable CredSSP as a client or as a server. The acceptable values for this parameter are: Client and Server.

If you specify Client, the following actions are performed. These settings allow the client to delegate explicit credentials to a server when server authentication is achieved.

  • Enables CredSSP on the client.
  • Sets the WS-Management setting \<localhost|computername\>\Client\Auth\CredSSP to true.
  • Sets the Windows CredSSP policy AllowFreshCredentials to WSMan/Delegate on the client.

If you specify Server, the following actions are performed. This policy setting allows the server to act as a delegate for clients.

  • Enables CredSSP on the server.
  • Sets the WS-Management setting \<localhost|computername\>\Service\Auth\CredSSP to true.
Type:String
Accepted values:Client, Server
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

You can't pipe objects to this cmdlet.

Outputs

XmlElement

If CredSSP authentication is successfully enabled, this cmdlet returns an XMLElement object.

Notes

To disable CredSSP authentication, use the Disable-WSManCredSSP cmdlet.