Question
Tuesday, March 13, 2018 8:35 PM
I have a Windows 7 VDI and am trying to set this with administrator PS (assuming I want to allow everything):
Enable-WSManCredSSP -Role Client -DelegateComputer * -Force
Once I run it, I get
cfg : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang : en-US
Basic : Basic
Digest : true
Kerberos : true
Negotiate : true
Certificate : true
CredSSP : true
and then I run Get-WSManCredSSP to get this result:
The machine is not configured to allow delegating fresh credentials.
This computer is not configured to receive credentials from a remote client computer.
I have tried a lot of things, including changing registry keys, editing the GPO policy in all ways possible - it always stays this way.
I have run this on several other PCs and servers with success. Any ideas why it does not work?
All replies (20)
Thursday, March 15, 2018 7:03 AM ✅Answered | 2 votes
I made a step-by-step tutorial for myself. Maybe it will help you.
1. On PC/Notebook check current status
Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials.
This computer is not configured to receive credentials from a remote client computer.
Enable CredSSP authentication
Enable-WSManCredSSP -Role Client -DelegateComputer *.domain.com
Get-WSManCredSSP
The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*.domain.com
This computer is not configured to receive credentials from a remote client computer.
2. Second (middle) server
Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials.
This computer is not configured to receive credentials from a remote client computer.
.. fix this by
Enable-WSManCredSSP -Role Server
Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.
Should be working.
Sometimes you can get an error message, like
.. Connecting to remote server **** failed with the following error message: The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted.
I think it can be fixed by editing local policy (on your notebook)
Allow delegating fresh credentials with NTLM-only server authentication
Then you can use Invoke-command -computername "targetserver" -credential $creds -authentication CredSSP -scriptblock {get-item \\depotserver\sharedfiles\*}
Friday, November 9, 2018 12:22 PM ✅Answered | 1 vote
Hi
I found the solution for you.
The whole thing is about writing a registry key.
There is also another way. I was working on this problem for almost two weeks, and now I know that sometimes you can have a problem with the command Enable-WSManCredSSP -Role client -DelegateComputer "my host"
That is because the command has no access for registry editing, even when you are running PowerShell as administrator. I think it's a Microsoft bug and I will create a ticket for MS Support. So when you first create the registry keys, you will be able to run the command Enable-WSManCredSSP -Role client -DelegateComputer "my host" without a problem.
But then you cannot disable it. So you have to delete the registry keys, and after that you can run the command Disable-WSManCredSSP -Role Client
However, there is a workaround and you can do it with this script
https://github.com/bolvua/Enable-WSManCredSSP
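A read-only check of the client-side settings discussed in this thread, added as an editorial example; it is not part of any reply and is not the linked script. It assumes PowerShell 3.0 or later in an elevated prompt and reads the registry location behind the "Allow Delegating Fresh Credentials" policy, which the replies do not name; `Get-CredSspClientAudit` and its property names are hypothetical.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
# The key below is the policy location behind "Allow Delegating Fresh
# Credentials"; function and property names are hypothetical.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredSspClientAudit {
    $root = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    foreach ($name in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        # The DWORD switches the policy on; the subkey of the same name
        # holds the numbered list of SPN targets (for example wsman/*).
        $targets = @()
        $listKey = Join-Path $PolicyRoot $name
        if (Test-Path -Path $listKey) {
            $key = Get-Item -Path $listKey
            $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
        }
        [pscustomobject]@{
            Setting  = $name
            Enabled  = [bool]($root -and ($root.$name -eq 1))
            Targets  = $targets -join ', '
            # wsman/* permits delegation to every host the user connects to.
            Wildcard = [bool]($targets -match '^wsman/\*$')
        }
    }
    # WinRM client view: is CredSSP on, and did a GPO set it?
    $auth  = Get-Item -Path WSMan:\localhost\Client\Auth\CredSSP -ErrorAction SilentlyContinue
    $hosts = Get-Item -Path WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting  = 'WinRM client CredSSP'
        Enabled  = ($auth.Value -eq 'true')
        Targets  = "TrustedHosts=$($hosts.Value); Source=$($auth.SourceOfValue)"
        Wildcard = ($hosts.Value -eq '*')
    }
}

Get-CredSspClientAudit | Format-Table -AutoSize
```

An empty Targets list for AllowFreshCredentials corresponds to the "not configured to allow delegating fresh credentials" message, and a Wildcard of True marks the `*` scopes used in this thread, which are worth narrowing to named hosts or a domain suffix.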
Tuesday, March 13, 2018 8:45 PM
Enable-WSManCredSSP -Role client -DelegateComputer * -Force
\(ツ)_/
Tuesday, March 13, 2018 8:50 PM
I am not trying to configure a server, but my PC as a client, to allow delegating fresh credentials. I have another Windows 10 desktop where when I ran the command I get Get-WSManCredSSP, it stays configured:
The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*
This computer is not configured to receive credentials from a remote client computer.
Tuesday, March 13, 2018 9:09 PM
From: https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/enable-wsmancredssp?view=powershell-6
The Enable-WSManCredSSP cmdlet enables Credential Security Support Provider (CredSSP) authentication on a client or on a server computer. When CredSSP authentication is used, the user credentials are passed to a remote computer to be authenticated. This type of authentication is designed for commands that create a remote session from another remote session. For example, if you want to run a background job on a remote computer, use this kind of authentication.
+ Example 1: Delegate client credentials (check it out)
Also the same command and expected results work on 3 other computers I have, so it is not a matter of principle how it works, but why it does not change my settings on that particular machine.
Tuesday, March 13, 2018 9:12 PM
You still have to enable the server to get the delegation to list on the client. Check all computers that show delegation enabled and you will see the server is enabled also.
\(ツ)_/
Tuesday, March 13, 2018 9:15 PM
Run these two commands on all systems to see.
winrm get winrm/config/client
winrm get winrm/config/service
\(ツ)_/
Tuesday, March 13, 2018 9:56 PM
On the server everything is configured and working, as it should. I can work with my other clients (machines) without a problem. My problem is, again, on this particular machine.
Even though winrm get winrm/config/client returns the proper configuration:
Client
    NetworkDelayms = 30000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true [Source="GPO"]
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = true
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = *
I still get an error when trying to create a remote PS session with CredSSP:
Connecting to remote server XXXXXX failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials
to the target computer because the computer is not trusted
Tuesday, March 13, 2018 10:00 PM
The client has to be trusted by the server. Be sure the server trusts the client computer. That is what the error is telling you.
Notice that the settings are coming from a GPO:
Basic = true [Source="GPO"]
Digest = true
Kerberos = true
Negotiate = true
On the server run:
winrm get winrm/config/service
\(ツ)_/
Tuesday, March 13, 2018 10:12 PM
The server is configured and working with all other clients.
This thread is not about server configuration, rather it concerns the cmdlet and why it does not change the settings on the client machine itself. After running:
Enable-WSManCredSSP -Role "Client" -DelegateComputer *
the configuration still stays the same, as "The machine is not configured to allow delegating fresh credentials."
where on all other machines it should and does say: "The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*"
Tuesday, March 13, 2018 10:16 PM
But is your client in the trusted hosts list on that server?
\(ツ)_/
Tuesday, March 13, 2018 10:23 PM
On the server: Get-WSManCredSSP returns:
The machine is configured to allow delegating fresh credentials to the following target(s): WSMAN/*
This computer is configured to receive credentials from a remote client computer.
What my problem is, is why the cmdlet does not change the client machine settings.
Tuesday, March 13, 2018 10:29 PM
That is not the command I asked you to run.
What hosts is the machine allowed to receive requests from?
The message tells you who it can delegate to not where it can receive requests from.
\(ツ)_/
Tuesday, March 13, 2018 11:10 PM
There is no option to specify hosts to receive from on the server side. The TrustedHosts is only used for the client.
But here as you wish the outputs from the server:
winrm get winrm/config/client
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = true [Source="GPO"]
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = *
winrm get winrm/config/service
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = true [Source="GPO"]
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = * [Source="GPO"]
    IPv6Filter = * [Source="GPO"]
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true [Source="GPO"]
The server can receive connection from other clients. The configuration there is of no interest.
The problem still remains that I cannot enable this particular machine with client configurations.
Tuesday, March 13, 2018 11:52 PM
There is something wrong. Perhaps your workstation has an issue with the domain. In order to use CredSSP you must connect as a Domain Admin or a Local Admin unless the security has been set otherwise.
You can test authentication easily like this:
Test-WsMan -Authentication Credssp -ComputerName remote -Credential domain\userid
\(ツ)_/
Wednesday, March 14, 2018 9:42 AM
I am connected as a local admin on the machine.
The test returns this:
Test-WsMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859171" Machine="XXX"><f:Message>The WinRM client cannot process the request. A computer policy does not allow the delegation of the
user credentials to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled
and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com.
However the policy is enabled, as you can see on the screenshot below:
Thursday, March 15, 2018 9:39 AM
The thing is, the Enable-WSManCredSSP -Role Server works, the Enable-WSManCredSSP -Role Client does not.
I am interested in fixing this:
The machine is not configured to allow delegating fresh credentials.
into this
The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*
After I run -Role Client, it stays the same on this particular machine (VDI with Windows 7). On my other Windows 7 and 10 machines it works...
Saturday, March 17, 2018 12:13 PM
Run gpresult and look for the following entry. It will show if the GP is actually working or if it is disabled by domain policy.
System/Credentials Delegation
Policy | Setting | Winning GPO
Allow Delegating Fresh Credentials | Enabled | Local Group Policy
\(ツ)_/
Wednesday, March 21, 2018 1:45 PM
There isn't a GPO applied for Allow Delegating Fresh Credentials setting.
Tuesday, August 13, 2019 1:39 PM
I did an in-place upgrade on my SCVMM 2019 according to:
https://www.microsoft.com/upgradecenter/scenario/WS2016-on-prem-to-WS2019
Afterwards, I had this issue :
Error (20406)
VMM could not enumerate instances of class Msvm_VirtualSystemManagementService on the server APX-CLU-HPV02.apx.local. Failed with error HRESULT 0x803381a2 The WinRM client cannot process the request. CredSSP authentication is currently disabled in the client configuration. Change the client configuration and try the request again. CredSSP authentication must also be enabled in the server configuration. Also, Group Policy must be edited to allow credential delegation to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com
The fix was :
Enable-WSManCredSSP -Role Server
Get-WSManCredSSP
The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.