Enable CredSSP via PowerShell on Windows Server 2008 R2


Posted on 3rd June 2013 by Mike in Windows 2008 R2


Enabling CredSSP is needed when you're doing a double hop, i.e. when a remote session must itself authenticate to a third machine. The example below shows what we're talking about:

[--------1st hop--------] [----------------2nd hop----------------]
Script executes on Server 1 >>> Script connects to Server 2 and downloads a file from Server 3

On the machine that will make the 1st hop:

1st – Enable group policy:
Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials
-Enable
-Show list of servers
-Add "wsman/*.domain.com" or "wsman/servername.domain.com", where servername is the name of the machine that makes the first hop
(you're allowing the 1st machine to delegate CredSSP credentials to *.domain.com machines, or to a specific host/server on domain.com)

2nd – Enable WSManCredSSP via PowerShell:
Enable-WSManCredSSP -Role Client -DelegateComputer *.domain.com -Force

May be necessary, but wasn't in our case:
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain -Name WSMan -Value "WSMAN/*.domain.com"

On the machine that will make the 2nd hop:

Enable WSManCredSSP via PowerShell:
Enable-WSManCredSSP -Role Server -Force; logoff
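Putting the two halves together, here is a worked script that verifies the settings above and then performs the double hop itself. This is an added example, not code from the original post: the host names server1/server2/server3.domain.com, the share path and the file names are placeholders, and the script assumes the group policy step above has already been done on the first-hop machine. It also shows the part the steps above leave implicit: enabling CredSSP alone changes nothing until a session actually requests it with -Authentication Credssp and an explicit credential.

```powershell
# Added example: check the CredSSP configuration and run the double hop
# described above. Host names, share and file paths are placeholders.

$secondHop = 'server2.domain.com'                  # machine that reaches out to server 3
$source    = '\\server3.domain.com\share\file.txt' # file on the 3rd server
$dest      = 'C:\temp\file.txt'

# --- On the 1st-hop machine (run locally) ------------------------------------
# Delegate only to the one server that needs it rather than *.domain.com:
# CredSSP hands that server the user's full credentials, so keep the list as
# narrow as the task allows.
Enable-WSManCredSSP -Role Client -DelegateComputer $secondHop -Force | Out-Null

# Show what is currently configured (client delegation list and server state).
Get-WSManCredSSP

# --- On the 2nd-hop machine (done here through an ordinary remote session) ---
Invoke-Command -ComputerName $secondHop -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
    Get-WSManCredSSP
}

# --- The double hop itself ---------------------------------------------------
# The session must ask for CredSSP explicitly and supply the credential to
# delegate; the default Kerberos/Negotiate session will not forward it.
$cred = Get-Credential   # account that may read the share on server 3

Invoke-Command -ComputerName $secondHop -Authentication Credssp -Credential $cred -ScriptBlock {
    param($src, $dst)
    # Runs on server 2 with the delegated credential, so the UNC path on
    # server 3 is reachable. Without CredSSP this step fails with access denied.
    Copy-Item -Path $src -Destination $dst -Force
    Get-Item $dst | Select-Object FullName, Length
} -ArgumentList $source, $dest

# --- Clean up when the task is finished --------------------------------------
# Remove the delegation on both sides so credentials are not forwarded for
# longer than the job needs.
Disable-WSManCredSSP -Role Client
Invoke-Command -ComputerName $secondHop -ScriptBlock { Disable-WSManCredSSP -Role Server }
```

Run Get-WSManCredSSP on both machines before and after to confirm the change; on the first hop it lists the delegation targets, on the second it reports whether the server role is enabled. If the copy still fails with access denied, the usual cause is a session opened without -Authentication Credssp, or a delegation target that does not match the name used in -ComputerName.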