Is it possible to use the MS-WSMV WMI provider to query root\directory\ldap?

  • Question

  • It seems that every WMI query against the root\directory\ldap namespace fails to return any results.

    Similarly, if I am running a remote PowerShell process over WSMV, any attempt to use System.DirectoryServices objects results in the error: "An operations error occurred."

    I am worried that the WSMV server does not forward credentials to the domain controller, causing these access problems.  Is that the case?  Is there a way to enable regular behavior?  Normally a process running on the target machine using the domain credentials I used for WSMV authentication would have access to these resources.

    Tuesday, August 13, 2013 3:42 AM

Answers

  • David sent a sample test script to dochelp @ Microsoft dot com to help us reproduce the problem on a Windows machine. I provided the following details, which he is reviewing. His main interest is in implementing an option similar to -ad, i.e. allow delegate.

    1. Required configuration steps for CredSSP on Windows machines

    Try the following instructions to set up CredSSP and add the "-ad" flag to the winrs command line.

    From an admin PowerShell:
     set-item WSMan::localhost\Client\Auth\CredSSP true
     set-item WSMan::localhost\service\Auth\CredSSP true

    Delegation of credentials
     Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer named "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com.

        Execute the command "restart-service winrm" from PowerShell.

    2. Test the configuration
       Example command from a regular command prompt. Note the "-" at the end.
       C:\>winrs -ad -r:http://Server01.mydomain10.com:5985 -u:mydomain10\administrator powershell -File c:\Test.ps1 -

       Explanation of the switch -ad
       -a[llow]d[elegate] - Specifies that the user's credentials can be used to access a remote share, for example, found on a different machine than the target endpoint.

    3. Note to implementers regarding the -ad option.
       When using the -ad option, the client essentially uses CredSSP. Please refer to the open specification MS-CSSP to implement this. Section "3.1.4.1.28 Security" of MS-WSMV describes how authentication is carried out. Since encryption is used for confidentiality and integrity protection when HTTP is the transport, Sections 2.2.9.1 and 2.2.9.1.3 provide details on how it is done when the -ad option is used, i.e. in the case of CredSSP.


    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications


    Thursday, August 29, 2013 4:32 PM
    Moderator
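The three steps in the answer above, carried out end to end from PowerShell, as an added example that is not part of the original thread. The host name `Server01.mydomain10.com`, the domain `mydomain10` and the `administrator` account are placeholders taken from the answer's winrs command line; `Enable-WSManCredSSP` writes the same WSMan settings and the same "Allow Delegating Fresh Credentials" policy entry (WSMAN/<target>) that the answer configures by hand. The probe script block exercises both things the question reports as failing, first over the default (Kerberos/Negotiate) connection and then with `-Authentication Credssp`, which is what `winrs -ad` does.

```powershell
# Added example (not part of the original post). Host, domain and account are
# placeholders borrowed from the answer's winrs command; adjust for your
# environment. Run from an elevated PowerShell session on the client.
$Target = 'Server01.mydomain10.com'   # assumed target host
$Domain = 'mydomain10'                # assumed NetBIOS domain name
$cred   = Get-Credential "$Domain\administrator"

# 1. Server side: let the WinRM service accept CredSSP. Same setting as
#    "set-item WSMan::localhost\service\Auth\CredSSP true" in the answer,
#    applied here over a normal (Kerberos) first hop.
Invoke-Command -ComputerName $Target -Credential $cred -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
    Get-Item WSMan:\localhost\Service\Auth\CredSSP   # expect Value : true
}

# 2. Client side: enable the client CredSSP setting and write the
#    "Allow Delegating Fresh Credentials" policy entry for WSMAN/<target>
#    (the gpedit.msc step in the answer). -DelegateComputer also accepts a
#    wildcard such as '*.mydomain10.com'.
Enable-WSManCredSSP -Role Client -DelegateComputer $Target -Force | Out-Null
Restart-Service WinRM

# Check what is in place before testing.
Get-Item WSMan:\localhost\Client\Auth\CredSSP        # expect Value : true
Get-WSManCredSSP                                      # lists delegation targets

# 3. Test. The probe touches the root\directory\ldap WMI provider and
#    System.DirectoryServices, the two things the question says fail.
$probe = {
    $result = [ordered]@{}
    try {
        $result.WmiUser = Get-CimInstance -Namespace 'root/directory/ldap' -ClassName ds_user -ErrorAction Stop |
            Select-Object -First 1 -ExpandProperty ds_samaccountname
    } catch { $result.WmiUser = "FAILED: $($_.Exception.Message)" }
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.Filter = '(objectClass=domainDNS)'
        $result.DomainDn = $searcher.FindOne().Properties['distinguishedname'][0]
    } catch { $result.DomainDn = "FAILED: $($_.Exception.Message)" }
    [pscustomobject]$result
}

# Default authentication: the remote process runs under a network logon token
# that carries nothing it can present to the domain controller, so both
# lookups fail with the errors described in the question.
$withoutDelegation = Invoke-Command -ComputerName $Target -Credential $cred -ScriptBlock $probe

# CredSSP, the equivalent of "winrs -ad": the client hands the target a copy
# of the credentials, so the remote process can authenticate onward to the DC.
$withDelegation = Invoke-Command -ComputerName $Target -Credential $cred `
    -Authentication Credssp -ScriptBlock $probe

"Without delegation:"; $withoutDelegation | Format-List
"With CredSSP:";       $withDelegation    | Format-List
```

Two things worth knowing before turning this on: `Restart-Service WinRM` drops every existing remote session on the machine, and CredSSP gives the target host a reusable copy of the user's password, so a compromised target can use it anywhere that account is valid. Enable the server side only on hosts you would trust with that password, scope the client's delegation entry to specific WSMAN SPNs rather than a broad wildcard, and consider Kerberos constrained delegation where the second hop is always the same service.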

All replies

  • Hi,

    Thank you for your question. One of our team members will review this and follow-up soon.

    Thanks,

    Edgar

    Tuesday, August 13, 2013 3:10 PM
    Moderator
  • Hello fhv_dave,
    I am the engineer who will be working with you on this issue. I am currently researching the problem and will provide you with an update soon.


    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications

    Wednesday, August 14, 2013 2:08 PM
    Moderator
  • Thanks Sreekanth, I look forward to hearing your answer!
    Thursday, August 15, 2013 6:35 PM