IIS WinRM Extension - Kerberos authentication does not work

  • Question

  • User-65819655 posted

    Hello,

    I need to set up a couple of servers with IIS + WinRM extension (for high availability and load balancing purposes).

    As a reference, I used the following:

    For now I am just working with a single server.

    • I create a dedicated pool running under a domain account
    • I create a custom DNS record to be used as an alias for load balancing
    • The website has been configured:
      • for HTTPS on a custom port (10000) + a trusted SSL certificate
      • authentication is set up for Negotiate:Kerberos (+ useAppPoolCredentials=true)
    • SPNs are declared as required
    • etc.

    If I use Kerberos Authentication Tester targeting https://FQDN-ALIAS:10000, I get a successful Kerberos authentication and the related ticket.

    However if I try to establish a session from a client computer...

    New-PSSession -ConnectionUri "https://FQDN-ALIAS:10000"

    I get an access denied (401). On the client computer, I can see the following error in the event log:

    "The authentication mechanism (Kerberos) requested by the client is not supported by the server.

    Possible authentication mechanisms reported by server: Negotiate"

    Below is the web.config file of the website:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <system.management.wsmanagement.config>
                <PluginModules>
                    <OperationsPlugins>
                        <Plugin Name="PowerShellplugin" Filename="%windir%\system32\pwrshplugin.dll" SDKVersion="1" XmlRenderingType="text">
                            <InitializationParameters>
                                <Param Name="PSVersion" Value="2.0" />
                            </InitializationParameters>
                            <Resources>
                                <Resource ResourceUri="http://schemas.microsoft.com/powershell/Microsoft.PowerShell" SupportsOptions="true">
                                    <Capability Type="Shell" />
                                </Resource>
                            </Resources>
                        </Plugin>
                    </OperationsPlugins>
                </PluginModules>
            </system.management.wsmanagement.config>

            <security>
                <access sslFlags="Ssl" />
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" useKernelMode="false" useAppPoolCredentials="true">
                        <providers>
                            <clear />
                            <add value="Negotiate:Kerberos" />
                        </providers>
                        <extendedProtection tokenChecking="None" />
                    </windowsAuthentication>
                </authentication>
            </security>
            <modules>
                <add name="WSMan" />
            </modules>
        </system.webServer>
    </configuration>



    Thursday, October 9, 2014 12:54 PM

Answers

  • User1183424175 posted

    Hi,

    According to your description, I suggest that you try setting the Windows authentication provider to Negotiate instead of Negotiate:Kerberos:

    <windowsAuthentication>
        <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
        </providers>
    </windowsAuthentication>

    Friday, October 10, 2014 5:40 AM
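As an added example that is not part of the original thread, the PowerShell below applies the IIS authentication settings the question describes (Windows authentication, user mode, useAppPoolCredentials, an explicit provider list), registers the HTTP SPNs for the alias on the pool account, and then checks from a client which package actually authenticated the session. The site name `WinRMSite`, alias `winrm-alias.corp.example`, account `CORP\svc-winrm` and port 10000 are assumptions for illustration, not values from the post, and the WSMan plugin section of the web.config is left untouched. It keeps `Negotiate` as the only provider; set `$Providers = @('Negotiate','NTLM')` to reproduce the accepted answer.

```powershell
# Added example, not code from the original thread. Assumed names (not from the post):
# site "WinRMSite", DNS alias "winrm-alias.corp.example", pool account "CORP\svc-winrm", port 10000.
# Steps 1-3 run on the IIS host as an administrator (step 3 needs rights to write the
# account's SPNs); step 4 runs on a domain-joined client.
Import-Module WebAdministration

$Site        = 'WinRMSite'
$Alias       = 'winrm-alias.corp.example'   # load-balancing alias that clients connect to
$PoolAccount = 'CORP\svc-winrm'             # domain account the application pool runs as
$Port        = 10000
$Providers   = @('Negotiate')               # @('Negotiate','NTLM') reproduces the accepted answer

# Write to the site's <location> in applicationHost.config. windowsAuthentication is
# normally locked at that level, so a site web.config like the one in the question is
# only honoured if the section has been unlocked first.
$Root       = 'MACHINE/WEBROOT/APPHOST'
$AuthFilter = 'system.webServer/security/authentication/windowsAuthentication'
$common     = @{ PSPath = $Root; Location = $Site }

# 1. Windows authentication only, user mode, tickets decrypted with the pool account's
#    key (the account the HTTP/<alias> SPN is registered on, not the machine account).
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty @common -Filter $AuthFilter -Name enabled               -Value $true
Set-WebConfigurationProperty @common -Filter $AuthFilter -Name useKernelMode         -Value $false
Set-WebConfigurationProperty @common -Filter $AuthFilter -Name useAppPoolCredentials -Value $true

# 2. Replace the provider list with exactly $Providers.
$ProvFilter = "$AuthFilter/providers"
Get-WebConfiguration @common -Filter "$ProvFilter/add" | ForEach-Object {
    Remove-WebConfigurationProperty @common -Filter $ProvFilter -Name '.' -AtElement @{ value = $_.value }
}
foreach ($p in $Providers) {
    Add-WebConfigurationProperty @common -Filter $ProvFilter -Name '.' -Value @{ value = $p }
}

# 3. SPNs for the alias on the pool account. setspn -S refuses to create a duplicate,
#    and a duplicate SPN on another account is a common reason Kerberos fails quietly.
foreach ($spn in @("HTTP/$Alias", "HTTP/${Alias}:$Port")) {
    & setspn.exe -S $spn $PoolAccount | Out-Null
}
& setspn.exe -L $PoolAccount

# 4. From a domain-joined client. The client event log in the question says the server
#    only offers Negotiate, so request Negotiate rather than the Kerberos scheme, then read
#    back on the server which package really authenticated the session.
function Test-WinRmKerberos {
    param([string]$Uri = "https://${Alias}:$Port")
    $s = New-PSSession -ConnectionUri $Uri -Authentication Negotiate -ErrorAction Stop
    try {
        Invoke-Command -Session $s -ScriptBlock {
            $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            [pscustomobject]@{ User = $id.Name; Package = $id.AuthenticationType }
        }
    } finally {
        Remove-PSSession $s
    }
}

# Package should read "Kerberos". "NTLM" means Negotiate fell back, usually because the
# SPN is missing or on the wrong account; 'klist' on the client should show HTTP/<alias>.
Test-WinRmKerberos
```

Leaving NTLM out of the provider list is deliberate: with `Negotiate` alone, Kerberos is still what Negotiate picks whenever the client can obtain a ticket for `HTTP/<alias>`, and a broken SPN shows up as a hard failure instead of a silent downgrade to NTLM that the `Package` column would otherwise reveal only on inspection. Adding NTLM, as the accepted answer does, restores connectivity in that case but also accepts NTLM from any client, so check the `Package` value before deciding the setup is finished.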