IIS WinRM Extension - Kerberos authentication does not work

  • Question

  • User-65819655 posted


    I need to set up a couple of servers with IIS + WinRM extension (for high availability and load balancing purposes).

    As a reference, I used the following:

    For now I am just working with a single server.

    • I create a dedicated pool running under a domain account
    • I create a custom DNS record to be used as alias for load balancing
    • website has been configured:
      • for HTTPS with custom port (10000) + trusted SSL certificate
      • authentication is set up for Negotiate:Kerberos (+ useAppPoolCredentials=true)
    • SPNs are declared as required
    • etc.

    If I use Kerberos Authentication Tester targeting https://FQDN-ALIAS:10000, I get a successful Kerberos authentication and related ticket.

    However if I try to establish a session from a client computer...

    New-PSSession -ConnectionUri "https://FQDN-ALIAS:10000"

    I got an access denied (401)... On the client computer, I can see the following error in the event log:

    "The authentication mechanism (Kerberos) requested by the client is not supported by the server.

    Possible authentication mechanisms reported by server: Negotiate"

    Below is the web.config file of the website:

    <?xml version="1.0" encoding="UTF-8"?>
              <Plugin Name="PowerShellplugin" Filename="%windir%\system32\pwrshplugin.dll" SDKVersion="1" XmlRenderingType="text">
                    <Param Name="PSVersion" Value="2.0" />
                    <Resource ResourceUri="http://schemas.microsoft.com/powershell/Microsoft.PowerShell" SupportsOptions="true">
                        <Capability Type="Shell" />
                <access sslFlags="Ssl" />
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" useKernelMode="false" useAppPoolCredentials="true">
                            <clear />
                            <add value="Negotiate:Kerberos" />
                        <extendedProtection tokenChecking="None" />
                <add name="WSMan" />

    Thursday, October 9, 2014 12:54 PM


  • User1183424175 posted


    According to your description, I suggest that you try setting the Windows authentication provider to Negotiate instead of Negotiate:Kerberos.

                            <clear />
                            <add value="Negotiate" />
                            <add value="NTLM" />

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, October 10, 2014 5:40 AM
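
The provider list suggested in the answer also changes what the endpoint will accept, so it is worth checking the resulting settings. The PowerShell below is an added example, not code from either post: it audits the authentication settings shown in the question before and after the suggested change. `Get-WinAuthFinding` is a hypothetical helper and the sample XML is constructed, with the standard `<configuration>/<system.webServer>/<security>` parent elements assumed because the posted file does not show them.

```powershell
# Added example (not from the thread). $sample is constructed input: the question's
# authentication settings placed under the standard IIS parent elements (assumed).
$sample = @'
<configuration><system.webServer><security>
  <access sslFlags="Ssl" />
  <authentication>
    <anonymousAuthentication enabled="false" />
    <basicAuthentication enabled="false" />
    <windowsAuthentication enabled="true" useKernelMode="false" useAppPoolCredentials="true">
      <providers><clear /><add value="Negotiate:Kerberos" /></providers>
      <extendedProtection tokenChecking="None" />
    </windowsAuthentication>
  </authentication>
</security></system.webServer></configuration>
'@

function Get-WinAuthFinding {
    param([Parameter(Mandatory)][xml]$Config)

    $sec = $Config.SelectSingleNode('/configuration/system.webServer/security')
    if (-not $sec) { throw 'No <security> section under <system.webServer>.' }

    # Helper: attribute of the first node matching an XPath under <security>, or nothing.
    $attr = {
        param($xpath, $name)
        $node = $sec.SelectSingleNode($xpath)
        if ($node) { $node.GetAttribute($name) }
    }
    $win = 'authentication/windowsAuthentication'
    $providers = @($sec.SelectNodes("$win/providers/add") | ForEach-Object { $_.GetAttribute('value') })

    $findings = @()
    # sslFlags is a comma-separated flag list; "Ssl" must be one of the flags.
    if ((("$(& $attr 'access' 'sslFlags')" -split ',').Trim()) -notcontains 'Ssl') {
        $findings += 'TLS is not required (access sslFlags lacks Ssl).'
    }
    foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication') {
        if ((& $attr "authentication/$scheme" 'enabled') -eq 'true') { $findings += "$scheme is enabled." }
    }
    if ($providers -contains 'NTLM') {
        $findings += 'NTLM is offered, so clients can authenticate without Kerberos.'
    }
    if ("$(& $attr "$win/extendedProtection" 'tokenChecking')" -in '', 'None') {
        $findings += 'Extended Protection is off: channel binding tokens are not checked.'
    }
    [pscustomobject]@{ Providers = $providers; Findings = $findings }
}

# Question's settings, then the same file with the answer's provider list applied.
$answer = $sample -replace '<add value="Negotiate:Kerberos" />', '<add value="Negotiate" /><add value="NTLM" />'
(Get-WinAuthFinding -Config ([xml]$sample)), (Get-WinAuthFinding -Config ([xml]$answer)) | Format-List
```

The helper only reads what is declared in the file it is given; settings inherited from applicationHost.config are not evaluated.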