Cmdlets

Choose a cmdlet from the list on the left or search for a specific cmdlet. Choose a cmdlet from the list or search for a specific cmdlet.
About Help  Providers
 

Enable-WSManCredSSP

Enable-WSManCredSSP

microsoft.wsman.management.dll

Synopsis

Enables Credential Security Support Provider (CredSSP) authentication on a client or on a server computer.

Syntax

Enable-WSManCredSSP [-Role] [-DelegateComputer] [-Force] [<CommonParameters>]

Detailed Description

The Enable-WSManCredSPP cmdlet enables CredSSP authentication on a client or on a server computer. When CredSSP authentication is used, the user's credentials are passed to a remote computer to be authenticated. This type of authentication is designed for commands that create a remote session from within another remote session. For example, you use this type of authentication if you want to run a background job on a remote computer.

This cmdlet is used to enable CredSSP on the client by specifying Client in the Role parameter. The cmdlet then performs the following:

- Enables CredSSP on the client. The WS-Management setting <localhost|computername>\Client\Auth\CredSSP is set to true.

- Sets the Windows CredSSP policy AllowFreshCredentials to WSMan/Delegate on the client.

- Note: These settings allow the client to delegate explicit credentials to a server when server authentication is achieved.

This cmdlet is used to enable CredSSP on the server by specifying Server in the Role parameter. The cmdlet then performs the following:

- Enables CredSSP on the server. The WS-Management setting <localhost|computername>\Service\Auth\CredSSP is set to true.

- Note: This policy setting allows the server to act as a delegate for clients.

Caution: CredSSP authentication delegates the user's credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

To disable CredSSP authentication, use the Disable-WSManCredSSP cmdlet.

Parameters

-DelegateComputer <String[]>

Allows the client credentials to be delegated to the server or servers that are specified by this parameter. The value of this parameter should be a fully qualified domain name.

If the Role parameter specifies Client, the DelegateComputer parameter is mandatory.

If the Role parameter specifies Server, the DelegateComputer parameter is not allowed.

Aliases

None

Required?

false

Position

2

Default value

None

Accept pipeline input?

false

Accept wildcard characters?

false

-Force <SwitchParameter>

Enables CredSSP without first prompting the user.

Aliases

None

Required?

false

Position

named

Default value

None

Accept pipeline input?

false

Accept wildcard characters?

false

-Role <String>

Accepts one of two possible values: Client or Server. These values specify whether CredSSP should be enabled as a client or as a server.

If the Role parameter specifies Client, the cmdlet performs the following:

- Enables CredSSP on the client. The WS-Management setting <localhost|computername>\Client\Auth\CredSSP is set to true.

- Sets the Windows CredSSP policy AllowFreshCredentials to WSMan/Delegate on the client.

- Note: These settings allow the client to delegate explicit credentials to a server when server authentication is achieved.

If the Role parameter specifies the Server, the cmdlet performs the following:

- Enables CredSSP on the server. The WS-Management setting <localhost|computername>\Service\Auth\CredSSP is set to true.

- Note: This policy setting allows the server to act as a delegate for clients.

Aliases

None

Required?

true

Position

1

Default value

None

Accept pipeline input?

false

Accept wildcard characters?

false

Input Type

None

Return Type

System.Xml.XmlElement

Notes

None

Examples

-------------------------- EXAMPLE 1 --------------------------

This command allows the client credentials to be delegated to the server02 computer.

PS C:\>enable-wsmancredssp -role client -delegatecomputer server02.accounting.fabrikam.com
cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

-------------------------- EXAMPLE 2 --------------------------

This command allows the client credentials to be delegated to all the computers in the accounting.fabrikam.com domain.

PS C:\>enable-wsmancredssp -role client -delegatecomputer *.accounting.fabrikam.com
cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

-------------------------- EXAMPLE 3 --------------------------

This command allows the client credentials to be delegated to multiple computers.

PS C:\>enable-wsmancredssp -role client -delegatecomputer server02.accounting.fabrikam.com, server03.accounting.fabrikam.com, server04.accounting.fabrikam.com
cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

-------------------------- EXAMPLE 4 --------------------------

This command allows a computer to act as a delegate for another. The Enable-WSManCredSSP cmdlet (shown in the earlier examples) only enables CredSSP authentication on the client, and specifies the remote computers that can act on it's behalf. In order for the remote computer to act as a delegate for the client, the CredSSP item in the Service node of WSMan must be set to true. This example sets the the CredSSP item in the Service node of WSMan to true.

PS C:\>enable-wsmancredssp -role server

-------------------------- EXAMPLE 5 --------------------------

This command allows a computer to act as a delegate for another computer. The Enable-WSManCredSSP commands that are shown in the earlier examples enable CredSSP authentication only on the client computer, and they specify the remote computers that can act on behalf of the client computer. For the remote computer to act as a delegate for the client computer, the CredSSP item in the Service directory of the WSMan provider must be set to true.

In this example, the first command creates a connection to the remote server02 computer.

The second command sets the credSSP value on the remote server02 computer, which allows the remote computer to act as a delegate.

PS C:\>connect-wsman server02
set-item wsman:\server02\service\auth\credSSP -value $true

Online Version
Connect-WSMan
Disable-WSManCredSSP
Disconnect-WSMan
Get-WSManCredSSP
Get-WSManInstance
Invoke-WSManAction
New-WSManInstance
New-WSManSessionOption
Remove-WSManInstance
Set-WSManInstance
Set-WSManQuickConfig
Test-WSMan