Back in the Windows Vista days, we introduced a new security delegation module called Credential Security Service Provider (CredSSP). This was originally designed to work with Terminal Services because everything in Terminal Services is basically a second hop.

CredSSP 101:

1) On client computer, I need to use the Enable-WSManCredSSP cmdlet to enable the client role and then specify the computer to which I want to delegate my credentials. This command is shown here.

Enable-WSManCredSSP -Role Client -DelegateComputer remoteserver.mydomain.local -Force

2) Now, I also need to make a change on the remote server to permit it to use delegated credentials. This command is shown here.

Enable-WSMaCredSSP -Role Server –Force

3) Always on remote server,

Also: Note: Remoting is turned off by default and you have to run Enable-PSRemoting to turn it on.

PS> Get-PSSessionConfiguration |fl *

If you decide you want to allow others, what you do is run the command:

PS> Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI   ; the GUI Appears, add your account you want to allow remote access and check the boxes Read(get,enumerate,suscribe) and Execute(invoke):

Are you sure you want to perform this action?
Performing operation “Set-PSSessionConfiguration” on Target “Name: Microsoft.PowerShell”.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is “Y”): y

4) Always on the remote server, stop and start winRM

net stop winrm

net start winrm

5) from the client computer, you can use the following powershell script using credssp:

  1. When making the PS Session, ensure that I use –Authentication CredSSP.
  2. When making the PS Session, ensure that I use the FQDN of the remote server. (This is true because I specified the delegate computer as * If I had specified the delegate computer as, I would not need the FQDN.)

My use CredSSP script is shown here.

$credential = Get-Credential -Credential mydomain\administrator

$session = New-PSSession -cn remoteserver.mydomain.local -Credential $credential -Authentication Credssp

Invoke-Command -Session $session -ScriptBlock { … }

Invoke-Command -Session $session -ScriptBlock { Get-WUHistory }


WinRM troubleshooting:


Finding remote session connected to your computer?
who is running a (hidden) remote PowerShell on your machine? Here’s a simple one-liner:
Get-WSManInstance -ConnectionURI (‘http://{0}:5985/wsman’ -f $env:computername) -ResourceURI shell -Enumerate
It will return anyone connecting via port 5985 to your machine. However, if you’re not running in a domain environment,
you first have to enable non-Kerberos connections
(remember that without Kerberos, you no longer know for sure that the target computer really is the computer it pretends
to be):Set-Item WSMan:\localhost\Client\TrustedHosts * -Force