PowerShell CredSSP session using an IP address

I need to open a PowerShell remoting session from server A to server B using CredSSP authentication. However, server A cannot resolve B's name. CredSSP is enabled on A to pass credentials to B (WSMAN/xxx.xxx.xxx.xxx is enabled under "Allow delegating fresh credentials"), and B is configured to receive delegated credentials. Is it possible to somehow open CredSSP using the IP address instead of the hostname/FQDN?

PS C:\Windows\system32> New-PSSession xxx.xxx.xxx.xxx -Authentication Credssp -Credential user
New-PSSession : [xxx.xxx.xxx.xxx] Connecting to remote server xxx.xxx.xxx.xxx failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}'  Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe .  If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication.  Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession xxx.xxx.xxx.xxx -Authentication Credssp -Credential user

Answer 1

"credssp" requires the SPN setting in the "AllowFreshCredentials" Group Policy

"The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled on the WinRM client, and a service principal name (SPN) with the WSMAN prefix must be added to the policy."

https://msdn.microsoft.com/en-us/library/ee309365%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

The SPN syntax requires an FQDN or NetBIOS name rather than an IP address.

https://msdn.microsoft.com/en-us/library/ms677601(v=vs.85).aspx
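As an added example (not code from the question or the answer above), the following PowerShell reads the WSMAN/ SPN entries that the AllowFreshCredentials policy holds on a WinRM client and checks whether a given target would match one of them, rejecting IP literals outright for the reason the answer gives. The registry key is the one the Credentials Delegation policy writes to; the sample target names and SPN entries are constructed.

```powershell
# Added example, not code from the original post: enumerate the WSMAN/ SPN entries
# that the "Allow delegating fresh credentials" policy contains on this WinRM client
# and test whether a given target name could be matched by one of them.
# Assumption: the policy is applied via GPO/gpedit, which stores its entries under
# the registry key below. The sample target names and SPNs are constructed.

function Get-CredSspFreshCredentialSpn {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    # Each entry is a value named "1", "2", ... whose data is a string such as WSMAN/*.domain.com
    foreach ($name in $item.GetValueNames()) { [string]$item.GetValue($name) }
}

function Test-CredSspDelegationTarget {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [string[]] $Spn = @(Get-CredSspFreshCredentialSpn)
    )
    # An IP literal can never satisfy the policy: the client has to build a WSMAN/<name>
    # SPN for the target, and the SPN syntax takes an FQDN or NetBIOS name, not an address.
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$null)) {
        return [pscustomobject]@{ Target = $Target; Allowed = $false; MatchedSpn = $null
                                  Reason = 'target is an IP literal; use a resolvable host name' }
    }
    foreach ($entry in $Spn) {
        if ($entry -notlike 'WSMAN/*') { continue }      # only WSMAN-prefixed SPNs count for WinRM
        $pattern = $entry.Substring('WSMAN/'.Length)     # e.g. *.domain.com or myserver.domain.com
        if ($Target -like $pattern) {                    # -like is case-insensitive and honours the * wildcard
            return [pscustomobject]@{ Target = $Target; Allowed = $true; MatchedSpn = $entry; Reason = 'matched' }
        }
    }
    [pscustomobject]@{ Target = $Target; Allowed = $false; MatchedSpn = $null
                       Reason = 'no WSMAN/ SPN in AllowFreshCredentials matches this name' }
}

# Constructed sample run against an in-memory policy list instead of the live registry
$samplePolicy = @('WSMAN/*.domain.com', 'WSMAN/192.0.2.10')
Test-CredSspDelegationTarget -Target 'myserver.domain.com' -Spn $samplePolicy   # a host name, checked against the wildcard entry
Test-CredSspDelegationTarget -Target '192.0.2.10'          -Spn $samplePolicy   # an IP literal, as in the question
```

Run it without -Spn on the client to check the policy actually in effect there; Get-WSManCredSSP shows the same client-side state in summary form.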
