Cannot configure certificate-based authentication in WinRM/WSMan

I am trying to configure certificate-based authentication in WinRM. I need it to set up a source-initiated WEF subscription from a non-domain computer. I am following the manual published by MS: https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription My environment: I have 2 servers:

  • wef01.mydomain.local (this is the machine that will send events; it is not joined to AD)
  • wec01.mydomain.local (this is my event collector; it is joined to AD)

Both machines run Windows Server 2019 Standard. I also have my own PKI:

  • RootCA.mydomain.local
  • IssuingCA.mydomain.local

I have already set up both wef01 and wec01. I have created a local user account on the wec01 machine named wef01. For debugging purposes I added this user to the local Administrators group. I have checked that I can log on (interactively via RDP) to wec01 with this account. On the server wec01 I have mapped the certificate issued to the machine wef01 to the local account wef01:
$UserName = 'wef01'
$UserPassword = (ConvertTo-SecureString -String '*********' -AsPlainText -Force)
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $UserPassword
$params = @{
    Path = 'WSMan:\localhost\ClientCertificate'
    Subject = "wef01.mydomain.local"
    URI = '*'
    Issuer = "716A23DA41C9CF0DB9F5D35E2CF187A5A53F844F" #My PKI RootCA Cert thumbprint
    Credential = $credential
    Force = $true
}
New-Item @params

After completing all configuration steps, I checked that I can open a WinRM session using username/password authentication:

$UserName = 'wef01'
$UserPassword = (ConvertTo-SecureString -String '*********' -AsPlainText -Force)
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $UserPassword
Enter-PSSession wec01.mydomain.local -UseSSL -Credential $credential
[wec01.mydomain.local]: PS C:\Users\wef01\Documents>

Yes, that works, but the certificate-based authentication attempt fails:

Enter-PSSession wec01.mydomain.local -UseSSL -CertificateThumbprint $Thumbprint 
Enter-PSSession : Connecting to remote server wec01.mydomain.local failed with the following error message : WS-Management cannot process the request. The operation failed because of an HTTP error. The HTTP error (12186) is: The client certificate credentials were not recognized. . For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession wec01.mydomain.local -UseSSL -CertificateThumbprint ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (wec01.mydomain.local:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

The $Thumbprint variable contains the thumbprint of the certificate issued to the wef01 machine for authentication. This certificate is installed in the LocalMachine\my store, with EnhancedKeyUsage set to Client Authentication and subjectAltName set to DNS Name = wec01.mydomain.local. I have looked at many other sites about configuring certificate-based authentication in WinRM but have not found a solution. Does anyone know what I am doing wrong? Best regards, Lukid

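The following diagnostic is an added example and is not code from the post or from Microsoft's documentation. It collects, on each side, the properties that WinRM certificate authentication depends on: on the client, whether the certificate has a private key, the Client Authentication EKU, what its SAN actually contains, and which CA certificate directly issued it; on the service, whether certificate authentication is enabled (it is off by default), whether an HTTPS listener exists, and for each ClientCertificate mapping whether the Issuer thumbprint matches a CA certificate the server holds. Two points worth comparing against the post's configuration: the mapping's Issuer value is the thumbprint of the CA certificate that issued the client certificate, which in a two-tier PKI is the issuing CA rather than the root, and published WinRM certificate-auth setups (including Microsoft's) have the client certificate carry a UPN in the SAN rather than only a DNS name. The host names, account name and thumbprint placeholders are assumptions; the function and variable names are the example's own.

```powershell
# Added diagnostic (not part of the original post). Assumes the client certificate is in
# Cert:\LocalMachine\My on wef01 and that the mapping on wec01 was created with
# New-Item WSMan:\localhost\ClientCertificate. All thumbprint values below are placeholders.

function Test-WinRMClientCert {
    # Run on the CLIENT (wef01). Reports the properties WinRM needs from the client certificate.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) must be present.
    $ekuExt     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $clientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

    # SAN contents. Published WinRM certificate-auth setups put a UPN (Principal Name) in the
    # SAN; a SAN that carries only a DNS name is worth flagging when a mapping does not match.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true).Trim() } else { '' }

    # The mapping's Issuer is the thumbprint of the CA that DIRECTLY issued this certificate.
    # With a two-tier PKI that is the issuing CA, not the root, so read it from the built chain.
    $chain     = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null      = $chain.Build($cert)
    $issuingCa = if ($chain.ChainElements.Count -ge 2) { $chain.ChainElements[1].Certificate.Thumbprint } else { $null }

    [pscustomobject]@{
        Subject               = $cert.Subject
        HasPrivateKey         = $cert.HasPrivateKey
        ClientAuthEKU         = $clientAuth
        SanHasUPN             = ($sanText -match 'Principal Name=')
        SAN                   = $sanText
        IssuingCAThumbprint   = $issuingCa   # compare with the Issuer value of the server-side mapping
        ChainStatus           = ($chain.ChainStatus | ForEach-Object Status) -join ','
        ClientCertAuthEnabled = (Get-Item WSMan:\localhost\Client\Auth\Certificate).Value
    }
}

function Test-WinRMCertMapping {
    # Run on the SERVER (wec01). Lists the mappings and checks the service-side prerequisites.
    $serviceAuth   = (Get-Item WSMan:\localhost\Service\Auth\Certificate).Value   # 'false' by default
    $httpsListener = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }   # client cert auth needs HTTPS

    $mappings = Get-ChildItem WSMan:\localhost\ClientCertificate | ForEach-Object {
        $p = @{}
        Get-ChildItem $_.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
        # Is the Issuer thumbprint a CA certificate this server actually holds and trusts?
        $issuerCert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
            Where-Object { $_.Thumbprint -eq $p['Issuer'] } | Select-Object -First 1
        [pscustomobject]@{
            Subject       = $p['Subject']
            Issuer        = $p['Issuer']
            IssuerCAFound = [bool]$issuerCert
            IssuerCAName  = if ($issuerCert) { $issuerCert.Subject } else { $null }
            URI           = $p['URI']
            UserName      = $p['UserName']
            Enabled       = $p['Enabled']
        }
    }

    [pscustomobject]@{
        ServiceCertAuthEnabled = $serviceAuth
        HttpsListenerPresent   = [bool]$httpsListener
        Mappings               = $mappings
    }
}

# Usage (placeholders):
#   On wef01:  Test-WinRMClientCert -Thumbprint 'CLIENT_CERT_THUMBPRINT'
#   On wec01:  (Test-WinRMCertMapping).Mappings | Format-List
# Then, from wef01, exercise the transport without PowerShell remoting in the way:
#   Test-WSMan -ComputerName wec01.mydomain.local -UseSSL -Authentication ClientCertificate `
#              -CertificateThumbprint 'CLIENT_CERT_THUMBPRINT'
```

Read the two outputs side by side: IssuingCAThumbprint from the client should equal the Issuer of the mapping on the server, IssuerCAFound should be true, ServiceCertAuthEnabled should be true, and the mapping's Subject should match the certificate's Subject. A mismatch in any of these produces the same generic HTTP 12186 ("client certificate credentials were not recognized") the post shows, which is why it is quicker to compare the values than to iterate on Enter-PSSession.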