Enable-WSManCredSSP

Unlocking the Power of Enable-WSManCredSSP in PowerShell

Welcome back to Wahmans PowerShell Blog! Today we're diving into a powerful and sometimes misunderstood cmdlet: Enable-WSManCredSSP. It turns on Credential Security Support Provider (CredSSP) authentication for WinRM, which lets a client hand its credentials to a remote computer so that computer can authenticate onward on your behalf. That is exactly what the classic double-hop remoting problem needs, and exactly why the cmdlet deserves some care.

Let’s break it down and explore four useful scenarios where Enable-WSManCredSSP can be your best friend, complete with PowerShell example code.

What is Enable-WSManCredSSP?

This cmdlet activates CredSSP authentication, which delegates the user's credentials to the remote computer. With the default Kerberos or NTLM authentication, the remote session only gets a network logon: the server can prove who you are but holds nothing it could reuse, so a second hop (you remote into server A and try to reach server B or a file share from there) fails with an access denied error. CredSSP fixes that by giving server A your actual credentials to use.

⚠️ Security Warning: CredSSP sends your real password (or an equally reusable credential) to the remote server, where it is held in memory for the life of the session. Anyone with administrative access to that server, or malware running on it, can recover and reuse it elsewhere. Only enable CredSSP towards specific, trusted hosts, never with a wildcard (-DelegateComputer *), disable it again when the task is done, and prefer Kerberos constrained delegation or JEA where they can solve the same problem.


Example 1: Enable CredSSP for the Client (Beginner)

If you're remoting from your local client to a remote server and need to use CredSSP, enable it as a client first. This must be run from an elevated PowerShell session, because it changes machine-wide WinRM and policy settings.

Enable-WSManCredSSP -Role Client -DelegateComputer "server01.domain.local"

This command allows your computer to delegate credentials to server01.domain.local and nothing else. Under the hood it sets WSMan:\localhost\Client\Auth\CredSSP to true and adds WSMAN/server01.domain.local to the "Allow delegating fresh credentials" list in the local policy registry. -DelegateComputer also accepts a list, and you should always name hosts explicitly rather than use a wildcard.


Example 2: Enable CredSSP on the Server (Intermediate)

On the machine that you’re connecting to (the server), run this command to allow it to accept credentials via CredSSP:

Enable-WSManCredSSP -Role Server

This sets WSMan:\localhost\Service\Auth\CredSSP to true, so the WinRM service on the server accepts delegated credentials and can use them for onward authentication. The server still needs a working WinRM listener, so run Enable-PSRemoting there first if remoting is not already configured.
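After running either of the two commands above it is worth confirming what actually changed. The following function is an added example, not code from the original post: run it in an elevated PowerShell on the client or the server and it reports the CredSSP client and service flags from the WSMan: drive, lists every delegation target recorded under the "Allow delegating fresh credentials" policy keys, and flags any wildcard entry. The registry location and value layout it reads are the ones Enable-WSManCredSSP -Role Client writes to; the NTLM-only list is included as an assumption so that manually or GPO-configured entries are not missed.

```powershell
# Added example (not from the original post): report the local CredSSP state so you
# can confirm what Enable-WSManCredSSP changed and spot over-broad delegation.
# Requires an elevated session with the WinRM service running (for the WSMan: drive).
function Get-CredSspState {
    $clientEnabled = (Get-Item -Path WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
    $serverEnabled = (Get-Item -Path WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'

    # Enable-WSManCredSSP -Role Client records its targets under the
    # "Allow delegating fresh credentials" policy key as string values named "1", "2", ...
    # The NTLM-only list is checked as well (assumption: GPO or manual edits may use it).
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $targets = foreach ($list in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $key = Join-Path -Path $policyRoot -ChildPath $list
        if (Test-Path -Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |          # skip PSPath etc.
                ForEach-Object { [pscustomobject]@{ List = $list; Target = $_.Value } }
        }
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ClientEnabled   = $clientEnabled
        ServerEnabled   = $serverEnabled
        DelegateTargets = @($targets)
        # A target containing '*' (for example WSMAN/*) lets this client hand its
        # credentials to any host that answers, which is the setting to hunt for.
        WildcardTargets = @($targets | Where-Object { $_.Target -match '\*' })
    }
}

$state = Get-CredSspState
$state | Format-List
if ($state.WildcardTargets.Count -gt 0) {
    Write-Warning "Wildcard CredSSP delegation configured: $($state.WildcardTargets.Target -join ', ')"
}
```

On a client that has only run Example 1 you should see ClientEnabled = True, ServerEnabled = False and a single AllowFreshCredentials target of WSMAN/server01.domain.local; on a server that has run Example 2 the flags are reversed and the target list is empty. Anything in WildcardTargets is a finding, not a convenience.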


Example 3: Making a Double-Hop Remote Call (Advanced)

Once CredSSP is enabled on both client and server, open the remote session with -Authentication Credssp. An explicit -Credential is mandatory in this mode, because that credential is what gets delegated to the server; the cmdlet will not silently forward your logged-on identity:

$cred = Get-Credential
Invoke-Command -ComputerName server01.domain.local -Credential $cred -Authentication Credssp -ScriptBlock {
    Get-ChildItem \\file-server\shared
}

This is the classic double-hop scenario: the script block runs on server01, and because server01 now holds your delegated credentials it can authenticate to file-server on your behalf. Run the same command without -Authentication Credssp and the Get-ChildItem on the share fails with access denied.
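Because the delegation list is a standing permission on the client, the safest way to use it interactively is to enable it for the one server you need, do the work, and remove it again even if the work fails. The script below is an added example (not from the original post) that does exactly that and also shows the failure the cmdlet exists to fix: the same share is tested first over a default Kerberos session, where the second hop has no credentials, and then over a CredSSP session. The host names and share path are placeholders.

```powershell
# Added example (not from the original post): demonstrate the double-hop failure,
# then fix it with CredSSP that is enabled only for the duration of the task.
# server01.domain.local and \\file-server\shared are placeholder names.
$server = 'server01.domain.local'
$share  = '\\file-server\shared'
$cred   = Get-Credential -Message "Account to delegate to $server"

# 1. Default (Kerberos) remoting: server01 gets a network logon only, so when it tries
#    to reach the share it has nothing to authenticate with. Expect False here.
$noDelegation = Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock {
    param($Path)
    Test-Path -Path $Path
} -ArgumentList $share
"Second hop reachable without delegation: $noDelegation"

# 2. Enable delegation to this one host only, run the real work, and always clean up.
Enable-WSManCredSSP -Role Client -DelegateComputer $server -Force | Out-Null
try {
    $withDelegation = Invoke-Command -ComputerName $server -Credential $cred `
        -Authentication Credssp -ScriptBlock {
            param($Path)
            $reachable = Test-Path -Path $Path
            [pscustomobject]@{
                Host      = $env:COMPUTERNAME
                RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                Reachable = $reachable
                ItemCount = if ($reachable) { (Get-ChildItem -Path $Path).Count } else { 0 }
            }
        } -ArgumentList $share
    $withDelegation | Format-List
}
finally {
    # Disable-WSManCredSSP -Role Client clears the entire fresh-credential delegation
    # list on this client, not just $server, so re-add any other entries you rely on.
    Disable-WSManCredSSP -Role Client
}
```

The try/finally matters more than it looks: if the remote call throws, the client would otherwise be left permanently willing to ship your password to server01. The finally block keeps that window as short as the job itself.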


Example 4: Scripted Setup Across Many Machines (Pro level)

For enterprise scenarios you can roll out the server-side setting to many hosts over ordinary remoting and then register all of them as delegation targets on the client in one call. The script below does it with PowerShell alone; the Group Policy equivalents, if you would rather manage this centrally, are "Allow CredSSP authentication" under WinRM Service for the servers and "Allow delegating fresh credentials" under Credentials Delegation for the clients, with one WSMAN/hostname entry per target. For example:

# Hosts that must accept CredSSP and that this client may delegate to
$computers = @("server01.domain.local", "server02.domain.local")

# Server side: turn on CredSSP acceptance over a normal (Kerberos) remoting session
Invoke-Command -ComputerName $computers -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
}

# Client side: -DelegateComputer takes an array, so one call registers every target
Enable-WSManCredSSP -Role Client -DelegateComputer $computers -Force

This leaves every target accepting CredSSP and explicitly listed on your client, with no wildcard. Keep the list as short as the job requires: each name on it is a host you are trusting with your password.


Conclusion

Enable-WSManCredSSP can be a powerful tool in your remoting toolkit, especially in multi-hop authentication scenarios. Always weigh the security implications: delegate only to named, trusted hosts, turn it off when the task is finished, and check the delegation list on your clients from time to time.

Happy scripting, and I will see you in the next post! 🎉
