Configuring CredSSP for use with PowerShell in SysKit

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user’s credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added so that a user connected to a remote server can also access a second-hop machine, such as a SQL Server instance or a Domain Controller.

In some cases, a PowerShell script within SysKit may need to access resources outside the remote server machine. This requires the credentials to be delegated to the target machine.

For example, data retrieved from a SharePoint server may require access to a dedicated SQL Server instance, and data retrieved from Active Directory may require access to an underlying Domain Controller.

Use the following cmdlet to enable CredSSP on the client by specifying Client in the Role parameter. It must be executed on the remote computer(s) where SysKit is executing the script.

Enable-WSManCredSSP -Role Client -DelegateComputer *

These settings allow the client to delegate explicit credentials to a server when server authentication is achieved.

Please note! To reduce the security risk, enter the FQDN of the application server where SysKit is installed instead of the asterisk, so that credentials can only be delegated to that one server.

Use the following cmdlet to enable CredSSP on the server by specifying Server in the Role parameter. It must be executed on the application server where SysKit is installed.

Enable-WSManCredSSP -Role Server

This policy setting allows the server to act as a delegate for clients.
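As an added example, not taken from the SysKit documentation, the following PowerShell applies the two steps above with the client-side delegation target narrowed to a single FQDN, as the note recommends, and then shows how to verify what was configured. The server name is a placeholder; replace it with your own SysKit application server.

```powershell
# Added example (not from the SysKit documentation). Run in an elevated
# PowerShell session on the machine the text names for each role.
# 'syskit-app.corp.example.com' is a placeholder FQDN for the SysKit server.
$SysKitServerFqdn = 'syskit-app.corp.example.com'

# Weak setting from the text: delegate fresh credentials to ANY server.
#   Enable-WSManCredSSP -Role Client -DelegateComputer * -Force

# Tightened setting: delegate only to the SysKit application server.
# -Force suppresses the confirmation prompt so the step can be scripted.
Enable-WSManCredSSP -Role Client -DelegateComputer $SysKitServerFqdn -Force

# Verify the resulting state. Get-WSManCredSSP reports whether the Client
# and Server roles are enabled and which delegation targets are allowed.
Get-WSManCredSSP

# The allowed targets are stored as 'wsman/<host>' entries under the
# 'Allow delegating fresh credentials' policy key; list them explicitly so
# the audit trail shows exactly which hosts may receive credentials.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Format-List
}

# On the machine that holds the Server role (per the text, where SysKit
# is installed):
#   Enable-WSManCredSSP -Role Server -Force

# Optional end-to-end check of the hop from the client-role machine:
#   $cred = Get-Credential
#   Invoke-Command -ComputerName $SysKitServerFqdn -Authentication Credssp `
#                  -Credential $cred -ScriptBlock { whoami }

# Once CredSSP is no longer needed, remove it on each side:
#   Disable-WSManCredSSP -Role Client
#   Disable-WSManCredSSP -Role Server
```

Re-running Get-WSManCredSSP after the change is the quickest way to confirm that the wildcard target is gone and only the named FQDN remains.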