Add support for Double hop authentication in WinRM #78

Open
neeravsv30 opened this issue Jun 12, 2013 · 5 comments

Comments

@neeravsv30

Hi,

I am testing a SQL Server DB deploy in my dev environment.
Locally on my windows SQL server I can run a command "DatabaseDeployment.exe dev21 /coe" and it works correctly (as my credentials).
However, when I run it via overthere, I get the following error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

The db deploy tool connects to the DB using windows integrated authentication.

So it seems like overthere is not passing on my credentials to the SQL deployment tool.

Per this article (http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx) winrs allows me to remotely execute a cmd.exe command on a windows server.

So I have server A and server B. CredSSP is disabled on both servers in the winrm config. I run an exe on server B that accesses a remote resource (DB, share, etc.) and it works just fine.

I then run the following command on server A : winrs -remote:server B "something.exe". This fails as the something.exe does not have my credentials that I am using on server A.

I then run the following command on server A to pass in my credentials: winrs -remote:server B -allowdelegate -user:username -password:pass "something.exe". This fails because CredSSP is disabled.

I then edit the winrm config on both servers and enable CredSSP. Now the second command works.

CredSSP allows "Multi-Hop" support. It allows winrm to delegate the credentials to multiple computers. So when my exe accesses a remote resource, my credentials are being passed to that remote resource.

All this works well with winrs; however, in our case server1 is a Linux box and we are using WinRM with wsman.

Can the support be added soon?

Thanks,
Neerav Vadodaria
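The winrs/CredSSP procedure described in the post above, written out as an added example (this is not code from the issue or from the Overthere project). The host names serverA (where winrs is typed), serverB (the remote target), the third-hop share \\fileserver\share, the DOMAIN\user account and something.exe are all assumptions for illustration; the cmdlets and winrm commands themselves are standard Windows tooling.

```powershell
# Added example: enabling CredSSP on both ends and reproducing the
# "NT AUTHORITY\ANONYMOUS LOGON" second-hop failure and its fix.
# serverA, serverB, \\fileserver\share and DOMAIN\user are assumed names.

# --- On serverB (the host that will receive the delegated credentials) ---
# Same effect as: winrm set winrm/config/service/auth @{CredSSP="true"}
Enable-WSManCredSSP -Role Server -Force

# --- On serverA (the host running winrs / Invoke-Command) ---
# Same effect as: winrm set winrm/config/client/auth @{CredSSP="true"}
# plus the AllowFreshCredentials policy entry for WSMAN/serverB.
# Name the target explicitly; do not use '*' as DelegateComputer.
Enable-WSManCredSSP -Role Client -DelegateComputer 'serverB' -Force

# Check: both sides should now report CredSSP = true.
Get-WSManCredSSP
winrm get winrm/config/service/auth
winrm get winrm/config/client/auth

$cred = Get-Credential 'DOMAIN\user'

# First hop only (default Negotiate/Kerberos): the process on serverB has
# no network credentials for the user, so any second hop (SQL Server
# integrated auth, a UNC share) is seen by that resource as
# NT AUTHORITY\ANONYMOUS LOGON and is refused.
Invoke-Command -ComputerName serverB -Credential $cred -ScriptBlock {
    Test-Path '\\fileserver\share'   # second hop, made without credentials
}

# With CredSSP the user's credentials are delegated to serverB, which
# can then authenticate to the third host as DOMAIN\user.
Invoke-Command -ComputerName serverB -Credential $cred `
    -Authentication Credssp -ScriptBlock {
    Test-Path '\\fileserver\share'   # second hop, made as DOMAIN\user
}

# winrs form of the working command from the post:
winrs -remote:serverB -allowdelegate -user:DOMAIN\user -password:<password> "something.exe"
```

The caveat a practitioner should weigh before enabling this: CredSSP delegates the user's actual credentials to serverB in a form serverB can reuse, so a compromised target can replay them against any other system the user can reach. Keep DelegateComputer limited to the specific hosts that need the second hop, and where the environment allows it prefer Kerberos constrained delegation, which grants only the specific service hops rather than the whole credential.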

@vpartington
Contributor

Hi Neerav,

FYI: I plan to implement #12 very soon now. The downside is that it will only work for Windows clients though...

Regards, Vincent.

@neeravsv30
Author

Hi Vincent,

I would have loved it as Java implementation using wsman as we have Linux Clients. Do you have any reference material pointing out the wsman wsdl file where I can try to set the values of CredSSP to true?

Thanks,
Neerav

@vpartington
Contributor

Hi Neerav,

The Microsoft specification you need is [MS-CSSP] - Credential Security Support Provider (CredSSP) Protocol and you should be able to find it somewhere on the Microsoft Open Specifications site.

I've read it, together with @gschueler who was seeing if he could implement it, but it was pretty complex. The problem is that the credentials should be passed in the SSL layer of the HTTPS connection which is a lot harder than in the original SOAP message. I had also expected the latter to be the case and that wouldn't be so hard. It seems this, and Kerberos encryption, are pretty tricky to implement. :-(

Regards, Vincent.

@alphacc
alphacc commented Sep 26, 2014

Hi Folks,
Do you plan to implement this feature ?

T.

@vpartington
Contributor

We're not actively working on this feature right now. The WINRM_NATIVE connection type does support this, but of course that only works if your Overthere client is running on a Windows box.

Regards, Vincent.
