
Can't config certificate-based authentication in WinRM / WSMan


I'm trying to configure certificate-based authentication in WinRM. I need this for a source-initiated WEF subscription from a non-domain machine. I'm using the manual published by MS: https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription My environment - I have 2 servers:

  • wef01.mydomain.local (this is machine which will send events; it is not joined to AD)
  • wec01.mydomain.local (this is my Events Collector; it is joined to AD)

Both machines run Windows Server 2019 Std. I also have my own PKI:

  • RootCA.mydomain.local
  • IssuingCA.mydomain.local

I have configured WinRM on wef01 and wec01. I have created a local user account on the wec01 machine named wef01. For debugging purposes I added this user to the local Administrators group. I've checked that I can log in (interactively and through RDP) to wec01 using this account. On server wec01 I've mapped the certificate issued for machine wef01 to the local account wef01:
$UserName = 'wef01'
$UserPassword = (ConvertTo-SecureString -String '*********' -AsPlainText -Force)
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $UserPassword
$params = @{
    Path = 'WSMan:\localhost\ClientCertificate'
    Subject = "wef01.mydomain.local"
    URI = '*'
    Issuer = "716A23DA41C9CF0DB9F5D35E2CF187A5A53F844F" #My PKI RootCA Cert thumbprint
    Credential = $credential
    Force = $true
}
New-Item @params

After all configuration steps I checked whether I can open a WinRM session using username/password authentication:

$UserName = 'wef01'
$UserPassword = (ConvertTo-SecureString -String '*********' -AsPlainText -Force)
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $UserPassword
Enter-PSSession wec01.mydomain.local -UseSSL -Credential $credential
[wec01.mydomain.local]: PS C:\Users\wef01\Documents>

Yes, I can, but attempt with certificate-based authentication failed:

Enter-PSSession wec01.mydomain.local -UseSSL -CertificateThumbprint $Thumbprint 
Enter-PSSession : Connecting to remote server wec01.mydomain.local failed with the following error message : WS-Management cannot process the request. The operation failed because of an HTTP error. The HTTP error (12186) is: The client certificate credentials were not recognized. . For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession wec01.mydomain.local -UseSSL -CertificateThumbprint ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (wec01.mydomain.local:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

The $Thumbprint variable contains the thumbprint of the certificate issued to the wef01 machine for the purpose of authentication. This certificate is installed in the LocalMachine\my store, has EnhancedKeyUsage set to Client Authentication and subjectAltName set to DNS Name=wec01.mydomain.local. I checked many other websites about configuring certificate-based authentication in WinRM but I didn't find a solution. Does anybody have an idea what I did wrong? Best regards Lukid

I don't see anything about the steps performed for validating the root/intermediate CA on the client, and also the validation of the certificate revocation list from the client. What has been done for that? "Verify that both the server and client are able to successfully check revocation status on all certificates."
@GregAskew You are right - the source of the problem was CRL validation. After I changed the CDPs and AIAs to http-based only (they were LDAP-based) and made sure (Test-Certificate) that certificate validation works correctly, my problem disappeared.
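Checking what the answer above describes, as an added example that is not part of the thread: it lists the CDP and AIA URLs carried in the wef01 client certificate, warns when an extension has no http:// URL (an LDAP-only URL is unreachable from a machine that is not domain-joined), and then builds the chain with online revocation checking for the whole chain, which is the check the WinRM listener performs before it accepts the certificate. It assumes the certificate is in LocalMachine\My and uses a placeholder for $Thumbprint.

```powershell
# Added example, not code from the thread. Run on the machine that holds the
# client-auth certificate (wef01). Replace the placeholder with the real thumbprint.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# 1. Where will the chain builder go for CRLs (CDP, 2.5.29.31) and for issuer
#    certificates (AIA, 1.3.6.1.5.5.7.1.1)? A non-domain-joined client cannot
#    resolve ldap:// URLs, so each extension needs at least one http:// URL.
foreach ($oid in @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { Write-Warning "Extension $oid is missing from the certificate"; continue }
    $urls = [regex]::Matches($ext.Format($true), '(ldap|http)://[^\s]+') | ForEach-Object { $_.Value }
    '{0}: {1}' -f $ext.Oid.FriendlyName, ($urls -join ', ')
    if (-not ($urls | Where-Object { $_ -like 'http://*' })) {
        Write-Warning "$($ext.Oid.FriendlyName) has no http:// URL; revocation or issuer lookup will fail off-domain"
    }
}

# 2. Build the chain exactly as a strict verifier would: online revocation
#    checking for every certificate in the chain, and the Client Authentication
#    EKU required for WinRM certificate mapping.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$clientAuthEku = New-Object System.Security.Cryptography.Oid('1.3.6.1.5.5.7.3.2')
[void]$chain.ChainPolicy.ApplicationPolicy.Add($clientAuthEku)
$ok = $chain.Build($cert)
"Chain builds with online revocation checking: $ok"
# Any RevocationStatusUnknown / OfflineRevocation entry here reproduces the
# HTTP 12186 "client certificate credentials were not recognized" failure.
$chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }

# 3. The same verdict through the cmdlet the answer mentions (machine context).
Test-Certificate -Cert $cert -EKU '1.3.6.1.5.5.7.3.2'
```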