# This sets up WinRM remote PowerShell with delegated authentication for an existing trusted SSL certificate
########################################################################
################ Do this on the server
########################################################################
# Enable WinRM on a VM, with on-demand listener creation from an existing certificate
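Function RemotePowerShell {
    <#
    .SYNOPSIS
    Enables WinRM over HTTPS on this server using an existing certificate for the domain.
    .DESCRIPTION
    Restores the default WinRM configuration, enables Server Manager remoting and
    PowerShell remoting, creates an HTTPS listener bound to a certificate whose subject
    matches $Domain, sets the client TrustedHosts list and enables CredSSP in the
    server role, then restarts the WinRM service. Nothing is returned; the function
    only changes machine state.
    .PARAMETER Domain
    DNS suffix whose certificate is used for the HTTPS listener. Defaults to
    'domain.com' (the value the script previously hard-coded); pass your own domain.
    .NOTES
    Throws if no matching certificate is found or if the thumbprint is not plain hex,
    so that a broken listener command is never executed.
    #>
    param(
        [string]$Domain = 'domain.com'
    )

    # Reset WinRM to its default configuration before layering settings on top.
    Start-Process 'cmd.exe' -ArgumentList '/c winrm invoke restore winrm/config @{}' -Wait

    # Enable Server Manager remoting.
    Configure-SMRemoting.exe -enable

    # Enable PowerShell remoting (this also creates the default HTTP listener).
    Enable-PSRemoting -SkipNetworkProfileCheck -Force

    <# Only if you really want to tighten up security; this can break certain DSC functions
       which call various things locally over the HTTP listener.
    Get-ChildItem WSMan:\Localhost\listener | Where -Property Keys -eq "Transport=HTTP" | Remove-Item -Recurse
    Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
    #>

    $hostName = "*.$Domain"

    # Select the listener certificate. -match takes a regex, so the domain is escaped
    # ('.' would otherwise match any character). If several certificates match, take
    # the one expiring last so that a leftover from a previous renewal is not used;
    # the original took every match, which produced a malformed command line.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match [regex]::Escape($Domain) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with a subject matching '$Domain' was found in Cert:\LocalMachine\My"
    }
    $thumbprint = $cert.Thumbprint
    # The thumbprint is interpolated into a command line handed to CMD.EXE, so insist
    # that it is a plain hex string before it goes anywhere near the shell.
    if ($thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Unexpected certificate thumbprint format: '$thumbprint'"
    }

    $commandLine = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$hostName`";CertificateThumbprint=`"$thumbprint`"}"
    CMD.EXE /C $commandLine

    # NOTE: '*' makes this machine trust every remote host for outbound WinRM
    # connections (no Kerberos mutual authentication). Scope this to the names you
    # actually manage where possible.
    Set-Item wsman:\localhost\client\trustedhosts * -Force

    # Enable delegation of credentials: in the server role this host receives the
    # credentials that CredSSP clients delegate to it.
    Enable-WSManCredSSP -Role Server -Force
    Restart-Service winrm
}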
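Function FirewallRules {
    <#
    .SYNOPSIS
    Creates the inbound Windows Firewall rules for WinRM.
    .DESCRIPTION
    Adds one rule for the HTTPS listener (TCP 5986) on every profile and a second
    rule that admits both TCP 5985 (HTTP) and 5986 (HTTPS). The second rule also
    exposes the HTTP listener, whose confidentiality depends on the authentication
    protocol rather than TLS; drop 5985 from it if only HTTPS is wanted.
    Nothing is returned.
    #>
    # The original second rule used a typographic dash (–LocalPort), which PowerShell
    # parses as a positional argument rather than the -LocalPort parameter; it must
    # be an ASCII hyphen.
    New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' `
        -Name 'Windows Remote Management (HTTPS-In)' `
        -Profile Any -LocalPort 5986 -Protocol TCP
    New-NetFirewallRule -DisplayName 'RemotePowerShell' -Direction Inbound `
        -LocalPort 5985-5986 -Protocol TCP -Action Allow
}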
# Run the server-side steps in order: listener and CredSSP first, then firewall rules.
foreach ($step in @('RemotePowerShell', 'FirewallRules')) {
    & $step
}
########################################################################
################ Do this on the client to set up delegated authentication
########################################################################
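# Enable remoting on the client and allow it to delegate credentials via CredSSP.
Enable-PSRemoting -Force
# NOTE: '-DelegateComputer *' lets this client hand its credentials to any server it
# connects to with CredSSP; a spoofed or compromised server then receives them in a
# form it can reuse. Scope this to the server names you actually manage where possible.
Enable-WSManCredSSP -Role Client -DelegateComputer * -Force

# SPN patterns that may receive fresh/saved credentials through the NTLM-only policies.
$allowed = @('WSMAN/*.domain.com')
$TopKey = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

Function Add-DelegationTargets {
    <#
    .SYNOPSIS
    Appends SPN patterns to a CredentialsDelegation policy list without clobbering entries.
    .DESCRIPTION
    Each policy list is a registry subkey whose values are named 1, 2, 3, ... and hold
    one SPN pattern each. Existing numbered entries are kept: a target that is already
    present (compared case-insensitively) is skipped, otherwise it is added after the
    highest existing index. This replaces the earlier behaviour of always writing
    entry 1 with -Force, which overwrote whatever was there.
    .PARAMETER Path
    Registry path of the list subkey; created if it does not exist.
    .PARAMETER Targets
    SPN patterns to add, e.g. 'WSMAN/*.domain.com'.
    #>
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Targets
    )
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path
    }
    $item = Get-Item -Path $Path
    # Only the numbered values belong to the list; ignore anything else in the key.
    $numbered = @($item.GetValueNames() | Where-Object { $_ -match '^\d+$' })
    $present = @($numbered | ForEach-Object { [string]$item.GetValue($_) })
    $next = 1
    if ($numbered.Count -gt 0) {
        $next = ($numbered | ForEach-Object { [int]$_ } | Measure-Object -Maximum).Maximum + 1
    }
    foreach ($target in $Targets) {
        if ($present -contains $target) { continue }
        New-ItemProperty -Path $Path -Name $next -Value $target -PropertyType String -Force
        $present += $target
        $next++
    }
}

if (-not (Test-Path $TopKey)) {
    New-Item -Path $TopKey
}
# Turn each policy on and tell CredSSP to merge the lists below with the defaults.
$policies = @(
    'AllowFreshCredentials',
    'AllowFreshCredentialsWhenNTLMOnly',
    'AllowSavedCredentialsWhenNTLMOnly',
    'ConcatenateDefaults_AllowFresh',
    'ConcatenateDefaults_AllowFreshNTLMOnly',
    'ConcatenateDefaults_AllowSavedNTLMOnly'
)
foreach ($policy in $policies) {
    New-ItemProperty -Path $TopKey -Name $policy -Value 1 -PropertyType Dword -Force
}
# NOTE: the *WhenNTLMOnly policies permit delegation even when the server could not be
# mutually authenticated (NTLM rather than Kerberos), so the SPN list is the only thing
# limiting which host ends up holding the credentials.
Add-DelegationTargets -Path (Join-Path $TopKey 'AllowFreshCredentialsWhenNTLMOnly') -Targets $allowed
Add-DelegationTargets -Path (Join-Path $TopKey 'AllowSavedCredentialsWhenNTLMOnly') -Targets $allowed
# Kept as before: AllowFreshCredentials is opened to every WSMAN host, which is wider
# than $allowed; pass $allowed here instead to keep the three lists consistent.
Add-DelegationTargets -Path (Join-Path $TopKey 'AllowFreshCredentials') -Targets @('wsman/*')
Restart-Service WinRM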