# This sets up WinRM remote PowerShell with delegated authentication for an existing trusted SSL cert
######################################################################## | |
################ Do this on the Server | |
######################################################################## | |
#Enable WinRM on a VM - with on-demand certificate creation | |
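Function RemotePowerShell {
    <#
    .SYNOPSIS
        Enables WinRM remoting on this server, adds an HTTPS listener and turns on the CredSSP server role.
    .DESCRIPTION
        Restores the default WinRM configuration, enables Server Manager remoting and PowerShell
        remoting, creates an HTTPS listener bound to an existing machine certificate whose subject
        matches $Domain, writes the client TrustedHosts list, enables CredSSP (server role) and
        restarts the WinRM service.
    .PARAMETER Domain
        DNS domain used to find the listener certificate in Cert:\LocalMachine\My and to build the
        wildcard listener hostname ("*.<Domain>"). Defaults to 'domain.com' as in the original script.
    .PARAMETER TrustedHosts
        Value written to WSMan:\localhost\Client\TrustedHosts. Defaults to '*' (original behaviour);
        '*' lets this machine send credentials to any WinRM endpoint without Kerberos mutual
        authentication, so a narrower host pattern is preferable wherever possible.
    .OUTPUTS
        None. Throws if no usable certificate is found, so a listener is never created with an empty thumbprint.
    #>
    param(
        [string]$Domain = 'domain.com',
        [string]$TrustedHosts = '*'
    )

    # Reset WinRM to its default configuration before layering this script's settings on top.
    Start-Process -FilePath 'cmd.exe' -ArgumentList '/c winrm invoke restore winrm/config @{}' -Wait

    # Enable Server Manager remoting.
    Configure-SMRemoting.exe -enable

    # Enable WinRM / PowerShell remoting (creates the HTTP listener) regardless of the network profile.
    Enable-PSRemoting -SkipNetworkProfileCheck -Force

    <# Only if you really want to tighten up security, however this can break certain DSC functions
       which call various things locally over the HTTP listener:
    Get-ChildItem WSMan:\Localhost\listener | Where-Object -Property Keys -eq "Transport=HTTP" | Remove-Item -Recurse
    Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
    #>

    $hostname = '*.{0}' -f $Domain

    # Escape the domain so '.' matches literally, require a private key (a listener cannot use a cert
    # without one) and take exactly one certificate. The original unanchored -match could return several
    # thumbprints, which yields an invalid 'winrm create' command line.
    $pattern = [regex]::Escape($Domain)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $pattern -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with a private key and a subject matching '$Domain' was found in Cert:\LocalMachine\My"
    }
    $certificateThumbprint = $cert.Thumbprint

    # Create the HTTPS listener (port 5986) bound to the selected certificate.
    $commandLine = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$($hostname)`";CertificateThumbprint=`"$($certificateThumbprint)`"}"
    CMD.EXE /C $commandLine

    # Client-side trust list on this box; see the parameter help for why '*' is a weak default.
    Set-Item wsman:\localhost\client\trustedhosts $TrustedHosts -Force

    # Enable delegation of credentials (CredSSP server role). Clients that delegate via CredSSP hand
    # this server their reusable credentials, so only enable it where delegation is actually required.
    Enable-WSManCredSSP -Role Server -Force

    Restart-Service winrm
}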
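Function FirewallRules {
    <#
    .SYNOPSIS
        Opens the inbound WinRM ports in Windows Firewall.
    .DESCRIPTION
        Creates one rule for the HTTPS listener (TCP 5986, any profile) and one covering TCP 5985-5986.
        Port 5985 is the plaintext HTTP listener; if that listener was removed on the server, the second
        rule can be narrowed to 5986 only.
    .PARAMETER RemoteAddress
        Source addresses allowed by both rules. Defaults to 'Any' (original behaviour); restricting this
        to management subnets limits who can reach WinRM at all.
    #>
    param(
        [string[]]$RemoteAddress = @('Any')
    )
    ################ Firewall Rules
    New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" `
        -Profile Any -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow -RemoteAddress $RemoteAddress
    # The original line used a Unicode en dash ("–LocalPort"), which Windows PowerShell does not accept
    # as a parameter prefix; it is an ASCII hyphen here.
    New-NetFirewallRule -DisplayName "RemotePowerShell" -Direction Inbound -LocalPort 5985-5986 -Protocol TCP `
        -Action Allow -RemoteAddress $RemoteAddress
}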
# Server-side entry point: configure listeners and CredSSP first, then open the matching firewall ports.
foreach ($step in 'RemotePowerShell', 'FirewallRules') {
    & $step
}
######################################################################## | |
################ Do this on the client to set up delegated authentication
######################################################################## | |
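# Client side: allow fresh credentials to be delegated over WSMan via CredSSP.
$domain = 'domain.com'
# SPN patterns that may receive delegated credentials. Every host matching a pattern here can obtain the
# user's reusable credentials, so keep the list as narrow as the environment allows.
$allowed = @("WSMAN/*.$domain")
$TopKey = 'hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

Function Add-DelegationTargets {
    <#
    .SYNOPSIS
        Ensures each SPN pattern is listed under a CredentialsDelegation list sub-key.
    .DESCRIPTION
        The list sub-keys store their entries as numbered string values (1, 2, 3 ...). The original script
        always wrote from 1 and overwrote whatever was there; this helper reads the existing entries, skips
        patterns already present and appends new ones after the highest existing index, so repeated runs
        are idempotent and do not clobber entries added by other tooling.
    .PARAMETER Path
        Registry path of the list sub-key (for example ...\CredentialsDelegation\AllowFreshCredentials).
    .PARAMETER Targets
        SPN patterns to add.
    #>
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Targets
    )
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $existing = Get-ItemProperty -Path $Path
    # Only the numeric value names are list entries; PSPath & co. are provider metadata.
    $numbered = @($existing.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' })
    $present = @($numbered | ForEach-Object { $_.Value })
    $next = 1
    if ($numbered.Count -gt 0) {
        $next = ([int[]]($numbered | ForEach-Object { $_.Name }) | Measure-Object -Maximum).Maximum + 1
    }
    foreach ($target in $Targets) {
        if ($present -contains $target) { continue }
        New-ItemProperty -Path $Path -Name $next -Value $target -PropertyType String -Force | Out-Null
        $next++
    }
}

Enable-PSRemoting -Force
# CredSSP client role. '-DelegateComputer *' permits delegation to any WSMan target at the WSMan layer;
# the registry lists below are what actually constrain which SPNs receive credentials.
Enable-WSManCredSSP -Role Client -DelegateComputer * -Force

if (-not (Test-Path $TopKey)) {
    New-Item -Path $TopKey -Force | Out-Null
}
# Policy switches: allow fresh/saved credential delegation (including NTLM-only targets) and merge
# these lists with the defaults instead of replacing them.
$policySwitches = @(
    'AllowFreshCredentials',
    'AllowFreshCredentialsWhenNTLMOnly',
    'AllowSavedCredentialsWhenNTLMOnly',
    'ConcatenateDefaults_AllowFresh',
    'ConcatenateDefaults_AllowFreshNTLMOnly',
    'ConcatenateDefaults_AllowSavedNTLMOnly'
)
foreach ($switch in $policySwitches) {
    New-ItemProperty -Path $TopKey -Name $switch -Value 1 -PropertyType Dword -Force | Out-Null
}

Add-DelegationTargets -Path (Join-Path $TopKey 'AllowFreshCredentialsWhenNTLMOnly') -Targets $allowed
Add-DelegationTargets -Path (Join-Path $TopKey 'AllowSavedCredentialsWhenNTLMOnly') -Targets $allowed

# The original script allowed 'wsman/*' here, i.e. fresh-credential delegation to every WSMan endpoint.
# Kept for compatibility; passing $allowed instead limits delegation to the domain's hosts.
$allowedFresh = @('wsman/*')
Add-DelegationTargets -Path (Join-Path $TopKey 'AllowFreshCredentials') -Targets $allowedFresh

Restart-Service WinRM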