We are attempting to use CredSSP authentication for multi-hop PowerShell remoting, and one of our clients is running into a snag that prevents them from creating PSSessions using CredSSP when specifying the FQDN of the target server. Both server and client are joined to the same domain, and there's nothing fancy going on with disjoint namespaces.
In the course of debugging, we've opened up all of the related security options we can think of; in specific:
- We've enabled the GP settings to Allow Delegating Fresh Credentials (standard and 'With NTLM only') with the wildcard SPN wsman/*
- We've enabled the WSMan Trusted Hosts setting with *.domain.com
- We've (of course) enabled WSMan for CredSSP on the server and the client
- We've set the LocalAccountTokenFilterPolicy on the server
With all those settings opened up, here's what we get when trying different authentication methods for PSSessions:
- Using Kerberos for delegation with explicit domain credentials works fine.
- Using Negotiate for delegation with explicit domain credentials works fine.
- Using CredSSP for delegation:
- Using domain credentials, connecting to the FQDN of the server, fails with the error There are currently no logon servers available to service the logon request
- Using domain credentials, connecting to just the hostname of the server, fails with the same error
- Using credentials for a local account on the server (thus forcing NTLM for server identity verification, I believe), connecting to the FQDN of the server, works fine
- Using domain credentials, connecting to the IP address of the server (thus forcing NTLM for server identity verification), works fine
So, in short, CredSSP works as long as we're using NTLM for server authentication and fails when we use Kerberos, but Kerberos definitely works fine if we're using Kerberos for delegation as well. How is that possible, and what can we do to make it so that CredSSP+Kerberos works?
