When using PowerShell remoting (Using the Invoke-Command cmdlet for example), an authentication scheme is required.
The options are Kerberos, CredSSP, NTLM and Negotiate.
What is the difference between them? What should I use?
Asked
Active
Viewed 2,214 times
0
iTayb
- 12,373
- 24
- 81
- 135
1 Answers
5
Kerberos
Pros:
- Very secure.
- No need to pass implicit credentials.
Cons:
- Requires a SPN record in the executing user’s domain (registered automatically on the computer’s domain only. If it’s two different domain – the SPN needs to be registered manually).
- Does not support second-hop remoting.
CredSSP
Somewhat secure – the credentials are being passed to the remote server and may be captured there.
Pros:
- Supports second-hop remoting.
Cons:
- Must pass implicit credentials.
- Needs special configuration on both the server & client side.
NTLM
Pros:
- No need to pass implicit credentials.
Cons:
- Not very secure.
- Does not support second-hop remoting.
Negotiate
Tries Kerberos. If fails, fallbacks to NTLM. Sometimes secure, sometimes isn’t.
Pros:
- No need to pass implicit credentials.
Cons:
- Does not support second-hop remoting.
iTayb
- 12,373
- 24
- 81
- 135
-
I think when you write "Implicit" you mean "explicit" – Kirill Chilingarashvili Aug 10 '21 at 18:05
-
Has anyone successfully implemented PowerShell remoting using authentication methods other than password-based, particularly Kerberos? – Chandru Mar 25 '23 at 13:55