
Test-WSManCredSSP: Check if a remote computer has WSMan CredSSP enabled

Update: This script won’t work against Windows 2003 or Windows XP systems. Those operating systems have no CredSSP support, so the WSMan:\<ComputerName>\Client\Auth\CredSSP and WSMan:\<ComputerName>\Service\Auth\CredSSP paths don’t resolve on them. If you don’t want to see an error, use -ErrorAction SilentlyContinue with the Get-Item cmdlet when reading these values. Thanks to @dfinke for reporting this.

I’ve published a free book on PowerShell 2.0 remoting.

When using PowerShell remoting, WSMan CredSSP is a requirement if there are multiple hops involved in the remoting scenario. CredSSP works by delegating your credentials to the remote computer so that it can authenticate to the next hop on your behalf; that also means the remote computer ends up holding credentials it can reuse, so the client role should be enabled only towards servers you trust. When using remoting in an automation scenario, it becomes very important to know whether the remote computer has CredSSP enabled or not. PowerShell v2 provides a cmdlet, Get-WSManCredSSP, that tells you whether the CredSSP client or server roles are enabled on the local computer. Note that I said “local computer”: this cmdlet, unfortunately, does not have a -ComputerName parameter.

You may ask, why not use Invoke-Command and run this cmdlet on the remote machine? Yes, we can do that, but only if we can already open a remote session to that computer, and in a multi-hop scenario that session itself needs CredSSP. Catch 22, isn’t it? Check the screen capture below.

Screenshot: Get-WSManCredSSP output

Also, the output of Get-WSManCredSSP isn’t very friendly: it is plain text that has to be parsed to find out whether CredSSP is enabled at all and then which roles are on. That prompted me to write what you see below, Test-WSManCredSSP.

To use this script, you need to have WinRM & Remote registry services running on the remote computer.

What I do in this script is pretty simple:

  1. Check the value of WSMAN:\<ComputerName>\Service\Auth\CredSSP. If this is “true”, the Server role is enabled.
  2. Check the value of WSMAN:\<ComputerName>\Client\Auth\CredSSP.
  3. Check the AllowFreshCredentials registry value.

If 2 is “true” and 3 is “1”, you can be sure that the CredSSP client role is enabled.

In fact, I got the clue for steps 1 and 2 from the Get-WSManCredSSP help text, and @alexandair helped me figure out the registry path in step 3. Step 3 requires the Remote Registry service to be running. If that service is not running on the remote computer, you will see the value set to “error”.

Also, you will see the value of “AllowFreshCredentials” set to NA:

  1. if WSMAN:\<ComputerName>\Client\Auth\CredSSP is “false”
  2. if WSMAN:\<ComputerName>\Client\Auth\CredSSP is “true” but the registry key (HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation) is not found.

Otherwise, you will see either 0 or 1 as the value of AllowFreshCredentials.
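Here is one way to put the three checks and the NA/error rules above into a function. This is an added example, not the script from the original post; it follows the same WSMan: provider paths and registry key the post describes, but the structure, the Connect-WSMan/Disconnect-WSMan handling and the extra DelegationTargets property (the list of SPNs under the AllowFreshCredentials subkey, which tells you which servers will actually receive your delegated credentials) are my additions.

```powershell
function Test-WSManCredSSP {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    process {
        foreach ($computer in $ComputerName) {
            $isLocal = ($computer -eq '.' -or $computer -eq 'localhost' -or
                        $computer -eq $env:COMPUTERNAME)
            $wsmanNode = if ($isLocal) { 'localhost' } else { $computer }

            # Steps 1 and 2: read the CredSSP flags through the WSMan: provider.
            # Remote nodes are attached with Connect-WSMan (WinRM must run on the target).
            # Win2003/XP have no CredSSP node, so failures are reported as "error".
            $serverRole = 'error'
            $clientRole = 'error'
            $connected  = $false
            try {
                if (-not $isLocal -and -not (Test-Path "WSMan:\$computer")) {
                    Connect-WSMan -ComputerName $computer -ErrorAction Stop
                    $connected = $true
                }
                $serverRole = (Get-Item "WSMan:\$wsmanNode\Service\Auth\CredSSP" -ErrorAction Stop).Value
                $clientRole = (Get-Item "WSMan:\$wsmanNode\Client\Auth\CredSSP"  -ErrorAction Stop).Value
            }
            catch {
                Write-Warning "$computer : could not read WSMan CredSSP settings ($($_.Exception.Message))"
            }
            finally {
                if ($connected) { Disconnect-WSMan -ComputerName $computer -ErrorAction SilentlyContinue }
            }

            # Step 3: AllowFreshCredentials policy value, read via the Remote Registry service.
            # NA  = client role off, or the CredentialsDelegation key does not exist
            # error = registry not reachable (Remote Registry service stopped, access denied)
            $allowFresh = 'NA'
            $targets    = @()
            if ($clientRole -eq 'true') {
                try {
                    $hklm = if ($isLocal) {
                        [Microsoft.Win32.Registry]::LocalMachine
                    } else {
                        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                            [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
                    }
                    $policy = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation')
                    if ($policy -ne $null) {
                        $value = $policy.GetValue('AllowFreshCredentials')
                        if ($value -ne $null) { $allowFresh = $value }   # 0 or 1

                        # Added check (not in the original post): the AllowFreshCredentials
                        # subkey holds numbered values such as "wsman/server01" or "wsman/*".
                        # These are the SPNs the client will hand its credentials to.
                        $list = $policy.OpenSubKey('AllowFreshCredentials')
                        if ($list -ne $null) {
                            $targets = @($list.GetValueNames() | ForEach-Object { $list.GetValue($_) })
                            $list.Close()
                        }
                        $policy.Close()
                    }
                    if (-not $isLocal) { $hklm.Close() }
                }
                catch {
                    $allowFresh = 'error'
                }
            }

            New-Object PSObject -Property @{
                ComputerName          = $computer
                ServerRole            = $serverRole
                ClientRole            = $clientRole
                AllowFreshCredentials = $allowFresh
                DelegationTargets     = ($targets -join ', ')
            } | Select-Object ComputerName, ServerRole, ClientRole, AllowFreshCredentials, DelegationTargets
        }
    }
}

# Usage:
#   Test-WSManCredSSP                          # local computer
#   Test-WSManCredSSP -ComputerName Server1, Server2
```

A DelegationTargets value of wsman/* means the client will delegate credentials to any WinRM endpoint it connects to; when reviewing hosts, that is the setting to look at after confirming the client role is on.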

How you use this is also pretty simple:

Just run Test-WSManCredSSP on the local system to see what roles are enabled and Test-WSManCredSSP -ComputerName Server1, Server2 to see what roles are enabled on the remote computers. Here is what you see as output:

Screenshot: Test-WSManCredSSP output

Now, since the roles and other settings are returned as object properties, you can easily write scripts around this to automate. Hope this helps. Do let me know if you got a better method to do this.

Filed under: PowerShell, Remoting, Scripting


Ravikanth is a principal engineer and the lead architect for Microsoft and VMware virtualized and hybrid cloud solutions within the Infrastructure Solutions Group at Dell EMC. He is a multi-year recipient of Microsoft Most Valuable Professional (MVP) award in Windows PowerShell (CDM) and Microsoft Azure. Ravikanth is the author of Windows PowerShell Desired State Configuration Revealed (Apress) and leads Bangalore PowerShell and Bangalore IT Pro user groups. He can be seen speaking regularly at local user group events and conferences in India and abroad.