Powershell CREDSSP and TLS 1.2

与世无争的帅哥 submitted on 2020-01-16 19:54:54

Question


Server A is Server 2008 R2, PowerShell V3, with all SSL and TLS versions enabled and all ciphers. Server B is Server 2016, PowerShell V5, with only TLS 1.2 and a specific set of ciphers.

I cannot get Credssp authentication to work from A to B, even if I use

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

I am aware this is a per-session setting, so I included it in the script itself.

If I set Server B (Server 2016) to turn on all SSL and TLS encryption, CREDSSP works no problem.

And yes, I need to use CREDSSP because the script on Server B references a file share back on Server A.

Here is the script I am using, which, again, works when all versions of TLS are enabled.

$pass = ConvertTo-SecureString "password" -asplaintext -force
$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "domain\user.service",$pass
#
#
# The Remote Execution Command. Fully Qualified Domain name is critical since we are using Credssp.
# Credssp is being used to resolve an issue with a double hop authentication issue. 
Invoke-Command -ComputerName ServerB.domain.edu -command { C:\HelloWorld.ps1 } -Authentication Credssp  -Credential $mycred

The one thing I haven't tried yet, but I am going to, is to put both Server A and B on TLS 1.2 and see if it works that way. This is not a long-term solution, because Server A can't be set to only TLS 1.2 at this time.


Answer 1:


So it looks like the issue was related to the Server 2008 only having the registry entries for the Server subkey of TLS and not the Client subkey of TLS in the SCHANNEL registry settings. See picture.

Once I added the Client Subkey and enabled TLS 1.2 Encryption, it finally started to work.
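
The check and fix described in the answer, as an added example that is not part of the original post. It assumes the standard SCHANNEL protocol key layout with the `Enabled` and `DisabledByDefault` DWORD values; the function names are hypothetical. Run it elevated on the machine that initiates the connection (Server A in the question).

```powershell
# Added example: inspect and enable the TLS 1.2 *Client* subkey under SCHANNEL.
# The Server subkey governs inbound connections; the Client subkey governs outbound
# ones, which is what Invoke-Command -Authentication Credssp uses from Server A.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Get-SchannelTls12State {
    # Report, per role, whether the subkey exists and what its two DWORD values are.
    foreach ($role in 'Client', 'Server') {
        $path  = Join-Path $base $role
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role              = $role
            KeyExists         = Test-Path $path
            Enabled           = $props.Enabled             # $null means the value is not set
            DisabledByDefault = $props.DisabledByDefault
        }
    }
}

function Enable-SchannelTls12Client {
    # Creates the Client subkey if it is missing and turns TLS 1.2 on for outbound use.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $path = Join-Path $base 'Client'
    if ($PSCmdlet.ShouldProcess($path, 'Create key and enable TLS 1.2 for outbound connections')) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

Get-SchannelTls12State | Format-Table -AutoSize    # state before any change
Enable-SchannelTls12Client -WhatIf                  # preview only; drop -WhatIf to apply
```

A missing Client row (`KeyExists` false) alongside a populated Server row matches the situation the answer describes. Restart the server after applying the change so that Schannel picks up the new values.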



Source: https://stackoverflow.com/questions/50513033/powershell-credssp-and-tls-1-2
