16

PowerShell web access lets you choose the authentication type. By default, it uses a value of Default, which ends up being Negotiate. I have set up CredSSP to allow logging into the PSWA server itself with CredSSP, so that network authentication works from within the session (avoids a double hop issue, without delegating credentials all over the network).

Anyway, I want CredSSP to be the default option on the sign-in page.

Looking into the configuration options for the PSWA web app in IIS, there are several values that can be set to override the defaults.

One of them is called defaultAuthenticationType which is a string but is set to 0.

This seems like the right setting, but I can't get it to work.

If I inspect the sign in web page I can see that the select box has the following values:

0   Default
1   Basic
2   Negotiate
4   CredSSP
5   Digest
6   Kerberos

3 is missing.

JosefZ found that 3 is NegotiateWithImplicitCredential according to this page, but on Windows PowerShell 5.1.15063.966 for me that name/value is missing from the enum.

If I set defaultAuthenticationType to a number, then the web page defaults to a new option:

7   Admin Specified

I have tried 3 and 4, but neither one works. The login happens using Kerberos, and CredSSP is not used.

If I select CredSSP manually it works as expected.

If I set defaultAuthenticationType to a string like CredSSP, no Admin Specified option appears and it just defaults to Default again, and still Kerberos authentication is used.

Has anyone been able to successfully set this? Web results have been very lacking.

9
  • Did you also update the logon.aspx page to select the CredSSP option by default? Jun 29, 2016 at 15:09
  • @Persistent13 no I didn't touch that page. I suppose that would work, and I might resort to it, but it's clearly a hack. I wanted something supported and repeatable. I'm actually installing and configuring this almost completely through DSC, and I don't want to have to write janky script resources to change that value in logon.aspx. It's a good suggestion for sure though.
    – briantist
    Jun 29, 2016 at 15:11
  • For DSC I'd recommend writing your own resource or use the script resource to update logon.aspx using a combination of Get-Content, -replace, and Set-Content as it would be more repeatable. Jun 29, 2016 at 15:27
  • @Persistent13 yeah, it's doable. I just think it's clear that the intent was to support changing this value in the config, it's just not working, and writing a resource is heavy-handed for this; for my purposes anyway.
    – briantist
    Jun 29, 2016 at 15:29
  • [System.Management.Automation.Runspaces.AuthenticationMechanism]::NegotiateWithImplicitCredential -as [int]; see AuthenticationMechanism enum
    – JosefZ
    May 16, 2018 at 21:59

1 Answer

0

Try following this guide; it should get you where you want to go: https://www.petri.com/powershell-web-access-configuration

Here is the section you want.
    Add-PswaAuthorizationRule : This command must be run by a user account with permissions to perform Active Directory queries.

If you run the command in an interactive (i.e. not via remoting) session on the server it should work just fine. The problem here is the second hop. The Add-PswaAuthorizationRule cmdlet needs to make a connection to a domain controller, which by security design is not allowed in PowerShell Remoting. This second-hop limitation can be overcome by enabling CredSSP authentication. Note: This is not to be done lightly as there are security ramifications, so research this fully before employing.

But in my situation, since I want to use remoting, I’ll exit out of the remote session and enable CredSSP on my desktop for CHI-WEB01.

    PS C:\> Enable-WSManCredSSP -DelegateComputer chi-web01 -Role Client

Next, I need to enable the server side.

    PS C:\> invoke-command {enable-wsmancredssp -Role Server -Force} -ComputerName chi-web01

With this in place, I can now re-establish my remote session specifying CredSSP and my credentials.

    PS C:\> enter-pssession chi-web01 -Authentication Credssp -Credential globomantics\jeff

Now when I run the authorization command, it works as you can see below in Figure 3.
  • Hi Joshua, I appreciate your answer but unfortunately this doesn't answer the question. I already had CredSSP set up, the issue is in changing the default authentication option in the web interface of PSWA. Everything I did was technically working, it was just a pain to have to choose CredSSP manually on every login when the intent was to always use CredSSP. And PSWA appears to have a setting to control this very thing, yet it doesn't work.
    – briantist
    Nov 26, 2018 at 3:26
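
The client-side command quoted in the answer above (Enable-WSManCredSSP -DelegateComputer chi-web01 -Role Client) records its delegation targets under the AllowFreshCredentials policy key. The following is an added example, not part of the original question, answer or the linked guide, that lists those targets and flags any entry broader than a single host. The function names are hypothetical and the sample entries are constructed.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Enable-WSManCredSSP -Role Client stores its targets as SPN patterns under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'

function Get-CredSspDelegationTarget {
    # Returns every SPN pattern (for example wsman/chi-web01) configured on this client.
    param([string]$Path = $PolicyKey)
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) { [string]$key.GetValue($name) }
}

function Test-CredSspDelegationTarget {
    # Classifies one SPN pattern by how many hosts it lets credentials reach.
    param([Parameter(Mandatory)][string]$Target)
    $service, $hostPattern = $Target -split '/', 2
    if ([string]::IsNullOrEmpty($hostPattern)) {
        $scope = 'Malformed: no host part'
    } elseif ($hostPattern -eq '*') {
        $scope = 'Any host'
    } elseif ($hostPattern.Contains('*')) {
        $scope = 'Wildcard pattern'
    } else {
        $scope = 'Single host'
    }
    [pscustomobject]@{
        Target  = $Target
        Service = $service
        Host    = $hostPattern
        Scope   = $scope
        Review  = $scope -ne 'Single host'   # anything wider than one host needs a look
    }
}

# Constructed sample entries; the first matches the -DelegateComputer value used above.
$sample = 'wsman/chi-web01', 'wsman/*.globomantics.example', 'wsman/*'
$sample | ForEach-Object { Test-CredSspDelegationTarget -Target $_ } | Format-Table -AutoSize

# On a real client, audit the live policy instead of the sample:
# Get-CredSspDelegationTarget | ForEach-Object { Test-CredSspDelegationTarget -Target $_ }
```

Get-WSManCredSSP reports the same client targets and also states whether the machine is configured to receive credentials in the server role.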
