PS Remoting: Client Certificate-based authentication stopped working

  • Question

  • Client Certificate-based authentication is working for connections to one of my computers, but not the other. Clearing and recreating WSMan settings hasn't helped. To attempt to trace the issue, I log both computers as they attempt to connect to themselves (attached below). However, I still can't pinpoint the issue. I'd appreciate insights on better tracing the issue, or even a solution.

    Background: I recently renamed a computer and updated all my CA, server, and client TLS certificates. Client Certificate-based authentication continues to work on all computers except the one I renamed: I get an 'access denied' error when I attempt to connect to it.

    PS C:\Users\luism\Downloads> Enter-PSSession -ComputerName kitchen
    Enter-PSSession : Connecting to remote server kitchen failed with the following error message : The WinRM client cannot process the request. The destination computer (kitchen:5986) returned
    an 'access denied' error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify that the client computer and the destination computer
    are joined to a domain. Possible authentication mechanisms reported by server:     Negotiate   ClientCerts For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession -ComputerName kitchen
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (kitchen:String) [Enter-PSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    Connecting to another computer, however, works fine.

    PS C:\Users\luism\Downloads> Enter-PSSession -ComputerName lmm-notebook
    [lmm-notebook]: PS C:\Users\luism\OneDrive\Documents>

    My profile sets a default parameter value for -CertificateThumbprint

    # Pick the first client-authentication certificate in the user's store whose
    # subject is CN=<current username>.
    $ClientCertificate = Get-ChildItem -Path Cert:\CurrentUser\My -Eku 'Client Authentication' |
        Where-Object { $_.Subject -eq ('CN={0}' -f [System.Environment]::UserName) } |
        Select-Object -First 1
    if ($ClientCertificate) {
        # Default every *-PSSession cmdlet to HTTPS with that certificate as the credential.
        foreach ($verb in 'Enter', 'Connect', 'New') {
            $cmdlet = '{0}-PSSession' -f $verb
            $PSDefaultParameterValues["${cmdlet}:UseSSL"] = $true
            $PSDefaultParameterValues["${cmdlet}:CertificateThumbprint"] = $ClientCertificate.Thumbprint
        }
    }

    so my environment shows

    PS C:\Users\luism\Downloads> $PSDefaultParameterValues | Format-Table -AutoSize
    Name                                    Value
    ----                                    -----
    Connect-PSSession:UseSSL                True
    New-PSSession:UseSSL                    True
    Enter-PSSession:UseSSL                  True
    Enter-PSSession:CertificateThumbprint   3A290DFD00256A174602059096FBB2C5F608E7D6
    Connect-PSSession:CertificateThumbprint 3A290DFD00256A174602059096FBB2C5F608E7D6
    New-PSSession:CertificateThumbprint     3A290DFD00256A174602059096FBB2C5F608E7D6
    
    PS C:\Users\luism\Downloads> $ClientCertificate | Format-List -Property *
    PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\3A290DFD00256A174602059096FBB2C5F608E7D6
    PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
    PSChildName              : 3A290DFD00256A174602059096FBB2C5F608E7D6
    PSDrive                  : Cert
    PSProvider               : Microsoft.PowerShell.Security\Certificate
    PSIsContainer            : False
    EnhancedKeyUsageList     : {Any Purpose (2.5.29.37.0), Client Authentication (1.3.6.1.5.5.7.3.2)}
    DnsNameList              : {luism}
    SendAsTrustedIssuer      : False
    EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    PolicyId                 :
    Archived                 : False
    Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
    FriendlyName             :
    IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter                 : 12/1/2027 12:00:00 AM
    NotBefore                : 12/1/2017 12:00:00 AM
    HasPrivateKey            : True
    PrivateKey               :
    PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
    RawData                  : {48, 130, 3, 76...}
    SerialNumber             : 667414D0DFF2E79C4E5C15C520D30B01
    SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm       : System.Security.Cryptography.Oid
    Thumbprint               : 3A290DFD00256A174602059096FBB2C5F608E7D6
    Version                  : 3
    Handle                   : 2338111615376
    Issuer                   : CN=CustomRootCA
    Subject                  : CN=luism

    Regular TLS connection to the bad computer works

    PS C:\Users\luism> Enter-PSSession -ComputerName kitchen -UseSSL -Credential luism
    [kitchen]: PS C:\Users\luism\OneDrive\Documents>
    so its server certificate works.

    Tracing: With Enable-PSWSManCombinedTrace, I tried logging New-PSSession on computers connecting to themselves to spot a difference between success and failure. Both logs look the same until the first authentication attempt. On the failure log,

       ProviderName: Microsoft-Windows-WinRM
    
    12/17/2017 4:18:35 AM          787 Information      Sending the request for operation CreateShell to destination machine and port kitchen:5986
    12/17/2017 4:18:35 AM         1297 Information      Authenticating the user using Client certificate mechanism
    12/17/2017 4:18:35 AM         1048 Error            Sending HTTP error back to the client due to a transport failure.
                                                        The HTTP status code is 503
                                                        The error code is 995
    12/17/2017 4:18:35 AM         1294 Error            Sending HTTP 401 response to the client and disconnect the connection after sending the response
    12/17/2017 4:18:35 AM         1047 Error            Received the response from Network layer; status: 401 (HTTP_STATUS_DENIED)
    12/17/2017 4:18:35 AM          254 Information      Activity Transfer
    12/17/2017 4:18:35 AM          164 Error            The destination computer (kitchen) returned an 'access denied' error. Verify your credentials are correct.
    12/17/2017 4:18:35 AM         1840 Error            An error was encountered while processing an operation.
                                                        Error Code: 5
                                                        Error String:<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="kitchen"><f:Message>The WinRM
                                                        client cannot process the request. The destination computer (kitchen:5986) returned an &apos;access denied&apos; error. Specify one of the
                                                        authentication mechanisms supported by the server. If Kerberos mechanism is used, verify that the client computer and the destination
                                                        computer are joined to a domain. Possible authentication mechanisms reported by server:     Negotiate   ClientCerts
                                                        </f:Message></f:WSManFault>
    12/17/2017 4:18:35 AM          255 Information      Activity Transfer
    12/17/2017 4:18:35 AM          255 Information      Activity Transfer
    12/17/2017 4:18:35 AM          142 Error            WSMan operation CreateShell failed, error code 5

    On the log of success,

       ProviderName: Microsoft-Windows-WinRM
    
    12/17/2017 1:15:13 AM          787 Information      Sending the request for operation CreateShell to destination machine and port lmm-notebook:5986
    12/17/2017 1:15:13 AM         1297 Information      Authenticating the user using Client certificate mechanism
    12/17/2017 1:15:13 AM         1048 Error            Sending HTTP error back to the client due to a transport failure.
                                                        The HTTP status code is 503
                                                        The error code is 995
    12/17/2017 1:15:13 AM         1296 Information      The authentication using client certificate with subject luism@localhost done successfully
    12/17/2017 1:15:13 AM         1536 Information      Authorizing the user
    12/17/2017 1:15:13 AM         1537 Information      The authorization of the user was done successfully

    The bad computer has the line

    12/17/2017 4:18:35 AM         1294 Error            Sending HTTP 401 response to the client and disconnect the connection after sending the response

    where a good one has the line

    12/17/2017 1:15:13 AM         1296 Information      The authentication using client certificate with subject luism@localhost done successfully

    The bad computer fails to mention the subject on the client certificate, so I'm not sure it's actually getting it.

    To try to trace TLS, I reran the above while logging Schannel Events. On the good computer

       ProviderName: Schannel
    
    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    12/18/2017 4:05:12 AM        36867 Information      Creating a TLS client credential.
    12/18/2017 4:05:12 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae18fc40
                                                           Target name:
                                                           Local certificate subject name: CN=lmm-notebook
                                                           Remote certificate subject name:
    12/18/2017 4:05:12 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae15c860
                                                           Target name: lmm-notebook
                                                           Local certificate subject name:
                                                           Remote certificate subject name: CN=lmm-notebook
    12/18/2017 4:05:12 AM        36867 Information      Creating a TLS client credential.
    12/18/2017 4:05:12 AM        36868 Information      The TLS client credential's private key has the following properties:
    
                                                           CSP name: Microsoft Software Key Storage Provider
                                                           CSP type: 0
                                                           Key name: te-08925c69-4f1c-4608-83b2-c38133a81fea
                                                           Key Type: N/A
                                                           Key Flags: 0x0
    
                                                         The attached data contains the certificate.
    12/18/2017 4:05:12 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae190840
                                                           Target name:
                                                           Local certificate subject name: CN=lmm-notebook
                                                           Remote certificate subject name:
    12/18/2017 4:05:12 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae15cda0
                                                           Target name: lmm-notebook
                                                           Local certificate subject name:
                                                           Remote certificate subject name: CN=lmm-notebook
    12/18/2017 4:05:12 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae190840
                                                           Target name:
                                                           Local certificate subject name: CN=lmm-notebook
                                                           Remote certificate subject name: CN=luism
    12/18/2017 4:05:12 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae15cda0
                                                           Target name: lmm-notebook
                                                           Local certificate subject name: CN=luism
                                                           Remote certificate subject name: CN=lmm-notebook
    12/18/2017 4:05:13 AM        36867 Information      Creating a TLS client credential.
    12/18/2017 4:05:13 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae190440
                                                           Target name:
                                                           Local certificate subject name: CN=lmm-notebook
                                                           Remote certificate subject name:
    12/18/2017 4:05:13 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae163a00
                                                           Target name: lmm-notebook
                                                           Local certificate subject name:
                                                           Remote certificate subject name: CN=lmm-notebook
    12/18/2017 4:05:13 AM        36867 Information      Creating a TLS client credential.
    12/18/2017 4:05:13 AM        36868 Information      The TLS client credential's private key has the following properties:
    
                                                           CSP name: Microsoft Software Key Storage Provider
                                                           CSP type: 0
                                                           Key name: te-08925c69-4f1c-4608-83b2-c38133a81fea
                                                           Key Type: N/A
                                                           Key Flags: 0x0
    
                                                         The attached data contains the certificate.
    12/18/2017 4:05:13 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae18f040
                                                           Target name:
                                                           Local certificate subject name: CN=lmm-notebook
                                                           Remote certificate subject name:
    12/18/2017 4:05:13 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae15cbc0
                                                           Target name: lmm-notebook
                                                           Local certificate subject name:
                                                           Remote certificate subject name: CN=lmm-notebook
    12/18/2017 4:05:13 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae18f040
                                                           Target name:
                                                           Local certificate subject name: CN=lmm-notebook
                                                           Remote certificate subject name: CN=luism
    12/18/2017 4:05:13 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae15cbc0
                                                           Target name: lmm-notebook
                                                           Local certificate subject name: CN=luism
                                                           Remote certificate subject name: CN=lmm-notebook
    12/18/2017 4:05:13 AM        36867 Information      Creating a TLS client credential.
    12/18/2017 4:05:13 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae190440
                                                           Target name:
                                                           Local certificate subject name: CN=lmm-notebook
                                                           Remote certificate subject name:
    12/18/2017 4:05:13 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae165530
                                                           Target name: lmm-notebook
                                                           Local certificate subject name:
                                                           Remote certificate subject name: CN=lmm-notebook
    12/18/2017 4:05:13 AM        36867 Information      Creating a TLS client credential.
    12/18/2017 4:05:13 AM        36868 Information      The TLS client credential's private key has the following properties:
    
                                                           CSP name: Microsoft Software Key Storage Provider
                                                           CSP type: 0
                                                           Key name: te-08925c69-4f1c-4608-83b2-c38133a81fea
                                                           Key Type: N/A
                                                           Key Flags: 0x0
    
                                                         The attached data contains the certificate.
    12/18/2017 4:05:13 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae190440
                                                           Target name:
                                                           Local certificate subject name: CN=lmm-notebook
                                                           Remote certificate subject name:
    12/18/2017 4:05:13 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae1623e0
                                                           Target name: lmm-notebook
                                                           Local certificate subject name:
                                                           Remote certificate subject name: CN=lmm-notebook
    12/18/2017 4:05:13 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae190440
                                                           Target name:
                                                           Local certificate subject name: CN=lmm-notebook
                                                           Remote certificate subject name: CN=luism
    12/18/2017 4:05:13 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x24fae1623e0
                                                           Target name: lmm-notebook
                                                           Local certificate subject name: CN=luism
                                                           Remote certificate subject name: CN=lmm-notebook
    whereas the bad computer has a shorter log:

       ProviderName: Schannel
    
    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    12/18/2017 4:40:06 AM        36867 Information      Creating a TLS client credential.
    12/18/2017 4:40:06 AM        36867 Information      Creating a TLS server credential.
    12/18/2017 4:40:06 AM        36868 Information      The TLS server credential's private key has the following properties:
    
                                                           CSP name: Microsoft Software Key Storage Provider
                                                           CSP type: 0
                                                           Key name: te-fb3325a1-c3e0-413f-bf88-652d7d656bf3
                                                           Key Type: N/A
                                                           Key Flags: 0x20
    
                                                         The attached data contains the certificate.
    12/18/2017 4:40:06 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x184b56f5040
                                                           Target name:
                                                           Local certificate subject name: CN=kitchen
                                                           Remote certificate subject name:
    12/18/2017 4:40:06 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x184b576d7b0
                                                           Target name: kitchen
                                                           Local certificate subject name:
                                                           Remote certificate subject name: CN=kitchen
    12/18/2017 4:40:06 AM        36867 Information      Creating a TLS client credential.
    12/18/2017 4:40:06 AM        36868 Information      The TLS client credential's private key has the following properties:
    
                                                           CSP name: Microsoft Software Key Storage Provider
                                                           CSP type: 0
                                                           Key name: {7301A0AF-D071-40F7-BA3E-6A4C64C459D8}
                                                           Key Type: N/A
                                                           Key Flags: 0x0
    
                                                         The attached data contains the certificate.
    12/18/2017 4:40:06 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x184b56f5c40
                                                           Target name:
                                                           Local certificate subject name: CN=kitchen
                                                           Remote certificate subject name:
    12/18/2017 4:40:06 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x184b54e76e0
                                                           Target name: kitchen
                                                           Local certificate subject name:
                                                           Remote certificate subject name: CN=kitchen
    12/18/2017 4:40:06 AM        36880 Information      A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x184b56f5c40
                                                           Target name:
                                                           Local certificate subject name: CN=kitchen
                                                           Remote certificate subject name: CN=luism
    12/18/2017 4:40:06 AM        36880 Information      A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
    
                                                           Protocol version: TLS 1.2
                                                           CipherSuite: 0xC030
                                                           Exchange strength: 255 bits
                                                           Context handle: 0x184b54e76e0
                                                           Target name: kitchen
                                                           Local certificate subject name: CN=luism
                                                           Remote certificate subject name: CN=kitchen

    Does anyone know what else I can do?

    Tuesday, December 19, 2017 1:06 AM

All replies

  • You will have to reset the certificate used by the computer and the remoting system.  It sounds like it is using the old cert.  Be sure DNS and AD are not still using the old name.

    Unfortunately this is not a break/fix help desk. Your issue is a system configuration issue and not a scripting issue.


    \_(ツ)_/

    Tuesday, December 19, 2017 1:30 AM
  • The server certificates on all systems are new and working. As written above, when connecting to the bad computer over TLS/SSL

    PS C:\Users\luism> Enter-PSSession -ComputerName kitchen -UseSSL -Credential luism
    [kitchen]: PS C:\Users\luism\OneDrive\Documents>

    the connection succeeds. It fails when I try to use the client certificate. Of course, connecting to the good computer with this client certificate just works, so the issue isn't the certificates. To be sure, here are certificate outputs.

    Bad computer's server certificate

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                1d:80:68:b9:86:52:4f:9c:41:b0:c6:fa:b6:e3:28:10
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=CustomRootCA
            Validity
                Not Before: Dec  1 05:00:00 2017 GMT
                Not After : Dec  1 05:00:00 2027 GMT
            Subject: CN=kitchen
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment, Key Agreement
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication
                X509v3 Subject Alternative Name:
                    DNS:kitchen
                X509v3 Authority Key Identifier:
                    keyid:37:23:68:47:66:09:AA:FC:66:69:8D:7A:68:75:03:D6:76:2D:07:1A
                X509v3 Subject Key Identifier:
                    4B:5C:6B:F7:30:6F:2C:3D:E3:4C:0B:E4:15:FC:CA:A0:52:9F:52:08
        Signature Algorithm: sha256WithRSAEncryption
    SHA1 Fingerprint=76:D9:68:1C:CE:25:54:09:3F:AE:68:DA:A2:62:3B:10:C6:66:84:A1

    Good computer's server certificate

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                33:69:a1:30:55:57:3a:bc:4c:8a:1d:8f:cc:bc:c6:91
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=CustomRootCA
            Validity
                Not Before: Dec  1 05:00:00 2017 GMT
                Not After : Dec  1 05:00:00 2027 GMT
            Subject: CN=lmm-notebook
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment, Key Agreement
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication
                X509v3 Subject Alternative Name:
                    DNS:lmm-notebook
                X509v3 Authority Key Identifier:
                    keyid:37:23:68:47:66:09:AA:FC:66:69:8D:7A:68:75:03:D6:76:2D:07:1A
    
                X509v3 Subject Key Identifier:
                    76:46:32:26:F8:5F:33:BA:E7:29:8C:91:88:4C:43:FD:A1:1C:8B:DB
        Signature Algorithm: sha256WithRSAEncryption
    SHA1 Fingerprint=61:AE:55:8C:5B:F1:87:1C:DC:1B:B3:C5:64:2C:65:1E:B8:D7:90:6D

    Client certificate

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                66:74:14:d0:df:f2:e7:9c:4e:5c:15:c5:20:d3:0b:01
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=CustomRootCA
            Validity
                Not Before: Dec  1 05:00:00 2017 GMT
                Not After : Dec  1 05:00:00 2027 GMT
            Subject: CN=luism
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment, Key Agreement
                X509v3 Extended Key Usage:
                    Any Extended Key Usage, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    othername:Principal Name=luism@localhost
                X509v3 Authority Key Identifier:
                    keyid:37:23:68:47:66:09:AA:FC:66:69:8D:7A:68:75:03:D6:76:2D:07:1A
                X509v3 Subject Key Identifier:
                    50:68:2B:0A:F2:52:8B:6F:C3:97:14:BA:77:F0:D6:34:7D:EE:72:D9
        Signature Algorithm: sha256WithRSAEncryption
    SHA1 Fingerprint=3A:29:0D:FD:00:25:6A:17:46:02:05:90:96:FB:B2:C5:F6:08:E7:D6

    Issuer's (Root CA) certificate

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                4d:7f:aa:3f:7b:b7:8b:bd:40:66:13:5a:e2:8a:48:74
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=CustomRootCA
            Validity
                Not Before: Dec  1 05:00:00 2017 GMT
                Not After : Dec  1 05:00:00 2027 GMT
            Subject: CN=CustomRootCA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Subject Key Identifier:
                    37:23:68:47:66:09:AA:FC:66:69:8D:7A:68:75:03:D6:76:2D:07:1A
        Signature Algorithm: sha256WithRSAEncryption
    SHA1 Fingerprint=79:46:DF:6D:CD:A8:27:2E:CC:6A:BF:69:50:3E:FF:52:60:CF:91:27

    They're all active, their names match, and their extensions meet requirements for PS Remoting/WinRM.

    I'm not using AD.

    DNS is using current names.

    I thought the PowerShell forum would be the best place to bring this issue about PS Remoting. Where is the best place to take this?


    • Edited by Luis Marsano Tuesday, December 19, 2017 7:39 AM fingerprints
    Tuesday, December 19, 2017 4:10 AM
  • Again.  This is not a scripting issue. It is a configuration issue.

    \_(ツ)_/

    Tuesday, December 19, 2017 4:38 AM
  • Where does it say the PowerShell forums are only for scripting?

    I'm trying to configure PowerShell Remoting, which is a feature of PowerShell, so it's a PowerShell question.

    Therefore, this looks like the right place.

    Otherwise, where else would it go?

    Tuesday, December 19, 2017 6:28 AM
    You have to install the correct cert on the remote and be sure the remote system can validate the certificate. After a system rename a new cert must reflect the name of the cert. It must also be able to validate the client cert.

    winrm enumerate winrm/config/service/CertMapping

    Start here for help with setting up mapping: https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx


    \_(ツ)_/

    Tuesday, December 19, 2017 6:41 AM
  • Thanks for looking at this.

    The bad computer (remote computer that fails at client certificate-based authentication) already has the correct server certificate, can validate it (-UseSSL works on loopback connections with other credentials), and is configured to validate the client certificate.

    Some output to show that (compare to the certificates above by fingerprint/thumbprint)

    PS C:\Users\luism> Enter-PSSession -ComputerName kitchen -UseSSL -Credential $Cred
    [kitchen]: PS C:\Users\luism\OneDrive\Documents> [System.Net.Dns]::GetHostName()
    kitchen
    [kitchen]: PS C:\Users\luism\OneDrive\Documents> Get-ChildItem -Path WSMan:\localhost\ClientCertificate\ | Get-ChildItem
       WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate\ClientCertificate_599922967
    
    Type            Name                           SourceOfValue   Value
    ----            ----                           -------------   -----
    System.String   URI                                            *
    System.String   Subject                                        luism@localhost
    System.String   Issuer                                         7946DF6DCDA8272ECC6ABF69503EFF5260CF9127
    System.String   UserName                                       luism
    System.String   Enabled                                        true
    System.String   Password
    
    
    [kitchen]: PS C:\Users\luism\OneDrive\Documents> Get-Item -Path Cert:\LocalMachine\Root\7946DF6DCDA8272ECC6ABF69503EFF5260CF9127
       PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
    
    Thumbprint                                Subject
    ----------                                -------
    7946DF6DCDA8272ECC6ABF69503EFF5260CF9127  CN=CustomRootCA
    
    
    [kitchen]: PS C:\Users\luism\OneDrive\Documents> Get-Item -Path Cert:\LocalMachine\TrustedPeople\3A290DFD00256A174602059096FBB2C5F608E7D6
       PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\TrustedPeople
    
    Thumbprint                                Subject
    ----------                                -------
    3A290DFD00256A174602059096FBB2C5F608E7D6  CN=luism
    
    
    [kitchen]: PS C:\Users\luism\OneDrive\Documents> Get-Item -Path Cert:\LocalMachine\My\76D9681CCE2554093FAE68DAA2623B10C66684A1
       PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
    
    Thumbprint                                Subject
    ----------                                -------
    76D9681CCE2554093FAE68DAA2623B10C66684A1  CN=kitchen

    Despite this, access is denied. Please keep the ideas coming.
    • Edited by Luis Marsano Tuesday, December 19, 2017 7:41 AM cleaner output
    Tuesday, December 19, 2017 7:35 AM
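The earlier reply points at the `CertMapping` configuration, and the post above walks through the same checks by hand (mapping entry, issuer in `LocalMachine\Root`, client cert in `LocalMachine\TrustedPeople`, server cert in `LocalMachine\My`). The script below is an added example, not code from the thread or from Microsoft, that automates those cross-checks on the server side so they can be repeated after every rename or certificate rollover. It assumes the layout the thread shows: local-account mappings (no AD), a client certificate in `LocalMachine\TrustedPeople` whose UPN (`Principal Name` SAN) equals the mapping `Subject`, the issuer identified by thumbprint in `LocalMachine\Root`, and the HTTPS listener certificate in `LocalMachine\My`. The function and parameter names are my own.

```powershell
# Added consistency check for a WinRM client-certificate mapping; not code from the
# thread. Run in an elevated Windows PowerShell 5.1 session on the server being checked.
# Assumptions (labelled): mappings are local-account mappings (no AD), the client cert
# sits in LocalMachine\TrustedPeople with a UPN 'Principal Name' SAN equal to the mapping
# Subject, the issuer is in LocalMachine\Root, the HTTPS listener cert is in LocalMachine\My.

function Get-SanPrincipalName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.17 = Subject Alternative Name. Format($true) renders one entry per
    # line, e.g. "Other Name:Principal Name=luism@localhost".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match 'Principal Name=(\S+)') { return $Matches[1] }
    }
    return $null
}

function Test-WinRmCertMapping {
    param([string]$ClientCertificateThumbprint)   # optional: thumbprint in CurrentUser\My for an end-to-end probe
    $hostName = [System.Net.Dns]::GetHostName()
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Each mapping must be enabled and point at a trusted issuer, a present client
    #    certificate and an existing, enabled local account.
    foreach ($mapping in Get-ChildItem -Path WSMan:\localhost\ClientCertificate) {
        $p = @{}
        Get-ChildItem -Path $mapping.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
        $tag = "Mapping $($mapping.Name)"

        if ($p.Enabled -ne 'true') { $findings.Add("${tag} is disabled") }

        $issuer = Get-Item -Path "Cert:\LocalMachine\Root\$($p.Issuer)" -ErrorAction SilentlyContinue
        if (-not $issuer) { $findings.Add("${tag}: issuer $($p.Issuer) is not in LocalMachine\Root") }

        $client = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
            Where-Object { (Get-SanPrincipalName $_) -eq $p.Subject }
        if (-not $client) {
            $findings.Add("${tag}: no cert in LocalMachine\TrustedPeople carries UPN $($p.Subject)")
        } elseif ($issuer -and -not ($client | Where-Object { $_.Issuer -eq $issuer.Subject })) {
            $findings.Add("${tag}: TrustedPeople cert for $($p.Subject) was not issued by $($issuer.Subject)")
        }

        $account = Get-LocalUser -Name $p.UserName -ErrorAction SilentlyContinue
        if (-not $account) { $findings.Add("${tag}: local account '$($p.UserName)' does not exist") }
        elseif (-not $account.Enabled) { $findings.Add("${tag}: local account '$($p.UserName)' is disabled") }
    }

    # 2. The HTTPS listener certificate must exist and be issued for this host name.
    foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $l = @{}
        Get-ChildItem -Path $listener.PSPath | ForEach-Object { $l[$_.Name] = $_.Value }
        if ($l.Transport -ne 'HTTPS') { continue }
        $srv = Get-Item -Path "Cert:\LocalMachine\My\$($l.CertificateThumbprint)" -ErrorAction SilentlyContinue
        if (-not $srv) {
            $findings.Add("Listener $($listener.Name): cert $($l.CertificateThumbprint) is not in LocalMachine\My")
            continue
        }
        # DnsNameList is the SAN DNS entries (falling back to CN); -notcontains is case-insensitive.
        $names = @($srv.DnsNameList | ForEach-Object { $_.Unicode })
        if ($names -notcontains $hostName) {
            $findings.Add("Listener $($listener.Name): cert names [$($names -join ', ')] do not include $hostName")
        }
    }

    # 3. Optional loopback probe of the whole path with a client certificate.
    if ($ClientCertificateThumbprint) {
        try {
            Test-WSMan -ComputerName $hostName -UseSSL -Authentication ClientCertificate `
                -CertificateThumbprint $ClientCertificateThumbprint -ErrorAction Stop | Out-Null
        } catch {
            $findings.Add("Test-WSMan with client certificate failed: $($_.Exception.Message)")
        }
    }

    if ($findings.Count -eq 0) { 'No inconsistencies found between mapping, certificate stores and listener.' }
    else { $findings }
}

Test-WinRmCertMapping
```

Pass `-ClientCertificateThumbprint` (the thumbprint of the client certificate in `CurrentUser\My`) to finish with a `Test-WSMan` probe using `-Authentication ClientCertificate`, which exercises the same path as `Enter-PSSession -CertificateThumbprint`. The script reports only inconsistencies between the mapping, the stores and the listener; a configuration like the one shown above passes every static check, which is the point of running it first: it rules the store layout in or out before moving on to the WinRM and Schannel event logs.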