PSRP with CredSSP throws 400 Bad Request RRS feed

  • Question

  • Hi,

    I am developing a cross platform winrm client that talks PSRP. It works well with NTLM authentication. I was working on CredSSP authentication and the CredSSP client can talk wsmv messages to open command shell etc. But when the same client sends PSRP encoded messages, it fails from the server with 400 Bad Request. Moreover, the length of the message that I sent was less than 16K and I can send the first message to get config of the wsman service, but I am not able to send the init runspace request. Any help in this regard would be appreciated.

    Below is the logs that I managed to capture from the windows machine.

    1. [0]0358.0364::‎2018‎-‎02‎-‎20 10:59:54.137 [Microsoft-Windows-WinRM]User WINDOWS-E9TID53\administrator authenticated successfully using CredSSP authentication
    2. [0]0358.0364::‎2018‎-‎02‎-‎20 10:59:54.137 [Microsoft-Windows-WinRM]Authorizing the user
    3. [0]0358.0364::‎2018‎-‎02‎-‎20 10:59:54.137 [Microsoft-Windows-WinRM]The authorization of the user was done successfully
    4. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.482 [Microsoft-Windows-WinRM]SOAP [listener receiving index 1 of 1 total chunks (2994 bytes)] <?xml version="1.0" encoding="utf-8" ?> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><env:Header><a:To></a:To> <a:ReplyTo><a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> </a:ReplyTo> <w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize> <w:OperationTimeout>PT60S</w:OperationTimeout> <a:MessageID>uuid:79F72314-769A-4C54-B5AD-A174EC78A680</a:MessageID> <p:SessionId mustUnderstand="false">uuid:ADF3F615-79F5-4892-B504-FE43D2760B6E</p:SessionId> <w:Locale mustUnderstand="false" xml:lang="en-US"/><p:DataLocale mustUnderstand="false" xml:lang="en-US"/><a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Get</a:Action> <w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/config</w:ResourceURI> </env:Header> <env:Body/></env:Envelope>  
    5. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.482 [Microsoft-Windows-WinRM]Processing client request for operation GET
    6. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.482 [Microsoft-Windows-WinRM]Activity Transfer
    7. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.482 [Microsoft-Windows-WinRM]Entering the plugin for operation Get with a ResourceURI of <http://schemas.microsoft.com/wbem/wsman/1/config>
    8. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.483 [Microsoft-Windows-WinRM]Plug-in reporting data object for operation GET
    9. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.483 [Microsoft-Windows-WinRM]Activity Transfer
    10. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.483 [Microsoft-Windows-WinRM]Activity Transfer
    11. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.483 [Microsoft-Windows-WinRM]SOAP [listener sending index 1 of 3 total chunks (1500 bytes)] <s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse</a:Action><a:MessageID>uuid:EA69C09F-3326-408B-AEA9-16A50E6A4B3B</a:MessageID><p:ActivityId>B0D438CC-A5B7-0000-3743-D4B0B7A5D301</p:ActivityId><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:79F72314-769A-4C54-B5AD-A174EC78A680</a:RelatesTo></s:Header><s:Body><cfg:Config xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config"><cfg:MaxEnvelopeSizekb>500</cfg:MaxEnvelopeSizekb><cfg:MaxTimeoutms>60000</cfg:MaxTimeoutms><cfg:MaxBatchItems>32000</cfg:MaxBatchItems><cfg:MaxProviderRequests>4294967295</cfg:MaxProviderRequests><cfg:Client><cfg:NetworkDelayms>5000</cfg:NetworkDelayms><cfg:URLPrefix>wsman</cfg:URLPrefix><cfg:AllowUnencrypted>false</cfg:AllowUnencrypted><cfg:Auth><cfg:Basic>false</cfg:Basic><cfg:Digest>true</cfg:Digest><cfg:Kerberos>true</cfg:Kerberos><cfg:Negotiate>true</cfg:Negotiate><cfg:Certificate>true</cfg:Certificate><cfg:CredSSP>true</cfg:CredSSP></cfg:Auth><cfg:DefaultPorts><cfg:HTTP>5985</cfg:HTTP><cfg:HTTPS>5986</cfg:HTTPS></cfg:DefaultPorts><cfg:TrustedHosts></cfg:TrustedHosts></cfg:Client><cfg:Service><cfg:RootSDDL>O:NSG:
    12. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.483 [Microsoft-Windows-WinRM]SOAP [listener sending index 2 of 3 total chunks (1500 bytes)] BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)</cfg:RootSDDL><cfg:MaxConcurrentOperations>4294967295</cfg:MaxConcurrentOperations><cfg:MaxConcurrentOperationsPerUser>1500</cfg:MaxConcurrentOperationsPerUser><cfg:EnumerationTimeoutms>240000</cfg:EnumerationTimeoutms><cfg:MaxConnections>300</cfg:MaxConnections><cfg:MaxPacketRetrievalTimeSeconds>120</cfg:MaxPacketRetrievalTimeSeconds><cfg:AllowUnencrypted>false</cfg:AllowUnencrypted><cfg:Auth><cfg:Basic>false</cfg:Basic><cfg:Kerberos>true</cfg:Kerberos><cfg:Negotiate>true</cfg:Negotiate><cfg:Certificate>false</cfg:Certificate><cfg:CredSSP>true</cfg:CredSSP><cfg:CbtHardeningLevel>Relaxed</cfg:CbtHardeningLevel></cfg:Auth><cfg:DefaultPorts><cfg:HTTP>5985</cfg:HTTP><cfg:HTTPS>5986</cfg:HTTPS></cfg:DefaultPorts><cfg:IPv4Filter>*</cfg:IPv4Filter><cfg:IPv6Filter>*</cfg:IPv6Filter><cfg:EnableCompatibilityHttpListener>false</cfg:EnableCompatibilityHttpListener><cfg:EnableCompatibilityHttpsListener>false</cfg:EnableCompatibilityHttpsListener><cfg:CertificateThumbprint></cfg:CertificateThumbprint><cfg:AllowRemoteAccess>true</cfg:AllowRemoteAccess></cfg:Service><cfg:Winrs><cfg:AllowRemoteShellAccess>true</cfg:AllowRemoteShellAccess><cfg:IdleTimeout>7200000</cfg:IdleTimeout><cfg:MaxConcurrentUsers>10</cfg:MaxConcurrentUsers><cfg:MaxShellRunTime>2147483647</cfg:MaxShellRunTime><cfg:MaxProcessesPerShell>25</cfg:MaxProcessesPerShell><cfg:MaxMemoryPerShellMB>1024</cfg:MaxMemoryPerShellMB><cfg:MaxShellsPerUser>30</cfg:MaxShells
    13. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.483 [Microsoft-Windows-WinRM]SOAP [listener sending index 3 of 3 total chunks (55 bytes)] PerUser></cfg:Winrs></cfg:Config></s:Body></s:Envelope>
    14. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.483 [Microsoft-Windows-WinRM]Plug-in reporting operation complete for GET
    15. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.483 [Microsoft-Windows-WinRM]Sending response for operation Get
    16. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.483 [Microsoft-Windows-WinRM]Leaving the plugin for operation Get
    17. [0]0358.06A8::‎2018‎-‎02‎-‎20 10:59:54.811 [Microsoft-Windows-WinRM]Authorizing the user
    18. [0]0358.0364::‎2018‎-‎02‎-‎20 10:59:55.157 [Microsoft-Windows-WinRM]Sending HTTP error back to the client due to a transport failure.  The HTTP status code is 400  The error code is 13



    • Edited by SrinathGS Wednesday, February 21, 2018 8:52 AM
    Wednesday, February 21, 2018 8:49 AM


  • I have identified the issue, the TLS client that I was using was dynamically resizing the packets to optimise for latency sensitive use cases. Have disabled it and made it use the maximum packet size (16k) always and that fixes double TLS records being sent for a PSRP message <16k in size.
    • Marked as answer by SrinathGS Thursday, February 22, 2018 6:01 AM
    Thursday, February 22, 2018 6:01 AM

All replies

  • Why are you trying to  use PSRP?  Just use PS remoting.  It IS PSRP.

    Are you trying tom send data memory-to-memory(M2M)?


    Wednesday, February 21, 2018 9:04 AM
  • No, I am sending the message from another machine (linux or mac), trying to run a script.
    Wednesday, February 21, 2018 9:11 AM
  • What code are you using?  "400" means you have made an HTTP request that is not formed correctly or references a non-exisitent resource.

    6.5.1.  400 Bad Request

       The 400 (Bad Request) status code indicates that the server cannot or
       will not process the request due to something that is perceived to be
       a client error (e.g., malformed request syntax, invalid request
       message framing, or deceptive request routing).


    Wednesday, February 21, 2018 9:15 AM
  • I am using my own implementation of the credssp protocol. The client is able to do do TLS handshake, sends NTLM messages encoded with TSRequest and then sends the TSPasswordCredentials to the  server using the specified ASN1 encoding methods. Moreover, command shell requests go through fine with the credssp client. But PSRP encoded messages start failing with this HTTP Status Code. I am well aware that there is a client programming error, but wanted to find out what it is as the logs are very terse.
    Wednesday, February 21, 2018 9:24 AM
  • Who wrote the client code?


    Wednesday, February 21, 2018 9:29 AM
  • I wrote it.
    Wednesday, February 21, 2018 9:31 AM
  • And it runs on Linux?   Why would you write that?  PowerShell is available for Linux.  Just install it and use it.


    Wednesday, February 21, 2018 9:33 AM
  • I am not sure if we are going in the right direction here, I wanted to write my own implementation of in a language of my choice, cannot really expect powershell to be installed in all the linux machines that we use.
    Wednesday, February 21, 2018 9:39 AM
  • Then you will want a Linux developer forum that can help you write a protocol handler.  This is a Windows PowerShell scripting forum and not a Linux programming forum.

    You will need a packet analyzer to capture your protocol packets and validate them.  A Linux developer forum will help you get started with that.


    Wednesday, February 21, 2018 9:43 AM
  • I don't think I need a linux developer forum, I have found that Open Specifications > Windows Protocols is the right forum. Thanks for your time.
    Wednesday, February 21, 2018 9:48 AM
  • Yes.  That will work too.

    You need to send a remote execution request and it needs to specify the full CMD line.  For PowerShell scripts:

    powershell -file  \scripts\test.ps1 p1 p2 p3 ...

    if you just send this:

     \scripts\test.ps1 p1 p2 p3 ...

    It will be executed under CMD an cause an error.

    The simplest remote command:


    It will use CMD to execute it on Windows.

    You can test WinRM commands execution on Windows to see how WsMan does it.

    winrs -r:ws701 powershell -file $pwd\test.ps1 "xxxx" True

    This execute the local file remotely using PowerShell.

    The simplest is this:

    winrs -r:ws701 dir

    all text at the end of the command is taken as a single command.

    Once you can get your protocol handler to correctly send the simple command other commands should work barring coding errors.7

    The 400 says you have coding errors in packet building.


    Wednesday, February 21, 2018 10:16 AM
  • I have identified the issue, the TLS client that I was using was dynamically resizing the packets to optimise for latency sensitive use cases. Have disabled it and made it use the maximum packet size (16k) always and that fixes double TLS records being sent for a PSRP message <16k in size.
    • Marked as answer by SrinathGS Thursday, February 22, 2018 6:01 AM
    Thursday, February 22, 2018 6:01 AM
  • Which proves that this has nothing to do with scripting or PowerShell.  It is a pure developer issue on the Linux system.

    Glad you found your bug/programming error.  Have fun with the project.


    Thursday, February 22, 2018 6:21 AM