Windows Admin Center and WinRM Authentication

  • Question

  • I recently found that once we disable Negotiate Authentication on WinRM Service on Domain Controllers, the WinRM Clients cannot Authenticate with those Target Servers using WAC.
    I am trying to find if anyone has seen this issue or behaviour.

    Windows Admin Center(WinRM Client)
    Windows 2012 or Windows 2016 Domain Controllers(WinRM Servers)

    When I disable the Negotiate Authentication using Group Policy or using Winrm locally, WinRM Client fails to Authenticate when I test the connection from Windows Admin Center.
    Also, the PowerShell cmdlets, i.e. Enter-PSSession or Invoke, will fail with the same error unless I specify the -Authentication switch and force the usage of Kerberos.

    I tried disabling Negotiate Authentication on the WinRM Client setting; however, that doesn't help. Also, trusted Host is updated for all Target Hosts.

    Error message.

    "Connecting to remote server Servername failed with the following error message: The WinRM client cannot process the request. Negotiate authentication is currently disabled in the client configuration. Change the client configuration, use one of the enabled authentication mechanisms still enabled. To use kerberos, specify the local computer name as the remote destination."

    Question with the two scenarios:-
    Winrm Client has Negotiate and Kerberos Enabled
    WinRM Service has Negotiate Disabled and Kerberos Enabled
    Why is the WinRM Client not failing over to Kerberos when Negotiate fails? Is fail over an expected behavior?

    WinRM Client and WinRM Service has Negotiate Disabled 
    WinRM Client and WinRM Service has Kerberos Enabled
    Why is the WinRM client not using Kerberos when it is enabled on both sides, and why does it still use Negotiate Authentication?
    Thursday, September 19, 2019 4:51 AM
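
One way to reproduce the comparison described in the question, as an added example that is not part of the original post: it lists the local WinRM client authentication settings (including whether Group Policy set them) and then probes the target with each mechanism named explicitly. The target name is a hypothetical placeholder; Kerberos needs a host name or FQDN, not an IP address.

```powershell
# Added example, not from the original post.
# Hypothetical target: replace with the FQDN of a Domain Controller.
$Target = 'dc01.contoso.example'

# 1. Client-side mechanisms on the machine running WAC or PowerShell.
#    SourceOfValue reads "GPO" when Group Policy enforces the setting.
#    Run from an elevated session.
Get-ChildItem WSMan:\localhost\Client\Auth |
    Select-Object Name, Value, SourceOfValue |
    Format-Table -AutoSize

# 2. Service-side mechanisms: run the same query on the Domain Controller.
#    Get-ChildItem WSMan:\localhost\Service\Auth |
#        Select-Object Name, Value, SourceOfValue

# 3. Probe the target once per mechanism. 'Default' is what a caller gets
#    when no -Authentication value is given; 'Kerberos' is the forced case
#    described in the question.
$results = foreach ($mechanism in 'Default', 'Negotiate', 'Kerberos') {
    try {
        Test-WSMan -ComputerName $Target -Authentication $mechanism `
                   -ErrorAction Stop | Out-Null
        [pscustomobject]@{
            Authentication = $mechanism
            Succeeded      = $true
            Error          = $null
        }
    }
    catch {
        [pscustomobject]@{
            Authentication = $mechanism
            Succeeded      = $false
            Error          = $_.Exception.Message
        }
    }
}

# One row per mechanism, with the WinRM error text for any that failed.
$results | Format-List
```

Comparing the `Default` row with the `Kerberos` row shows whether the failure comes from the mechanism the client selects by default or from Kerberos itself.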
