WinRM Certificate Mapping to local account problem

    Question

  • Hello:

    First of all, sorry if my english isn't very good.

    I have a question about certificate mapping to a local account on the Windows Remote Management service. My problem is that I'm going to administer Windows machines with the WS-Management v1.1 service installed. But I'm not going to manage them from a Windows machine; instead I'm using a Linux system with a WS-Management client called 'openwsman'. I have managed a Windows XP Professional SP3 machine with success, but using 'basic' authentication based on username/password. Now I want to use certificates instead, so only the client that has the certificate can manage the machine remotely. For this purpose, I have seen that you can map a certificate to a local account, so when the Windows machine receives that certificate, the credentials used to execute an action are those that you mapped to the certificate, right?


    So I have generated a certificate with OpenSSL for the client, using the EKU (Extended Key Usage) set to 'serverAuth' because it is mentioned here 'http://technet.microsoft.com/es-es/library/cc782312(WS.10).aspx' in the 'Automating WinRM Configuration' section as a requirement.
    I have copied this certificate to the Windows machine. I use 'Start -> Run -> mmc'. I add the 'Certificates' snap-in to the root console, and in the certificate administration option I choose 'Local account'. Then I added the certificate to 'Personal -> Certificates'. In the certificate, the CN is the same as the machine name.
    When I have done this, I then use a 'cmd' to add an HTTPS listener to WinRM like this: 'winrm create winrm/config/service/listener?Address=*+Transport=HTTPS @{Hostname=HOST_NAME;CertificateThumbprint=THUMBPRINT_OF_THE_CERTIFICATE}'. So, with that, I try to connect from the client using the certificate, and an unknown SSL error happens.
    Then I used the program 'Wireshark' and I could see that the Linux client is sending an SSL Client Hello, but Windows, instead of sending the Server Hello, is requesting a connection close.
    When I use the client, I select the same certificate I have imported on the Windows machine and the private key associated with this certificate, and I also indicate not to verify the peer CA.

    Could anyone tell me if I'm doing something wrong on the Windows side? Is the certificate mapping correct? How do I use it with WinRM?

    Thank you very much,
    Eloy.

    Wednesday, December 08, 2010 1:59 PM

All replies

  • Hello!


    I wasn't on the right track. What I explained in the other post isn't correct. Doing it results in an HTTPS connection, but not in client authentication using a certificate. Let me explain it better: if you do what I wrote yesterday, the result is that the WinRM service can encrypt the information you are transmitting between client and server, but I was doing something wrong. When you create the certificate with openssl, you have to convert it to a format that has the certificate and the private key together (for example, PKCS#12 format), so that when you import it on the Windows machine the service has the private key and can start an encrypted transmission.

    And the way to authenticate a client with a certificate is by using the certmapping configuration of the WinRM service, doing something like 'winrm set winrm/config/service/certmapping @{URI="...";Subject="...";Issuer="..."}'.

    There is a post where it's explained clearly here 'http://blogs.msdn.com/b/wmi/archive/2009/03/23/how-to-use-wsman-config-provider-for-certificate-authentication.aspx'. It's explained using PowerShell scripting.

    I hope this information can help anybody who reads it.


    Eloy.

    Friday, December 10, 2010 5:46 PM
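The following is an added example, not code from either post above, that puts the two pieces of the thread together on the Windows side: the HTTPS listener from the question and the certificate mapping from the follow-up. It runs in an elevated PowerShell and uses the WSMan: provider rather than winrm.cmd to avoid the quoting problems of hashtable literals. It first checks the condition the second post identified (the server certificate must have been imported with its private key, otherwise the TLS handshake is aborted right after the Client Hello), then creates the listener, enables certificate authentication on the service, and maps a client certificate to a local account. All thumbprints, the host name, the UPN and the local account name are placeholders, not values from the thread.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell.
# Assumed placeholder values, to be replaced with your own:
#   $ServerThumbprint - thumbprint of the listener certificate in LocalMachine\My,
#                       imported from a PKCS#12 (.pfx) so the private key is present
#   $CaThumbprint     - thumbprint of the CA that issued the CLIENT certificate
#   $ClientUpn        - UPN carried in the client certificate's Subject Alternative Name
#   $LocalUser        - local account the client certificate is mapped to
param(
    [string]$ServerThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',
    [string]$CaThumbprint     = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98',
    [string]$ClientUpn        = 'wsadmin@WINHOST',
    [string]$LocalUser        = 'wsadmin',
    [string]$HostName         = 'WINHOST'
)

$ErrorActionPreference = 'Stop'

# 1. The listener certificate must carry its private key. A bare .cer/.pem import
#    gives the service only the public half, and the TLS handshake fails right
#    after the Client Hello, which is the symptom described in the question.
$serverCert = Get-ChildItem -Path "Cert:\LocalMachine\My\$ServerThumbprint"
if (-not $serverCert.HasPrivateKey) {
    throw "Certificate $ServerThumbprint has no private key; import the PKCS#12 (.pfx) instead of the bare certificate"
}

# The listener certificate needs the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$ekuExt = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt) {
    $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
        throw "Certificate $ServerThumbprint lacks the Server Authentication EKU"
    }
}

# 2. HTTPS listener bound to that certificate (equivalent of the winrm create
#    command in the question, via the WSMan: provider).
New-Item -Path WSMan:\localhost\Listener `
    -Transport HTTPS `
    -Address '*' `
    -HostName $HostName `
    -CertificateThumbPrint $ServerThumbprint `
    -Force

# 3. Certificate authentication is off by default on the service; turn it on.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# 4. Map the client certificate to the local account. The mapping is keyed on the
#    client certificate's SAN UPN (Subject) and the issuing CA's thumbprint (Issuer);
#    the credential supplied here is what WinRM runs the request as. The client
#    certificate itself needs the Client Authentication EKU (1.3.6.1.5.5.7.3.2),
#    not serverAuth.
$cred = Get-Credential $LocalUser
New-Item -Path WSMan:\localhost\ClientCertificate `
    -Subject $ClientUpn `
    -URI '*' `
    -Issuer $CaThumbprint `
    -Credential $cred `
    -Force

# 5. Show the resulting configuration for review.
Get-ChildItem -Path WSMan:\localhost\Listener
Get-ChildItem -Path WSMan:\localhost\ClientCertificate
```

The -Issuer value is the thumbprint of the CA certificate, which must itself be trusted by the machine (Trusted Root Certification Authorities, or an intermediate chaining to one), otherwise the mapping is never reached because the client certificate fails validation. On the Linux side the client certificate handed to openwsman must be the one whose SAN UPN matches $ClientUpn, with its private key.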