Question

I am aware of the Get-WSManCredSSP function; however, this cmdlet does not work well in a script. This returns a long string similar to the following:

The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*,wsman/*,wsman/*,wsman/*
This computer is configured to receive credentials from a remote client computer.

I cannot easily include this in a script that I am writing, so I'm looking for an alternative way to check CredSSP.

Solution

Can't you consider using this as documented in the cmdlet help: Gets the WS-Management CredSSP setting on the client (<localhost|computername>\Client\Auth\CredSSP).

On a local machine it gives:

(Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value

You can use it like this:

(Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -eq $false

You can first test if WinRM is available:

(Get-Service -Name winrm).Status
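
The checks above, combined into one function that returns an object a script can branch on. This is an added example, not part of the answer: the function and property names are hypothetical, an elevated session is assumed, and the registry key is the one quoted in a later answer on this page.

```powershell
# Added example: function and property names are hypothetical.
# Assumes an elevated session, which reading the WSMan: drive normally needs.
function Get-CredSSPAuditState {
    $state = [pscustomobject]@{
        WinRMRunning     = $false
        ClientEnabled    = $null    # $null means "could not be read"
        ServerEnabled    = $null
        DelegateTo       = @()
        WildcardDelegate = $false
    }

    # The WSMan: provider only answers while the WinRM service is running.
    $svc = Get-Service -Name winrm -ErrorAction SilentlyContinue
    $state.WinRMRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    if ($state.WinRMRunning) {
        # .Value is text ('true' / 'false'); compare it as text, because a
        # [bool] cast of any non-empty string, 'false' included, is $true.
        $state.ClientEnabled = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
        $state.ServerEnabled = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'
    }

    # Delegation targets are stored as numbered values (1, 2, 3, ...) under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) {
        $item = Get-Item $key
        $state.DelegateTo = @($item.GetValueNames() |
            Where-Object { $_ -match '^\d+$' } |
            ForEach-Object { $item.GetValue($_) })
        # A target such as wsman/* delegates fresh credentials to every host.
        $state.WildcardDelegate = @($state.DelegateTo -match '\*').Count -gt 0
    }

    $state
}

# Usage: branch on properties instead of parsing the Get-WSManCredSSP text.
$s = Get-CredSSPAuditState
if ($s.ClientEnabled -and $s.WildcardDelegate) {
    Write-Warning "CredSSP client role is on with wildcard targets: $($s.DelegateTo -join ', ')"
}
$s
```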

OTHER TIPS

I was also struggling with the limitations of the Get-WSManCredSSP output, and found this helper script by Victor Vogelpoel/Ravikanth Chaganti to be really helpful.

Some examples:

Check if current machine has been configured as CredSSP server and/or client:

(Get-WSManCredSSPConfiguration).IsServer
(Get-WSManCredSSPConfiguration).IsClient

Check if a specified client machine has been set up for delegation:

Get-WSManCredSSPConfiguration | % { $_.ClientDelegateComputer.Contains('clientcomputername') }

(not intended as a replacement for the work of Vogelpoel & Chaganti, but as a quick summary of a quick reading of CredSSP.cs, so you can get a quick grasp of what it's doing - that said, it was tested on several systems I had at hand and seems to work)

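function Get-WSManCredSSPState
{
  $res = [pscustomobject]@{DelegateTo = @(); ReceiveFromRemote = $false}

  # Index the types exported by the assembly that implements Get-WSManCredSSP
  $wsmTypes = [ordered]@{}
  (gcm Get-WSManCredSSP).ImplementingType.Assembly.ExportedTypes `
  | %{$wsmTypes[$_.Name] = $_}

  # Open a local WS-Management session through the COM interfaces the cmdlet uses
  $wmc = new-object $wsmTypes.WSManClass.FullName
  $wms = $wsmTypes.IWSManEx.GetMethod('CreateSession').Invoke($wmc, @($null,0,$null))

  # Receiving credentials from a remote client is the server role, so read the
  # service-side auth settings
  $svc = $wsmTypes.IWSManSession.GetMethod('Get').Invoke($wms, @("winrm/config/service/auth", 0))
  # Compare the element text: a [bool] cast of the string 'false' is $true
  $node = ([xml]$svc).DocumentElement.SelectSingleNode("*[local-name()='CredSSP']")
  $res.ReceiveFromRemote = ($null -ne $node) -and ($node.InnerText -eq 'true')

  # Delegation targets are the numbered values under the AllowFreshCredentials policy key
  $afcPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
  if (test-path $afcPath)
  {
    $afc = gi $afcPath
    $res.DelegateTo = $afc.GetValueNames() | sls '^\d+$' | %{$afc.GetValue($_)}
  }
  return $res
}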
Licensed under: CC-BY-SA with attribution