CredSSP should allow delegation of “Default” (current) credentials
Votes from Connect: 159
Original Date Submitted: 10/19/2009 3:31:10 AM
Description:
Contact Information
Handle: degustator
Site Name: PowerShell
Feedback ID: 498377
Frequency: Always Happens
Regression: I don't know if this issue existed previously
Problem Description:
When I try to use CredSSP I receive the following error message:
enter-pssession -computername <Remote Server FQDN> -authentication credssp
Enter-PSSession : The WinRM client cannot process the request. Requests must include user name and password when CredSSP authentication mechanism is used. Add the user name and password or change the authentication mechanism and try the request again.
This means that Powershell (or WinRM) implementation of CredSSP doesn't allow for delegating “Default” credentials (i.e. implicit credentials of current user). But that's completely unexpected since delegation of Default Credentials is one of the most valuable features of CredSSP ever.
For example, this feature is used with Remote Desktop Services to provide SSO (Single-Sign-On) experience or with Microsoft Virtual Console (used to interact with desktops of Virtual Machines hosted on Hyper-V through System Center Virtual Machine Manager console).
Product Studio item created by Connect Synchronizer due to creation of feedback ID 498377 (http://connect.microsoft.com/PowerShell/feedback/ViewFeedback.aspx?FeedbackID=498377).
Repro Steps:
1. Enable and configure PS Remoting.
2. Eanble CredSSP as described at “Multi-Hop Support in WinRM” (http://msdn.microsoft.com/library/ee309365.aspx).
2a: Important. Use “Allow Delegating Default Credentials (AllowDefaultCredentials) policy” instead of “Allow Delegating Fresh Credentials (AllowFreshCredentials)”.
3. Attempt connecting to remote computer using “-authentication credssp” without specifying explicit credentials.
Expected Results:
I expect connection would succeed and allow me to log on using my current credentials.
Internal BugId: 2220
