PSv4+ New-PSSession with -CertificateThumbprint only works with ADCS generated certificates

I am unable to authenticate with a client certificate generated from OpenSSL or New-SelfSignedCertificate from a Windows 10 or 2012R2 PowerShell remoting client (likely broken in 8.1 but I did not test). I receive the following error:

new-PSSession : The WinRM client cannot process the request. If you are using a machine certificate, it must contain a DNS name in the Subject Alternative Name extension or in the Subject Name field, and no UPN name. If you are using a user certificate, the Subject Alternative Name extension must contain a UPN name and must not contain a DNS name. Change the certificate structure and try the request again.

The UPN is correctly specified in the SAN and there is no DNS entry.

I CAN authenticate with the same certificates from Windows 7 or 2008R2 and I can also authenticate from Windows 10/2012R2 if I use the ruby or python winrm libraries.

I checked the binary contents of both an ADCS generated cert and an OpenSSL one and my SAN contents are binary identical.

Please see http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm for more details

29 votes
Matt Wrock shared this idea
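The two certificate shapes named in the error message above can be checked on the client before calling New-PSSession. This is an added example, not code from the original post or from WinRM; the function name `Test-WinRMClientCertShape` is hypothetical, and it assumes an English-language Windows where `Format()` labels SAN entries as `Principal Name=` and `DNS Name=`.

```powershell
function Test-WinRMClientCertShape {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Subject Alternative Name extension (OID 2.5.29.17), if the certificate has one.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }

    # Assumption: English Windows renders a UPN otherName as "Principal Name=..."
    # and a dNSName entry as "DNS Name=..." (one entry per line with Format($true)).
    $upns = @([regex]::Matches($sanText, 'Principal Name=(\S+)') | ForEach-Object { $_.Groups[1].Value })
    $dns  = @([regex]::Matches($sanText, 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value })

    # Enhanced Key Usage (OID 2.5.29.37); Client Authentication is 1.3.6.1.5.5.7.3.2.
    # A certificate with no EKU extension is not restricted to particular usages.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $clientAuth = $true
    if ($eku) {
        $clientAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.2'
    }

    # Apply the rules quoted in the error text:
    #   user cert    -> SAN has a UPN and no DNS name
    #   machine cert -> DNS name in SAN or Subject, and no UPN
    $shape = if ($upns.Count -gt 0 -and $dns.Count -eq 0) {
        'user'
    } elseif ($upns.Count -eq 0) {
        'machine (only if the SAN or Subject carries a DNS name)'
    } else {
        'neither: SAN contains both a UPN and a DNS name'
    }

    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        SanUpn        = $upns
        SanDns        = $dns
        HasPrivateKey = $Certificate.HasPrivateKey
        ClientAuthEku = $clientAuth
        Shape         = $shape
    }
}

# Usage (replace the placeholder with the thumbprint passed to -CertificateThumbprint):
# Test-WinRMClientCertShape (Get-Item 'Cert:\CurrentUser\My\<THUMBPRINT>')
```

A result of `Shape = user` with `HasPrivateKey` and `ClientAuthEku` both true reproduces the condition described in the report: a certificate that matches the documented structure.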

    0 comments