Powershell CRESSSP 和 TLS 1.2 [英] Powershell CREDSSP and TLS 1.2
问题描述
服务器 A 是 Server 2008 R2、Powershell V3 所有 SSL 和 TLS 启用和所有密码.服务器 B 是 Server 2016、Powershell V5 和 Only TLS 1.2 和特定的密码集.
Server A is Server 2008 R2, Powershell V3 All SSL and TLS enabled and all Ciphers. Server B is Server 2016, Powershell V5 and Only TlS 1.2 and specific set of Ciphers.
我无法让 Credssp 身份验证从 A 到 B 工作,即使我使用
I cannot get Credssp authentication to work from A to B, even if I use
Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
我知道这是每个会话的设置,所以我包含在脚本本身中.
i am aware this is a per Session setting so I included in the script itself.
如果我将服务器 B(服务器 2016)设置为打开所有 SSL 和 TLS 加密,则 CREDSSP 工作没有问题.
If I set Server B (Server 2016) to turn on all SSL and TLS encryption, CREDSSP works no problem.
是的,我需要使用 CREDSSP,因为服务器 B 上的脚本引用了服务器 A 上的文件共享.
And yes i need to use CREDSSP because the script on Server B references a file share back on Server A.
这是我正在使用的脚本,当所有版本的 TLS 都启用时,它再次起作用.
Here is the script I am using, that again, works when all Version of TLS are enabled.
$pass = ConvertTo-SecureString "password" -asplaintext -force
$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "domain\user.service",$pass
#
#
# The Remote Execution Command. Fully Qualified Domain name is critical since we are using Credssp.
# Credssp is being used to resolve an issue with a double hop authentication issue.
Invoke-Command -ComputerName ServerB.domain.edu -command { C:\HelloWorld.ps1 } -Authentication Credssp -Credential $mycred
我还没有尝试过的一件事是将服务器 A 和 B 都放在 TLS 1.2 上,看看它是否能这样工作.这不是一个长期的解决方案,因为此时服务器 A 不能设置为仅 TLS 1.2.
The one thing I havent tried yet, but I am going to, is put both Server A and B on TLS 1.2 and see if it works that way. This is not a long term solution, because Server A cant be set to only TLS 1.2 at this time.
推荐答案
所以看起来这个问题与 Server 2008 只有 TLS 的 Server 子项的注册表项有关,而不是 SCHANNEL 上的 TLS 的 Client 子项注册设置.看图
So it looks like the issue was related to the Server 2008 only having The registry entries for the Server subkey of TLS and not the Client subkey of TLS on the SCHANNEL Reg setting. See picture
一旦我添加了客户端子密钥并启用了 TLS 1.2 加密,它终于开始工作了.
Once I added the Client Subkey and enabled TLS 1.2 Encryption, it finally started to work.
这篇关于Powershell CRESSSP 和 TLS 1.2的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
