KBEC-00353 - Enabling Multi-Hop Support for Windows Remote Management Before Installing or Upgrading Remote Agents

Summary:

This article describes how to configure credential delegation for machines in a domain so that you do not hit the "NetUserGetInfo: Access is denied" error when you use Windows Centralized Agent Management (CAM) to install or upgrade Windows remote agents. The error occurs on the target host when the installer looks up the agent user's account and the target cannot authenticate to the domain controller on your behalf, because the credentials you supplied to the target were not delegated.

Windows CAM is introduced in ElectricFlow 7.0. For more information about using Windows CAM, see the "Installing or Upgrading Remote Agents" section in the "Automation Platform" chapter of the ElectricFlow 7.0 User Guide.

Solution:

To fix this problem, you configure multi-hop support for Windows Remote Management (WinRM) by enabling the Credential Security Support Provider (CredSSP) protocol. You do so on the CAM driving resource (the WinRM client) machine and on each target host (each WinRM server). With CredSSP, the client hands the user's credentials to the target host, so the target can make the second hop to the domain controller; this is needed if the agent user is a domain user on the target machines. Because the target host receives the credentials themselves, only delegate to hosts you trust, and list those hosts explicitly rather than using a domain-wide wildcard where you can.

Configuring the CAM Driving Resource

You can use the command line or the Local Group Policy Editor.

Enabling CredSSP on the WinRM Client

On the CAM driving resource (the WinRM client) machine, open a command window and enable CredSSP by entering

   winrm set winrm/config/client/auth @{CredSSP="true"}

If you do not have permission to do so, contact your system administrator.

Enabling the AllowFreshCredentials Policy on the WinRM Client

  1. On the (Windows) CAM driving resource (the WinRM client) machine, start the Local Group Policy Editor:

       a. Click Start > All Programs > Accessories, and then click Run.

       b. Type gpedit.msc in the text box, and then click OK.

  2. In the Local Group Policy Editor, click Computer Configuration > Administrative Templates > System > Credentials Delegation, and then do one of the following:

       • If the Windows CAM driving resource is in the same Windows domain as the target hosts on which you want to install the agent, double-click the Allow Delegating Fresh Credentials policy.

       • If the Windows CAM driving resource is not in the same Windows domain as the target hosts on which you want to install the agent, double-click the Allow Delegating Fresh Credentials with NTLM-only Server Authentication policy.

  3. Click the Enabled radio button.
  4. Add the SPNs for the target hosts to the list by entering the following for each host:

       WSMAN/<hostname>.<domain>.com

    For example, enter

       WSMAN/machine1.mydomain.com

    An SPN represents a target host to which the user credentials will be delegated. Use the fully qualified name that you will pass to CAM as the target host name; the SPN is matched against that name.

    Note: You cannot specify IP addresses.

    You can use WSMAN/*.<domain>.com to allow all machines in the specified domain to receive delegated credentials from this client. This is convenient, but it means a compromised host anywhere in the domain could receive the account's credentials, so prefer listing the specific target hosts.

  5. Click OK.

If you do not have permission to perform these steps, contact your system administrator.

(Optional) Verifying that CredSSP is Enabled on the WinRM Client

To verify that CredSSP is enabled, use the PowerShell cmdlet Get-WSManCredSSP. If it is enabled, a message similar to the following appears:

The machine is configured to allow delegating fresh credentials to the
following target(s):wsman/hostname.testdomain.com
This computer is not configured to receive credentials from a remote
client computer.
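The same client-side configuration can be done from PowerShell instead of winrm.exe and gpedit.msc. The following is an added example, not code from the ElectricFlow article or product; the host names and the domain account are placeholders. It covers the same-domain case (the Allow Delegating Fresh Credentials policy) and finishes with an optional check that the second hop actually works, by running a domain account lookup on the target over a CredSSP session, which is the kind of call that fails with "Access is denied" when delegation is missing.

```powershell
# Added example (not from the ElectricFlow KB article): configure the CAM driving
# resource as a CredSSP client with PowerShell. Run in an elevated session.
# Host names and the account prompted for below are placeholders.

$targets = @('machine1.mydomain.com', 'machine2.mydomain.com')

# Same-domain case. Enable-WSManCredSSP -Role Client turns on CredSSP client
# authentication (winrm/config/client/auth CredSSP=true) and adds WSMAN/<host>
# entries to the "Allow Delegating Fresh Credentials" policy, which is what the
# winrm.exe command and gpedit.msc steps above do by hand. It does not configure
# the "NTLM-only Server Authentication" policy; for targets outside the domain,
# use the Group Policy steps above.
Enable-WSManCredSSP -Role Client -DelegateComputer $targets -Force | Out-Null

# Confirm the result the same way the article does.
Get-WSManCredSSP

# Optional end-to-end check of the second hop. The inner "net user ... /domain"
# makes the target host query the domain controller for the agent account; that
# only succeeds when the target received delegated credentials.
$cred = Get-Credential -Message 'Domain account that CAM will use on the targets'
$agentUser = $cred.UserName.Split('\')[-1]   # strip DOMAIN\ if present

Invoke-Command -ComputerName $targets[0] -Authentication Credssp -Credential $cred -ScriptBlock {
    whoami
    net user $using:agentUser /domain
}
```

If the Invoke-Command call succeeds but the same lookup fails inside the CAM run, check that the host name CAM uses matches one of the SPNs you delegated to; CredSSP matches on the name you connect with, not on the machine's identity.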

Configuring Each Target Host

Enabling CredSSP on Each WinRM Server

On each target host (each WinRM server), complete the following steps:

  1. Ensure that a WinRM HTTPS or HTTP listener is configured. An HTTPS listener is preferred, because this host will now be receiving the delegating user's credentials.

  2. Open a command window and enable CredSSP by entering

       winrm set winrm/config/service/auth @{CredSSP="true"}

    This allows the host to accept credentials delegated from the WinRM client (that is, to act as a CredSSP server).

If you do not have permission to perform these steps, contact your system administrator.

(Optional) Verifying that CredSSP is Enabled on a WinRM Server

To verify that CredSSP is enabled on any target host (any WinRM server), use the PowerShell cmdlet Get-WSManCredSSP. If it is enabled, a message similar to the following appears:

The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote
client computer.
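The target-host steps, as an added PowerShell example that is not part of the ElectricFlow article: it checks for a listener, creates a default one if none exists, enables the CredSSP server role, and reads the setting back. Run it in an elevated PowerShell session on each target.

```powershell
# Added example (not from the ElectricFlow KB article): prepare a target host as a
# CredSSP server. Run in an elevated PowerShell session on each target host.

# Step 1: make sure a WinRM listener exists. An empty result means WinRM has not
# been set up on this host; "winrm quickconfig" then creates the service
# configuration and a default HTTP listener (switch to an HTTPS listener with a
# proper certificate where you can).
$listeners = Get-ChildItem -Path WSMan:\localhost\Listener
if (-not $listeners) {
    winrm quickconfig -q
}
Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table Name, Keys

# Step 2: allow this host to receive delegated credentials. Equivalent to
#   winrm set winrm/config/service/auth @{CredSSP="true"}
Enable-WSManCredSSP -Role Server -Force | Out-Null

# Verify. Get-WSManCredSSP should now report that the computer "is configured to
# receive credentials from a remote client computer", and the raw setting reads
# 'true'.
Get-WSManCredSSP
(Get-Item -Path WSMan:\localhost\Service\Auth\CredSSP).Value
```

Enable-WSManCredSSP -Role Server changes only the service-side setting; it does not add this host to any client's delegation list, so the client steps above are still required.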

References

The procedures in this article are adapted from articles on the Microsoft Developer Network website.

Applies to:

ElectricFlow versions 7.0 and newer on supported Windows platforms.
