我尝试了以下命令来启用CredSSP:
Enable-WSManCredSSP -Role Client -DelegateComputer *.domain.local -Force
Enable-WSManCredSSP:此命令无法执行,因为 设置无法启用。
如何克服此错误?我究竟做错了什么?这个错误的原因是什么?
GET-WSManCredSSP
计算机未配置为允许委派新凭据。 此计算机配置为从远程接收凭据 客户端计算机。
winrm get winrm / config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = true [Source="GPO"]
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = *.XXX.local [Source="GPO"]
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = true [Source="GPO"]
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 10
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 25
MaxMemoryPerShellMB = 1024
MaxShellsPerUser = 30
答案 0 :(得分:0)
您是否使用GPO创建WinRM侦听器?
您需要为WinRM客户端策略启用Allow Delegating Fresh Credentials,并添加带有WSMAN前缀的SPN。
答案 1 :(得分:0)
还有另一种方法
我在这个问题上工作了将近两个星期,现在我知道有时候您可能在命令Enable-WSManCredSSP -Role client -DelegateComputer "my host"
这是因为即使您以管理员身份运行PowerShell,命令也无权进行注册表编辑。我认为这是Microsoft的错误,我将为MS Support创建票证
但是有解决方法,您可以通过此脚本来实现