Windows Remote Management and Kerberos Authentication

Windows Remote Management is used for communication between computers and involves the security of the communication using different methods of authentication and message encryption.

There are following types of authentications:

Basic Authentication:

Least secure
User name & Password is used for authentication
Can be used for HTTP or HTTPS transport
Used in a domain or workgroup

Negotiate Authentication:

Also called WIA ( Windows Integrated Authentication)
Negotiated, single sign on
SPNEGO – Simple & Protected GSSAPI negotiation mechanism
SPNEGO determines if to use kerberos or NTLM
Kerberos is prefered

Digest Authentication:

Client request -> server -> authentication server (domain controller)
If client is authenticated, then the server gets a digest session key for subsequent requests from the client

Kerberos Authentication:

Mutual authentication using encrypted keys between client & server
Client account must be on domain account in the same domain as the server


An authentication mechanism used by the client or server receiving requests for data through the WinRM in an Active Directory context
SPNEGO is based on an Request For Comments (RFC) protocol produced by the Internet Engineering Task Force (IETF)

Diff between kerberos and negotiate:

Kerberos is the default method of authentication when the client is in a domain and the remote destination string is not one of the following: localhost,, or [::1].
Negotiate is the default method when the client is in domain, but the remote destination string is one of the following: localhost,, or [::1].

CredSSP Authentication:

CredSSP authentication is intended for environments where Kerberos delegation cannot be used.
It was originally developed to support Remote Desktop Services single sign-on, however it can also be leveraged by other technologies such as PowerShell remoting.
CredSSP provides a non-kerb mechanism to delegate a session’s local credentials to a remote resource.

Setting up client and server for Kerberos Authentication

First steps

Create client and server machines.
Add them to the same domain

Configure Server

You can use the WinRM tool. Run the following commands –

winrm quickconfig -q
winrm set winrm/config/winrs @{MaxMemoryPerShellMB=”300″}
winrm set winrm/config @{MaxTimeoutms=”1800000″}
winrm set winrm/config/service @{AllowUnencrypted=”true”}
winrm set winrm/config/service/auth @{Basic=”false”}
netsh advfirewall firewall set rule name=”Windows Remote Management (HTTP-In)” profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any
winrm set winrm/config/client/auth @{Digest=”false”}
winrm set winrm/config/service/auth @{Kerberos=”true”}
winrm set winrm/config/client @{TrustedHosts=”*”}

To ensure that Kerberos authentication is enabled on WinRM service:

winrm get winrm/config/service/auth

Connect to server from client

Using winrm –

winrm identify -auth:Kerberos -p:password

Using winrs –

winrs / /u:domain/username> /p:password dir

Using Chef’s knife-windows –

knife winrm -m -x username -P passowrd -R krb5_realm dir

knife winrm -m -x username -P passowrd -t kerberos-keytab -R krb5_realm -S kerberos-service dir


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s