Windows CredSSP setup

Credential Security Support Provider (CredSSP) is a security protocol that lets applications delegate user credentials for remote authentication. CredSSP is commonly used in PowerShell (PS) for remote invocation. See (source) for details on CredSSP.

CredSSP authentication must be set up on the target server. Below is an example using PS to set up CredSSP on Windows Server instances.

Enable-WSManCredSSP -Role Server -Force
Enable-WSManCredSSP -Role Client -DelegateComputer "*" -Force

Note: Enable-WSManCredSSP does both of the following (source):

  • Sets the WS-Management (WSMan) \Client\Auth\CredSSP setting
  • Sets the CredSSP policy AllowFreshCredentials to WSMan/Delegate

Verify CredSSP is enabled

Below is a PowerShell (PS) script to verify that CredSSP is set up. It checks the WSMan client and service CredSSP settings, the WSManCredSSP state, and the Group Policy registry values.

# Verify CredSSP is enabled for client and service
Write-Output "Client\Auth\CredSSP='$((Get-Item WSMan:\localhost\Client\Auth\CredSSP).value)'"
Write-Output "Service\Auth\CredSSP='$((Get-Item WSMan:\localhost\Service\Auth\CredSSP).value)'"
# Verify WSManCredSSP setup
Get-WSManCredSSP
# verify group policies
Get-ItemProperty -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials"
Get-ItemProperty -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly"

Note: any Group Policy changes will take time to propagate.

Check CredSSP registry setup

Occasionally CredSSP will not work as expected because of a bad registry setup. When CredSSP is enabled, the 'AllowFreshCredentials' registry key should exist. You may also have an 'AllowFreshCredentialsWhenNTLMOnly' registry key; if so, its contents should be identical to 'AllowFreshCredentials'. Note that this registry key should contain only one entry with the value wsman/*.

AllowFreshCredentials should have only one wsman/* entry; a duplicate entry such as registry value 2 should be removed.
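The following script is an added example, not part of the original page: it audits the state described above in one pass (WSMan client/service switches, the AllowFreshCredentials policy DWORD, and the numbered entries under the AllowFreshCredentials key) and can drop duplicate wsman/* entries. The function name Test-CredSspDelegation and the assumption that the key holds string values named "1", "2", ... are this example's own; run it in an elevated PowerShell session.

```powershell
# Added example (not the page's own code). Assumes the CredentialsDelegation layout:
# a DWORD named AllowFreshCredentials plus a subkey of the same name whose values
# are named "1", "2", ... and hold targets such as "wsman/*". Run elevated.
function Test-CredSspDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Expected delegation target; the page uses the wildcard form "wsman/*".
        [string]$ExpectedTarget = 'wsman/*',
        # When set, remove every wsman/* entry after the first (honours -WhatIf).
        [switch]$RemoveDuplicates
    )

    $base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $listKey = Join-Path $base 'AllowFreshCredentials'

    # 1. WSMan client/service CredSSP switches (same checks as the verification script above).
    $clientOn  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
    $serviceOn = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'

    # 2. The policy DWORD that turns fresh-credential delegation on.
    $policy   = Get-ItemProperty -Path $base -Name AllowFreshCredentials -ErrorAction SilentlyContinue
    $policyOn = ($null -ne $policy) -and ($policy.AllowFreshCredentials -eq 1)

    # 3. The numbered entries under the AllowFreshCredentials subkey.
    $entries = @()
    if (Test-Path $listKey) {
        $item = Get-Item $listKey
        foreach ($name in $item.GetValueNames()) {
            $entries += [pscustomobject]@{ Name = $name; Target = $item.GetValue($name) }
        }
    }
    $hits       = @($entries | Where-Object { $_.Target -ieq $ExpectedTarget })
    $duplicates = @($hits | Select-Object -Skip 1)

    # Optional cleanup: keep the first wsman/* entry, remove the rest (e.g. registry value "2").
    if ($RemoveDuplicates) {
        foreach ($dup in $duplicates) {
            if ($PSCmdlet.ShouldProcess("$listKey\$($dup.Name)", 'Remove duplicate entry')) {
                Remove-ItemProperty -Path $listKey -Name $dup.Name
            }
        }
    }

    [pscustomobject]@{
        ClientCredSSP     = $clientOn
        ServiceCredSSP    = $serviceOn
        PolicyEnabled     = $policyOn
        DelegationTargets = @($entries | ForEach-Object { $_.Target })
        DuplicateEntries  = @($duplicates | ForEach-Object { $_.Name })
        Healthy           = $clientOn -and $serviceOn -and $policyOn -and ($hits.Count -eq 1)
    }
}

Test-CredSspDelegation | Format-List
```

Healthy is true only when both WSMan switches are on, the policy DWORD is 1 and exactly one wsman/* entry exists; rerun with -RemoveDuplicates -WhatIf to preview which numbered values would be deleted.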