Hello,
I am using powershell core 6.2.2, the remote powershell is the latest version on windows 10, not sure which one it is...
I have configured winrm manually to accept remote connections including over ssl, and I have installed ntlm plugins for libgssapi for powershell core to be able to do ntlm auth.
However when I try to login from linux (powershell core) to windows, it does not work...
This is the actual session:
[webczat@wlap powershell]$ ./pwsh
PowerShell 6.2.2
Copyright (c) Microsoft Corporation. All rights reserved.
https://aka.ms/pscore6-docs
Type 'help' to get help.
PS /home/webczat/powershell> $cred=get-credential
PowerShell credential request
Enter your credentials.
User: webczat
Password for user webczat: xxx
PS /home/webczat/powershell> $opt=new-pssessionoption -skipcacheck -skipcncheck
PS /home/webczat/powershell> new-pssession -computername 192.168.122.40 -auth Negotiate -credential $cred -usessl -sessionoption $opt
new-pssession : [192.168.122.40] Connecting to remote server 192.168.122.40 failed with the following error message : Authorization failed For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:6
+ new-pssession -computername 192.168.122.40 -auth Negotiate -cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Management.A…tion.RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : 2,PSSessionOpenFailed
PS /home/webczat/powershell>
However:
It is by design - PowerShell Core can use existing SSH-based authentication mechanisms like passwords or private keys.
I am not doing remoting over ssh. I am trying to use ntlm over ssl
Same issue here, winrm is perfectly capable to use ntlm over ssl, I seriously don't get why we can't use it even after disabling the verification at all.
This issue has been marked as answered and has not had any activity for 1 day. It has been closed for housekeeping purposes.
I want to reopen and discuss this issue. I can understand that ntlm has its own mechanism to encrypt data, but I seriously can't accept the fact that it wouldn't work with SSL. We can use ntlm with ssl in many other libraries; how does Microsoft expect us to use powershell inside of linux by simply ignoring the very basic level of security?
@PaulHigin Does it make sense to continue tracking the issue? Is it realistic to implement the enhancement?
NTLM is not fully supported for remoting connections using WinRM/OMI. AFAIK there are no plans to provide more support for NTLM and instead remoting over SSH is encouraged.
Note that remoting over winrm is far better if you connect linux powershell to windows. No one would probably do remoting over ssh on a windows server.
@PaulHigin thanks for the response. I do want to use ssh over winrm but, as stated above, how can we use something in production while it's barely supported? Afaik, there's still no official support for ssh on older server versions.
@mertcelen MSFT stated in docs https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core?view=powershell-6
Eventually we'll implement a general hosting model, similar to WinRM, to support endpoint configuration and JEA.
MSFT team still hasn't shared publicly their specific plans. I guess because it is security sensitive area and huge work.
You could look at #8233 to better understand the problem. As a result you will say that it is not a PowerShell but an _external_ issue :-)
I see, thanks for the explanation. Since I found someone experienced to talk with, what would you recommend using on production servers while keeping it secure? Ssh is a superior and secure way to communicate but it's not quite there on windows servers; winrm over ntlm is I guess ok, but it lacks security (as in bruteforce attacks).
@webczat one scenario where remoting over SSH on Windows machines is very viable is where you're accessing non-domain machines. Setting up and using SSH may be easier than using certificate-based remoting.
@mertcelen If we are talking about business, today I would not force it and would use what works well.
As for ntlm (NTLM2 only!) you must use complex passwords and strongly protect management by firewall.
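The mitigations named in the last comment (NTLMv2 only, strong passwords, firewall-restricted management), written out as server-side settings for the Windows WinRM target. This is an added example, not part of the original thread or of the PowerShell project; the subnet, rule name and password/lockout numbers are constructed placeholders, and the lockout setting is an assumption added to address the brute-force concern raised earlier in the thread.

```powershell
# Added example: run in an elevated PowerShell session on the Windows WinRM target.
# $MgmtSubnet and $RuleName are constructed placeholders; adjust to your environment.
$MgmtSubnet = '192.168.122.0/24'
$RuleName   = 'WinRM-HTTPS-Mgmt-Only'

# 1. NTLMv2 only.
#    LmCompatibilityLevel 5 = send NTLMv2 responses only, refuse LM and NTLMv1.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord

# 2. Firewall: accept WinRM over HTTPS (TCP 5986) only from the management subnet.
#    Remove any earlier copy of this rule so the script can be re-run.
Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -Name $RuleName `
    -DisplayName 'WinRM HTTPS (management subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain,Private | Out-Null

# 3. Local password length and account lockout (values are assumptions).
#    On domain-joined machines these come from domain policy instead.
net accounts /minpwlen:14 /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# 4. Read the settings back so drift is visible.
[pscustomobject]@{
    LmCompatibilityLevel = (Get-ItemProperty -Path $lsa).LmCompatibilityLevel
    AllowedRemoteAddress = (Get-NetFirewallRule -Name $RuleName |
                            Get-NetFirewallAddressFilter).RemoteAddress
    WinRMListeners       = (Get-ChildItem WSMan:\localhost\Listener).Keys -join '; '
}
```

A broader allow rule for port 5986 that is still enabled takes effect alongside this one, so check for existing WinRM rules with `Get-NetFirewallRule` before relying on the restriction.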