1 Reply Latest reply on Jul 15, 2008 6:41 AM by sdavies

    WinRM Scripting and WS-MAN Translator

    vprouser

       

      I have a couple of questions about using WinRM scripting with the WS-MAN translator (which I need to use because I have some Intel Centrino Pro laptops) and the types of authentication available.

       

       

      I am using MS SCCM SP1 to provision my client systems, which consist of HP7800 systems (upgraded to AMT 3.2.1 firmware) and HP6910P systems (using AMT 2.6 firmware). I provision my systems using MS SCCM SP1 and use a Windows security group in the MS SCCM AMT settings to control which Windows users can access the Management Controller. This all works well.

       

       

      I want to write WinRM scripts to automate some configuration and management tasks for these clients. I used the examples provided with the WS-MAN source code package and these work nicely with my HP7800 systems. I started with the simple GetVersionInfo.VBS example and Basic/Digest authentication, which required me to manually add a user to my Management Controller using the AMT web interface, and then I graduated to Kerberos authentication, which works with no requirement to touch the client after it has been provisioned because MS SCCM has configured Kerberos during the provisioning process.

       

       

      My question involves using the scripts with clients that need to use the WS-MAN translator. I tried using Basic authentication and this worked OK when I manually added an admin type user to my Management Controller using the AMT WebUI. But I do not want to have to manually add users to each of my laptop clients, so I switched to Kerberos and now I get an access denied message from the script, which got me thinking about how the WS-MAN translator could work with Kerberos.

       

       

      So my questions are:

       

       

      1. Can I configure the WS-MAN translator so that it can use Kerberos authentication with my Intel Centrino Pro clients so that after provisioning using MS SCCM I can use the scripts immediately, and how do I do this?

       

       

      2. If I cannot use Kerberos authentication with the WS-MAN translator, is there another way of using WinRM scripts with my laptops which does not require me to manually add in credentials to each client after provisioning has been performed by MS SCCM?

       

       

      Any help would be very useful.

       

       

      vProUser

       

       

       

        • 1. Re: WinRM Scripting and WS-MAN Translator
          sdavies

           

          The WS-MAN translator can use Kerberos authentication with clients immediately following provisioning by SCCM, by enabling Kerberos delegation.

           

           

          For testing purposes, check the "Trust computer for delegation" option in the General tab of the computer account (hosting the WSMAN translator) in Active Directory Users and Computers and reboot the computer hosting the WSMAN translator. Now the WSMAN translator can impersonate whoever is logged on and running WinRM scripts that use the translator to access Intel vPro platforms.

           

           

          For production purposes, it might be worth investigating a more constrained approach for delegation rather than delegating to anything running under the computer account. Microsoft have a useful document titled "Troubleshooting Kerberos Delegation" which explains the available options.
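
One way to check which delegation mode the translator host's computer account is actually in, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory PowerShell module is available; `TRANSLATOR-HOST` is a placeholder computer name and `Get-DelegationPosture` is a hypothetical helper.

```powershell
# Added example: report the Kerberos delegation posture of the computer account
# hosting the WS-MAN translator. TRANSLATOR-HOST is a placeholder name.
param([string]$TranslatorHost = 'TRANSLATOR-HOST')

Import-Module ActiveDirectory

function Get-DelegationPosture {
    param([Parameter(Mandatory)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # SPNs this account may delegate to (empty when no constrained delegation is set).
    $targets = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    $mode = if ($c.TrustedForDelegation) {
        # The testing setup from the reply: delegation to any service.
        'Unconstrained'
    } elseif ($targets.Count -gt 0 -and $c.TrustedToAuthForDelegation) {
        'Constrained (any authentication protocol)'
    } elseif ($targets.Count -gt 0) {
        'Constrained (Kerberos only)'
    } else {
        'None'
    }

    [pscustomobject]@{
        Computer       = $c.Name
        Mode           = $mode
        AllowedTargets = $targets
    }
}

# Posture of the translator host itself.
Get-DelegationPosture -ComputerName $TranslatorHost | Format-List

# Every non-domain-controller computer still trusted for unconstrained delegation
# (primary group 516 is Domain Controllers), useful for finding test settings
# that were left in place.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516' |
    Select-Object Name, DistinguishedName
```

A host that reports `Unconstrained` is still in the testing configuration described above; the constrained modes list the specific service principal names the account may delegate to in `AllowedTargets`.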