How To
Summary
In some cases a PowerShell script may need to access resources outside of the Secret Server machine. This requires that the credentials be delegated to the target machine. Secret Server runs PowerShell scripts using WinRM, which does not allow credential delegation by default. In order to allow credential delegation, the Secret Server machine must have CredSSP enabled. The Credential Security Support Provider (CredSSP) is a Security Support Provider that allows a client to delegate credentials to a target server.
Here are some examples of scenarios that will require CredSSP:
- The script needs to query or update a value in Active Directory.
- The script needs to query or update a value in a SQL Server instance.
Steps
- Go to Administration -> Configuration.
- Click Edit.
- Check "Enable CredSSP Authentication for WinRM" and Save.
- Log on to the machine that is running Secret Server.
- Run Windows PowerShell as an Administrator.
- Enable client-side CredSSP by running:
Enable-WSManCredSSP -Role Client -DelegateComputer <Secret Server fully qualified machine name>
- Enable server-side CredSSP by running:
Enable-WSManCredSSP -Role Server
- Open gpedit.msc on your Secret Server machine.
- Navigate to Computer Settings > Administrative Templates > System > Credentials Delegation
- Edit the "Allow Delegating Fresh Credentials" setting.
- Verify that it is Enabled.
- Click "Show..."
- Verify that the list contains an entry that begins with "wsman/" and ends with the fully qualified machine name of the Secret Server machine.
- Restart the Secret Server machine.
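The following script is an added verification example; it is not part of the original article and not Secret Server's own code. Run it in an elevated PowerShell session on the Secret Server machine after completing the steps above (and the restart) to confirm that the client and server CredSSP roles are enabled and that the "Allow Delegating Fresh Credentials" policy lists exactly the expected wsman/ target. The FQDN is a placeholder that you must replace; the registry location it reads is where that Group Policy setting is stored.

```powershell
# Added example (not from the original article): verify the CredSSP
# configuration the steps above put in place on the Secret Server machine.
# Assumes an elevated session on that machine; $SecretServerFqdn is a
# placeholder you must replace with the real fully qualified name.
param(
    [string]$SecretServerFqdn = "secretserver.example.local"   # placeholder
)

$expectedTarget = "wsman/$SecretServerFqdn"

# 1. Ask WinRM what CredSSP roles are enabled. Get-WSManCredSSP returns
#    one line for the client side (which targets it may delegate to) and
#    one for the server side (whether it accepts delegated credentials).
$state = Get-WSManCredSSP
$clientOk = ($state -join "`n") -match [regex]::Escape($expectedTarget)
$serverOk = ($state -join "`n") -match 'configured to receive credentials'

# 2. Read the "Allow Delegating Fresh Credentials" policy from the registry
#    path where Group Policy stores it. The enabling DWORD lives on the
#    CredentialsDelegation key and the permitted targets are numbered
#    string values under the AllowFreshCredentials subkey.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$listKey   = Join-Path $policyKey 'AllowFreshCredentials'
$policyOk  = $false
$targets   = @()
if (Test-Path $policyKey) {
    $enabled = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).AllowFreshCredentials
    if ($enabled -eq 1 -and (Test-Path $listKey)) {
        $targets = (Get-ItemProperty -Path $listKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
        $policyOk = $targets -contains $expectedTarget
    }
}

# 3. Flag any delegation target broader than the single Secret Server host.
#    A wildcard entry (for example wsman/*) would let this machine hand its
#    credentials to any WinRM endpoint, which is wider than the steps require.
$wildcards = $targets | Where-Object { $_ -like '*`**' }

# 4. Report.
"Client CredSSP delegates to $expectedTarget : $clientOk"
"Server CredSSP accepts delegated credentials : $serverOk"
"Fresh-credential policy lists $expectedTarget : $policyOk"
if ($wildcards) {
    "WARNING: wildcard delegation targets present: $($wildcards -join ', ')"
}
if ($clientOk -and $serverOk -and $policyOk -and -not $wildcards) {
    "RESULT: CredSSP configuration matches the documented steps."
} else {
    "RESULT: CredSSP configuration is incomplete or broader than expected."
}
```

The wildcard check is the part worth keeping in an operational baseline: CredSSP forwards the script account's actual credentials to whatever target is listed, so the delegation list should contain only the Secret Server machine's own wsman/ entry, as the steps above describe, and nothing wider.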
Document Location
Worldwide
Document Information
Modified date:
20 November 2019
UID
ibm11109889