jborean93 / omi

Open Management Infrastructure

PowerShell remoting from macOS to standalone Windows using https fails with: Authorization Failed #55

Closed mcx808 closed 2 years ago

mcx808 commented 2 years ago
SUMMARY

I'm connecting from macOS to standalone Windows machines running a self-signed cert and WinRM on https via wsman. Every connection fails with the error: Enter-PSSession: Connecting to remote server xxx failed with the following error message : Authorization failed For more information, see the about_Remote_Troubleshooting Help topic.

I'm sure this used to be a problem, perhaps in a previous version of either PowerShell or PSWSMan, that was pretty much resolved as I stopped seeing it. I grabbed my older Mac (M1), which I'm certain stopped seeing this error, but I've since upgraded PowerShell (still at 7.2.6) and had to sudo pwsh; Install-WSMan again. It also has the same issue.

It's certainly an error I see when trying to double-hop, but how do I troubleshoot it for direct connections? The credentials are definitely correct, and I've tried all variations of `user`, `.\user` and `machine\user` as the credential username.

I don't have any issues connecting to domain-joined machines using plain WSMan and Kerberos after running kinit.

MODULE VERSION
PSWSMan 2.3.0
OS / ENVIRONMENT

ARM (M2) macOS 12.6.1 running PowerShell 7.2.7 (also on 7.2.6)

jborean93 commented 2 years ago

Unfortunately NTLM support on macOS (NTLM is used for standalone hosts) is very poor. The underlying GSSAPI library is based on a really old version of Heimdal with very iffy support for NTLM. It's also problematic when it comes to reporting the state of the authentication based on how OMI is written. If you've enabled basic auth on the Windows server then you can add -Authentication Basic to use Basic auth, which is a lot simpler than NTLM. It's not dangerous in this case because you are using HTTPS, which protects the data.

mcx808 commented 2 years ago

Ok thanks for the reply. I only discovered the issue when falling back to https PSRemoting over the usual ssh, since it was already enabled for Ansible. I can confirm -Authentication Basic works as per your suggestion. Do you know if this is limited to macOS or would I see the same issue on Linux? I get a slightly different error on Debian 11:

Enter-PSSession: Connecting to remote server {server} failed with the following error message : acquiring creds with username only failed Unspecified GSS failure.  Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.

Again -Authentication Basic solves the issue too.

jborean93 commented 2 years ago

NTLM auth on Linux is possible but won't work straight away. You essentially need:

mcx808 commented 2 years ago

Thanks @jborean93. I'll close this issue; it should be informative if anyone has the same problem.

For my use case, I'll just add Authentication = "Basic" to the $https splat I use for PSRemoting connections to these standalone machines since the creds will still be transmitted over TLS.
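
An added example, not part of the original thread or of PSWSMan/OMI: one way to keep the `$https` splat discussed above from ever being used with Basic authentication over plain HTTP. The function name `Assert-BasicAuthOverTls` and the host name are hypothetical, and the sketch assumes the client already trusts the server's certificate and that Basic auth is enabled on the WinRM HTTPS listener.

```powershell
# Added example: hypothetical guard, not the project's own code.
function Assert-BasicAuthOverTls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $SessionParams
    )

    # Basic auth sends the username and password base64-encoded in an HTTP
    # header, so the only confidentiality comes from the TLS channel.
    if ($SessionParams['Authentication'] -eq 'Basic' -and
        $SessionParams['UseSSL'] -ne $true) {
        $target = $SessionParams['ComputerName']
        throw "Basic authentication to '$target' requires UseSSL = `$true."
    }

    # Return the unchanged splat so the call can be chained.
    $SessionParams
}

# Splat for a standalone (non-domain) Windows host.
$https = @{
    ComputerName   = 'standalone01.example.test'  # constructed host name
    Port           = 5986                         # default WinRM HTTPS port
    UseSSL         = $true
    Authentication = 'Basic'
    Credential     = Get-Credential
}

# Throws before any credential leaves the machine if UseSSL is missing.
$checked = Assert-BasicAuthOverTls -SessionParams $https
Enter-PSSession @checked
```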