jborean93 / omi

Open Management Infrastructure

Ubuntu 22.04 Remote Connection with Kerberos or Negotiate with AD Account (PowerShell 7.3.1) #63

Open se opened 1 year ago

se commented 1 year ago
SUMMARY

We tried to connect to our PowerShell machine from Ubuntu 22.04 to Windows Server 2016 Standard.

Basic Authentication with SSL with a Local or AD Account works fine.

AD Account with -Authentication Kerberos or Negotiate gives the following error.

     | Connecting to remote server monodc.monosign.com failed with the following error message : Authorization failed Unspecified GSS failure.  Minor code may provide
     | more information Server not found in Kerberos database For more information, see the about_Remote_Troubleshooting Help topic.

kinit works fine, like:

kinit -f accountname@DOMAIN.LOCAL
MODULE VERSION
ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.3.1                 PSWSMan                             {Disable-WSManCertVerification, Enable-WSManCertVerification, Get-WSManVersion, Install-WSMan…}
OS / ENVIRONMENT
PowerShell Version is "PowerShell 7.3.1"
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.1 LTS"
COMMANDS THAT WE TRIED
# Session option that skips CA and CN checks, i.e. the server certificate is not validated
$SessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
# AD account in UPN form; the password is read from a file and converted to a SecureString
$UserName = "user@DOMAIN.LOCAL"
$Password = Get-Content ./Password.secure | ConvertTo-SecureString -AsPlainText
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $Password
# Negotiate over HTTPS (WSMan port 5986); "serveraddress" is the target host
Enter-PSSession serveraddress -SessionOption $SessionOption -Credential $Credential -Authentication Negotiate -UseSSL
se commented 1 year ago

I found that weird problem and fixed it like the following.

The problem is with OpenSSL (ofc). To fix it we need to enable legacy support in OpenSSL via the config file.

sudo nano /etc/ssl/openssl.cnf

Go to the [provider_sect] section and add the following line under default = default_sect.

legacy = legacy_sect

Go to the [default_sect] section and uncomment the following line. We also need to add a [legacy_sect] section, as follows.

This is the old version:

#[default_sect]
#activate = 1

It should look like this:

[default_sect]
activate = 1

[legacy_sect]
activate = 1

This enables MD4 in OpenSSL.

We could add this to the documentation. What do you think?

All credit goes to @mickdec. Thanks to this comment: https://forum.hackthebox.com/t/evil-winrm-error-on-connection-to-host/257342/14

We spent more than 4 days finding this 😮‍💨
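The edit described in the comment above is easy to get half-right by hand (the `legacy = legacy_sect` reference, the uncommented `[default_sect]`, and the new `[legacy_sect]` all have to be present, or the default provider silently goes away). The script below is an added example, written for this page and not code from the issue author or the omi project: it applies the three changes to a copy of `openssl.cnf` with awk, is idempotent, and has a check function that confirms all three pieces are in place. The sample config is constructed to mirror the section names shown in the comment (`[provider_sect]`, `[default_sect]`) and the stock Ubuntu 22.04 layout; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the issue or the omi project: activate the OpenSSL 3
# legacy provider (which provides MD4) alongside the default provider in an
# openssl.cnf-style file, and verify the result.

# Constructed sample in the shape of the stock Ubuntu 22.04 /etc/ssl/openssl.cnf,
# trimmed to the lines that matter here.
SAMPLE_CNF='openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
# Uncomment the section below to activate the default provider explicitly.
#[default_sect]
#activate = 1
'

# legacy_provider_enabled FILE
# Returns 0 only when FILE references legacy_sect from [provider_sect] AND
# activates both [default_sect] and [legacy_sect]; anything less is a broken state.
legacy_provider_enabled() {
    awk '
        /^\[/ { sect = $0 }
        sect == "[provider_sect]" && /^[[:space:]]*legacy[[:space:]]*=[[:space:]]*legacy_sect/ { ref = 1 }
        sect == "[default_sect]"  && /^[[:space:]]*activate[[:space:]]*=[[:space:]]*1/ { def = 1 }
        sect == "[legacy_sect]"   && /^[[:space:]]*activate[[:space:]]*=[[:space:]]*1/ { leg = 1 }
        END { exit !(ref && def && leg) }
    ' "$1"
}

# enable_legacy_provider FILE
# Rewrites FILE in place (keeping FILE.bak) so that the legacy provider is
# active next to the default one. Safe to run twice: it exits early if the
# file is already in the desired state.
enable_legacy_provider() {
    f="$1"
    legacy_provider_enabled "$f" && return 0
    cp -p "$f" "$f.bak"
    awk '
        /^\[/ { sect = $0 }
        # 1. [provider_sect]: reference legacy_sect right after the default line.
        sect == "[provider_sect]" && /^[[:space:]]*default[[:space:]]*=/ {
            print; print "legacy = legacy_sect"; next
        }
        # 2. Uncomment [default_sect] and its activate line (with or without a space after #).
        /^#[[:space:]]*\[default_sect\]/ { print "[default_sect]"; sect = "[default_sect]"; next }
        sect == "[default_sect]" && /^#[[:space:]]*activate[[:space:]]*=[[:space:]]*1/ { print "activate = 1"; next }
        /^\[legacy_sect\]/ { has_legacy_sect = 1 }
        { print }
        # 3. Append [legacy_sect] if the file does not have one yet.
        END { if (!has_legacy_sect) { print ""; print "[legacy_sect]"; print "activate = 1" } }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demo on a temporary copy so nothing under /etc is touched.
demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_CNF" > "$tmp"
    legacy_provider_enabled "$tmp" && echo "already active" || echo "legacy provider not active"
    enable_legacy_provider "$tmp"
    legacy_provider_enabled "$tmp" && echo "legacy provider now active"
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

To apply it to the real file, run `enable_legacy_provider /etc/ssl/openssl.cnf` as root; `legacy_provider_enabled` can then serve as a post-change check, and `openssl list -providers` should list both `default` and `legacy`. Note that this change is host-wide: every OpenSSL 3 consumer on the machine gets the legacy algorithms back, not just pwsh. If only the WinRM client needs MD4, a narrower option is to write the patched config to a separate file and point just that process at it with the `OPENSSL_CONF` environment variable.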