I would like to connect remotely to a Windows machine using certificates instead of usernames and passwords. The connections will be made mainly from a Linux server using Ansible or the pywinrm module.

I am able to connect from the remote machines using a username or password, but not using the certificates.

I generated a client certificate with OpenSSL on Linux with:

extended key usage: Client Authentication (1.3.6.1.5.5.7.3.2)
subject alternative name: Other Name:
     Principal Name=user@localhost

I imported the certificate into the Root certificate store and into the TrustedPeople certificate store:

Get-Item Cert:\LocalMachine\TrustedPeople\28DB272759BB411B49EB8E1CEAA29A2704DC2D17

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\TrustedPeople

Thumbprint                                Subject
----------                                -------
28DB272759BB411B49EB8E1CEAA29A2704DC2D17  CN=user

I got the certificate thumbprint:

(get-ChildItem -Path cert:\LocalMachine\root | Where-Object { $_.Subject -eq "CN=user" }).Thumbprint
 28db272759bb411b49eb8e1ceaa29a2704dc2d17

and added a mapping to the user, which is a member of the Administrators group:

New-Item -Path WSMan:\localhost\ClientCertificate `
         -Subject 'user@localhost' `
         -URI * `
         -Issuer 28db272759bb411b49eb8e1ceaa29a2704dc2d17 `
         -Credential (Get-Credential) `
         -Force

Get-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_130594957 | fl *


PSPath            : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate\ClientCertificate_130594957
PSParentPath      : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate
PSChildName       : ClientCertificate_130594957
PSDrive           : WSMan
PSProvider        : Microsoft.WSMan.Management\WSMan
PSIsContainer     : True
Keys              : {URI=*, Issuer=28db272759bb411b49eb8e1ceaa29a2704dc2d17, Subject=user@localhost}
Name              : ClientCertificate_130594957
TypeNameOfElement : Container
Type              : Container

I can connect to the server using a username and password, but not when using the certificates. When I try to test a local connection it still does not work. The HTTPS port is open.

Testing locally does not work either:

Test-WSMan -ComputerName . -Authentication ClientCertificate -CertificateThumbprint <thumbprint>

I get this error:

Test-WSMan : The WS-Management service cannot find the certificate that was requested.
At line:1 char:1
+ Test-WSMan -ComputerName . -Authentication ClientCertificate -Certifi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Test-WSMan], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

The Python script says:

  File "/usr/local/lib/python3.6/site-packages/winrm/transport.py", line 333, in _send_message_request
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server

I do not see how I can debug this; I do not see anything in the Windows logs. My knowledge of Windows is quite limited.

How can I fix this?

  • You never told what you were doing to begin with. Commented Jun 8, 2020 at 5:44
  • I wrote in my first sentence: connect to the Windows laptop from Linux (Ansible, Python) without entering a password, but using the certificates.
    – danidar
    Commented Jun 8, 2020 at 9:42
  • You wrote the first paragraph without punctuation or formatting of any sort. We recognize English is not everyone's first language and that many use translators to ease their use of this site, but please do your best to use the common tools of language to make your question clear. Use the EDIT button and begin improving your question, please. Commented Jun 8, 2020 at 17:09

1 Answer

I had a similar issue with a Python client script. I spent hours on it. I found it was due to some intermediate certificates present in the Trusted Root Certification Authorities folder of the Local Machine certificate store of the remote server. It's weird, as both certificates are self-signed (WinRM listener and client authentication).

Rgds
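The following diagnostic is an added example, not code from the question or the answer above: run in an elevated PowerShell on the Windows host, it checks each prerequisite the question's setup relies on (certificate auth enabled on the WinRM service, an HTTPS listener, the client certificate in TrustedPeople and Root with the Client Authentication EKU, and a ClientCertificate mapping whose Subject is the UPN and whose Issuer is the thumbprint) and, per the answer, lists any non-self-signed certificates sitting in Root. The thumbprint and UPN values are taken from the question and are assumed to match your certificate.

```powershell
# Added diagnostic for WinRM certificate authentication (not from the original post).
# Assumptions: the thumbprint and UPN below are the ones used in the question.
$Thumbprint = '28DB272759BB411B49EB8E1CEAA29A2704DC2D17'
$Upn        = 'user@localhost'

function Test-WinRMCertAuthSetup {
    param([string]$Thumbprint, [string]$Upn)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $ok = $true

    # 1. The WinRM service must accept certificate auth; it is disabled by default.
    $certAuth = (Get-Item WSMan:\localhost\Service\Auth\Certificate).Value
    if ($certAuth -ne 'true') { Write-Warning "Service\Auth\Certificate is '$certAuth' (expected true)"; $ok = $false }

    # 2. Certificate auth only works over an HTTPS listener.
    $https = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if (-not $https) { Write-Warning 'No HTTPS listener is configured'; $ok = $false }

    # 3. The client certificate must be present in TrustedPeople and, being self-signed, in Root.
    foreach ($store in 'TrustedPeople', 'Root') {
        if (-not (Test-Path "Cert:\LocalMachine\$store\$Thumbprint")) {
            Write-Warning "Client certificate $Thumbprint not found in LocalMachine\$store"; $ok = $false
        }
    }

    # 4. The certificate must carry the Client Authentication EKU.
    $cert = Get-Item "Cert:\LocalMachine\TrustedPeople\$Thumbprint" -ErrorAction SilentlyContinue
    if ($cert -and -not ($cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)) {
        Write-Warning 'Certificate lacks the Client Authentication EKU'; $ok = $false
    }

    # 5. A mapping must exist with Subject = UPN and Issuer = thumbprint (comparison is case-insensitive).
    $map = Get-ChildItem WSMan:\localhost\ClientCertificate | Where-Object {
        ($_.Keys -contains "Subject=$Upn") -and ($_.Keys -contains "Issuer=$Thumbprint")
    }
    if (-not $map) { Write-Warning "No ClientCertificate mapping for $Upn with issuer $Thumbprint"; $ok = $false }

    # 6. Per the answer: certificates in Root whose Subject differs from Issuer are not self-signed
    #    and can interfere with chain building; list them so they can be reviewed.
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer } |
        ForEach-Object { Write-Warning "Non-self-signed certificate in Root: $($_.Subject)" }

    return $ok
}

Test-WinRMCertAuthSetup -Thumbprint $Thumbprint -Upn $Upn
```

The function returns $true only when every check passes; each failed check is reported as a warning so the first missing prerequisite is visible without reading event logs.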
