I would like to connect remotely to a Windows machine using certificates instead of a username and password. The connections will be made mainly from a Linux server using Ansible or the pywinrm module.
I am able to connect from the remote machines using a username and password, but not using certificates.
I generated a client certificate with openssl on Linux with:
extended key usage: Client Authentication (1.3.6.1.5.5.7.3.2)
subject alternative name: Other Name:
Principal Name=user@localhost
I imported the certificate into the Root certificate store and into the TrustedPeople certificate store:
Get-Item Cert:\LocalMachine\TrustedPeople\28DB272759BB411B49EB8E1CEAA29A2704DC2D17
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\TrustedPeople
Thumbprint Subject
---------- -------
28DB272759BB411B49EB8E1CEAA29A2704DC2D17 CN=user
I got the certificate thumbprint:
(get-ChildItem -Path cert:\LocalMachine\root | Where-Object { $_.Subject -eq "CN=user" }).Thumbprint
28db272759bb411b49eb8e1ceaa29a2704dc2d17
and added a mapping to the user, which is a member of the Administrators group:
New-Item -Path WSMan:\localhost\ClientCertificate `
-Subject 'user@localhost' `
-URI * `
-Issuer 28db272759bb411b49eb8e1ceaa29a2704dc2d17 `
-Credential (Get-Credential) `
-Force
Get-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_130594957 | fl *
PSPath : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate\ClientCertificate_130594957
PSParentPath : Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate
PSChildName : ClientCertificate_130594957
PSDrive : WSMan
PSProvider : Microsoft.WSMan.Management\WSMan
PSIsContainer : True
Keys : {URI=*, Issuer=28db272759bb411b49eb8e1ceaa29a2704dc2d17, Subject=user@localhost}
Name : ClientCertificate_130594957
TypeNameOfElement : Container
Type : Container
I can connect to the server using a username and password, but not when using certificates. The HTTPS port is open.
Testing locally does not work either:
Test-WSMan -ComputerName . -Authentication ClientCertificate -CertificateThumbprint <thumbprint>
I get this error:
Test-WSMan : The WS-Management service cannot find the certificate that was requested.
At line:1 char:1
+ Test-WSMan -ComputerName . -Authentication ClientCertificate -Certifi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Test-WSMan], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand
The Python script says:
File "/usr/local/lib/python3.6/site-packages/winrm/transport.py", line 333, in _send_message_request
raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
I do not see how I can debug this; I do not see anything in the Windows logs. My knowledge of Windows is quite limited.
How can I fix this?
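As an added example (not part of the original post), this script generates a self-signed WinRM client certificate on Linux with exactly the two extensions the question describes (Client Authentication EKU and a UPN otherName in the SAN) and checks them before the certificate is imported on the Windows side; the UPN `user@localhost` and the output directory are placeholders it assumes.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH.
set -e

# Write an openssl config producing the two extensions WinRM expects:
#   extendedKeyUsage = clientAuth           (1.3.6.1.5.5.7.3.2)
#   subjectAltName   = otherName UPN        (1.3.6.1.4.1.311.20.2.3)
# x509_extensions is what 'req -x509' reads when self-signing.
write_winrm_ext_cnf() {
  upn="$1"; out="$2"
  cat > "$out" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
[dn]
CN = ${upn%@*}
[v3_req]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${upn}
EOF
}

# Create a self-signed client certificate and key (placeholder paths).
# Because it is self-signed, the certificate is its own issuer: the SHA1
# fingerprint printed here is the thumbprint Windows shows for it and the
# value that belongs in the -Issuer field of the WSMan ClientCertificate mapping.
gen_winrm_client_cert() {
  upn="$1"; dir="$2"
  mkdir -p "$dir"
  write_winrm_ext_cnf "$upn" "$dir/winrm.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/winrm.cnf" \
    -keyout "$dir/client.key" -out "$dir/client.pem" 2>/dev/null
  # Print the thumbprint as Windows displays it: hex, no colons.
  openssl x509 -in "$dir/client.pem" -noout -fingerprint -sha1 \
    | sed 's/^.*=//; s/://g'
}

# Verify both extensions are present; prints 'ok' when they are.
# (Older openssl prints the UPN as 'othername:<unsupported>', newer
# versions print 'othername: UPN::...'; both contain 'othername'.)
check_winrm_client_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' || return 1
  printf '%s\n' "$txt" | grep -qi 'othername' || return 1
  echo ok
}
```

The key file must stay on the Linux side with the client; only `client.pem` is copied to Windows and placed in the stores.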