Hi Experts,
Please help with setting up CredSSP across multiple domains.
I need to run a remote PowerShell session from 1 domain to another, and my script has the second-hop or “multihop” problem.
When I test CredSSP in the same domain everything works fine, but I get an error with multiple domains.
Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed