10

I have disabled negotiate authentication for the winrm service on my server by executing:

    winrm put winrm/config/service/Auth @{Negotiate="false"}

And now I can perform any operation with winrm. I get the error:

    Message = The WinRM client cannot process the request. The WinRM client tried
    to use Negotiate authentication mechanism, but the destination computer
    (localhost:47001) returned an 'access denied' error. Change the configuration
    to allow Negotiate authentication mechanism to be used or specify one of the
    authentication mechanisms supported by the server. To use Kerberos, specify
    the local computer name as the remote destination. Also verify that the
    client computer and the destination computer are joined to a domain. To use
    Basic, specify the local computer name as the remote destination, specify
    Basic authentication and provide user name and password. Possible
    authentication mechanisms reported by server:

I understand the error, but the problem is that the only way I find on the web to enable Negotiate authentication is by executing:

    winrm put winrm/config/service/Auth @{Negotiate="true"}

Which of course gives the error above. Is there another way to enable Negotiate authentication?

Ivaylo Strandjev

6 Answers

14

Use Group Policy:

Computer > Policies > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service:
Disallow Negotiate Authentication: Disabled.

Greg Askew
  • For future readers: to open this menu, run (Win + R) `gpedit.msc` and select `Computer Configuration` -> `Administrative Templates` ... – Ivaylo Strandjev Nov 12 '13 at 09:12
  • If it's "not configured", don't let that fool you; it's not actually picking up the default as you'd expect. This ended up being the answer for me after unsuccessfully trying the registry fixes. – durette Jun 28 '18 at 20:33
6

Edit the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client.

Set auth_kerberos and auth_negotiate to 1.

Restart the service.

Andrew Schulman
Ivan
2

As suggested in this answer, but Service, not Client:

  1. Edit the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service.

  2. Set auth_kerberos and auth_negotiate to 1.

  3. Restart the Windows Remote Management (WS-Management) Service.

I say Reinstate Monica
lcapty507
1

On our Server 2012 / Exchange 2010 machine we had this error when trying to use AVG backup software.

I found removing both maxEnvelopeSize and trusted_hosts under this key did the trick:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client]
    "maxEnvelopeSize"=dword:000007d0
    "trusted_hosts"="*"

sebix
rob
1

I had one server working, yet another would not. I could not find the problem. Finally I figured it out.

On the sending server: set the local policy Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Fresh Credentials. In there, set WSMAN* in "Add servers to the list" (also check the box to concatenate OS defaults).

On the receiving server, create a .reg file with the following:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client]
    "auth_credssp"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service]
    "auth_credssp"=dword:00000001

Works for me.

HBruijn
1

Please note that if the computer (server) is a member of a domain, or is itself a domain controller (in my case Windows Server 2019), the Group Policy can be applied from the domain group policy.
So in these cases I suggest using the command below and checking the winning value of the "Disallow Negotiate authentication" policy.

    C:\Temp>gpresult /h rep.htm

It may be applied from "Default Domain Controllers Policy" !!
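
The answers above change WinRM authentication in two places: the local WSMAN registry keys and Group Policy. The following audit script is an added example, not code from any answer on this page; it reads both locations directly from the registry, so it still works when `winrm` itself is locked out. The policy key path and the `Allow*` value names are assumptions about where Group Policy stores these settings; the `auth_*` and `trusted_hosts` names come from the answers.

```powershell
# Added example: read WinRM auth settings straight from the registry, because
# the winrm command itself fails once Negotiate is disabled on the service.
$localRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN'
# Assumption: Group Policy writes the WinRM settings under this key.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'

# Local value name (from the answers above) -> assumed policy value name.
$mechanisms = [ordered]@{
    auth_negotiate = 'AllowNegotiate'
    auth_kerberos  = 'AllowKerberos'
    auth_credssp   = 'AllowCredSSP'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = foreach ($role in 'Service', 'Client') {
    foreach ($entry in $mechanisms.GetEnumerator()) {
        $localValue  = Get-RegValue "$localRoot\$role"  $entry.Key
        $policyValue = Get-RegValue "$policyRoot\$role" $entry.Value
        [pscustomobject]@{
            Role      = $role
            Mechanism = $entry.Key
            Local     = if ($null -eq $localValue)  { '(not set)' }        else { $localValue }
            Policy    = if ($null -eq $policyValue) { '(not configured)' } else { $policyValue }
            # A configured policy value takes precedence over the local key.
            Source    = if ($null -eq $policyValue) { 'local' } else { 'policy' }
        }
    }
}
$report | Format-Table -AutoSize

# trusted_hosts="*" (shown in one answer) makes the client trust every host,
# so it will authenticate to machines whose identity it cannot verify.
$trusted = Get-RegValue "$localRoot\Client" 'trusted_hosts'
if ($trusted -eq '*') {
    Write-Warning 'WSMAN client trusted_hosts is "*"; restrict it to named hosts.'
}
```

A row whose Source is `policy` will not stay changed by editing the local `auth_*` value; use `gpresult` as described above to find the GPO that sets it.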