To get this to work, you must configure both your local and remote computers.
On the remote server, run the following command:
Enable-WSManCredSSP -Role server
You’ll know things are confgured correctly if you run the Get-WSManCredSSP cmdlet and get the following output:
The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.
On your local computer, from an Administrative PowerShell prompt, you need to allow credential delegation in PowerShell. Run the following command:
Enable-WSManCredSSP -Role Client -DelegateComputer <REMOTE_COMPUTER_NAME>
You can enable all servers by using * for REMOTE_COMPUTER_NAME.
You’ll know this is configured correctly when you run Get-WSManCredSSP and get the following output:
The machine is configured to allow delegating fresh credentials to the following target(s): wsman/REMOTE_SERVER_NAME
This computer is not configured to receive credentials from a remote client computer.
On your local machine, update Group Policy to allow your credentials to be delegated to the remote server.
- Open gpedit.msc and browse to Computer Configuration > Administrative Templates > System > Credentials Delegation.
- Double-click “Allow delegating fresh credentials with NTLM-only Server Authentication”.
- Enable the setting and add the build server to the server list as WSMAN/BuildServerName. (You can enable all servers by entering WSMAN/*.)
Then, when you need to run your command on the remote server, you can’t use any of the *-PSSession commands because CredSSP can’t use cached credentials. You have to start the session using Invoke-Command, and use CredSSP as the value to the Authentication parameter, like so:
Invoke-Command -ScriptBlock { # remote commands here } `
-ComputerName <REMOTE_COMPUTER_NAME> `
-Authentication CredSSP `
-Credential <USERNAME>