
Troubleshooting Remote PowerShell and CredSSP

Tools Machine Policy

1. First, on the Tools machine, ensure the following policies have been configured. Open GPEDIT.MSC

2. Computer Configuration > Administrative Templates > System > Credentials Delegation

3.
4. Double Click on Allow Delegating Fresh Credentials
5. Select Enabled and then click Show

6. Repeat process 1 to 5 for Allow Delegating Fresh Credentials with NTLM-only Server
Authentication

7. IMPORTANT NOTE: If Central Administration Server is called SPAPP1 and the fully qualified
domain name is contoso.local.com then the setting should look like:
WSMAN/SPAPP1.contoso.local.com

Target Machine Policy

1. We will now repeat the steps above on the Target Server, only this time we want to ensure that the
Target Server has a delegation route to the Tools Machine. On the Target Server (usually the
SharePoint Server running Central Administration), ensure the following policies have been
configured. Open GPEDIT.MSC

2. Computer Configuration > Administrative Templates > System > Credentials Delegation

3.
4. Double Click on Allow Delegating Fresh Credentials
5. Select Enabled and then click Show

6. IMPORTANT NOTE: If Tools Machine is called tools1 and the fully qualified domain name is
contoso.local.com then the setting should look like: WSMAN/tools1.contoso.local.com

Validation of Delegation of Fresh Credentials


7. Validate the policy in the registry. There may be cases where, for some reason, the policy is not
written to the registry. To check that credentials are allowed for delegation, check the registry:

HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain

8. Ensure all keys matching AllowFreshCredentials* are checked, and that each has a WSMAN value
configured.

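9. If the value is blank, you can populate it using the following example. Note that the wildcard
allows delegation to every host in that domain; an entry naming a single server, as in the notes
above, is narrower.

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain -Name WSMan -Value "WSMAN/*.my.domain.com"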
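
A read-only check for steps 7 to 9, as an added example that is not part of the original document: it lists every AllowFreshCredentials* key under the PolicyDefaults path above and reports whether a WSMAN entry exists, whether it covers the intended target, and whether it is a wildcard. The function name Test-CredSspDelegationList and its parameters are hypothetical; the host name is the sample name used on this page.

```powershell
# Added example, not from the original document. Read-only: it changes nothing.
function Test-CredSspDelegationList {
    param(
        # Host the credentials should be delegated to (sample name from this page).
        [Parameter(Mandatory)] [string] $TargetFqdn,
        # Registry path given in step 7, without the final key name.
        [string] $Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults'
    )

    $spn = "WSMAN/$TargetFqdn"

    Get-ChildItem -Path $Root -ErrorAction Stop |
        Where-Object { $_.PSChildName -like 'AllowFreshCredentials*' } |
        ForEach-Object {
            $key = $_

            # Collect every value under the key (a value may hold one or several strings).
            $entries = foreach ($name in $key.GetValueNames()) {
                foreach ($value in @($key.GetValue($name))) { [string]$value }
            }
            $wsman = @($entries | Where-Object { $_ -like 'WSMAN/*' })

            [pscustomobject]@{
                Key           = $key.PSChildName
                Entries       = @($entries) -join '; '
                # Step 8: the key must carry at least one WSMAN entry.
                HasWsman      = $wsman.Count -gt 0
                # True when an entry (exact or wildcard) matches WSMAN/<target>.
                CoversTarget  = [bool]($wsman | Where-Object { $spn -like $_ })
                # True when delegation is allowed to more than one named host.
                WildcardEntry = [bool]($wsman | Where-Object { $_ -match '\*' })
            }
        }
}

# On the Tools machine, check the route to the SharePoint server.
Test-CredSspDelegationList -TargetFqdn 'spapp1.contoso.local.com' | Format-Table -AutoSize
```

On the Target Server, run the same function with the Tools machine name (tools1.contoso.local.com in this page's example).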

Configure Remote PowerShell

IMPORTANT NOTE: The steps below will require the names of the tools machine and the SharePoint
Server. In the example we will be using the names that were used in the previous section. Please note
that you will use your server name in the areas that are in bold red.

1. On the Tools Machine, launch a PowerShell prompt with the option Run as Administrator and
run the following commands:

WinRM QuickConfig
Enable-WSManCredSSP -Role Client -DelegateComputer spapp1.contoso.local.com -Force
Enable-PSRemoting -Force

2. On the Target Server, launch a PowerShell prompt with the option Run as Administrator and
run the following commands:

WinRM QuickConfig
Enable-WSManCredSSP -Role Server -Force
Enable-PSRemoting -Force
winrm set winrm/config/winrs '@{MaxShellsPerUser="25"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'

3. Close any PowerShell session windows or run [System.GC]::Collect()

4. Check that the default remote PowerShell ports are open. If Telnet Client is installed, run from
the Tools machine:
a. telnet SPSERVERNAME 5985
b. telnet SPSERVERNAME 5986

5. Test the connection (remember to use the correct server name). From the Tools machine run:

$farm = Get-Credential
$s = New-PSSession -ComputerName spapp1.contoso.local.com -Authentication CredSSP -Credential $farm
Invoke-Command -Session $s -ScriptBlock { Add-PSSnapin Microsoft.SharePoint.PowerShell -ea 0 }
Invoke-Command -Session $s -ScriptBlock { Get-SPFarm }
Invoke-Command -Session $s -ScriptBlock { Get-SPContentDatabase }
Get-PSSession | Remove-PSSession

6. Run the RaaS and it should be able to discover the SPFARM database in discovery, as well as PS
collectors running.

Additional Troubleshooting Steps

1. Check that the account is trusted in AD for delegation: if the settings still do not work, check
the account for delegation rights, as this can be a blocker. In Active Directory, check that the
account used to run the SPRaaS has the following settings enabled.
