juju-manual

juju-manual [2016/12/08 19:16]
sgiulitti [This is how would look if both listeners are enabled]
juju-manual [2016/12/08 21:52]
sgiulitti [Step 2]
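--- a/juju-manual.txt
+++ b/juju-manual.txt
@@ -80,5 +80,11 @@
 winrm quickconfig
 # this will let us use the http listener with password auth
-winrm set winrm/config/service '@{AllowUnencrypted="true"}'
+winrm set winrm/config/service '@{AllowUnencrypted="true"}' 
+winrm set winrm/config/client '@{TrustedHosts="*"}' 
+winrm set winrm/config/client/auth '@{Basic="true"}' 
+winrm set winrm/config/client/auth '@{Certificate="true"}' 
+winrm set winrm/config/service/auth '@{Basic="true"}' 
+winrm set winrm/config/service/auth '@{Certificate="true"}' 
+winrm set winrm/config/service '@{AllowRemoteAccess="true"}'
 
 </code>
@@ -107,5 +113,10 @@
 C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out winrmcacert.pfx -inkey winrmcacert.key -in winrmcacert.cer -name "maas-win2k12r2" -passout pass:
 Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\My
+############################################################################################
+# THIS IS ONLY IF YOU WANT TO TEST THE CA VERIFICATION ON THE HOST WITH Enter-PSSession cmd
 Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\Root
+############################################################################################
+winrm set winrm/config/service/auth '@{Certificate="true"}'
+winrm set winrm/config/client/auth '@{Certificate="true"}'
 winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="maas-win2k12r2";CertificateThumbprint="THUMBPRINT"}'
 netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986
@@ -154,2 +165,37 @@
 </code>
 
+
+======= Manually adding the Client certs on the target windows machine ======
+
+Pop up a powershell windows and type these lines with your own credentials in it.
+
+<code powershell>
+$username = "Administrator"
+$password = "Pa$$sword"
+$pfx_password = "SomePfxPassword"
+$certThumb = "PASTE-HERE-CLIENT-CERT-THUMBPRINT"
+$CN = "CN OF THE CLIENT CERT"
+
+$secure_password = ConvertTo-SecureString $password -AsPlainText -Force
+$pfx_secure_password = ConvertTo-SecureString $pfx_password -AsPlainText -Force
+
+Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\My -Passsword $pfx_secure_password
+Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Passsword $pfx_secure_password
+
+$cred = New-Object System.Management.Automation.PSCredential "$ENV:COMPUTERNAME\$username", $secure_password
+
+# CREATE WINRM CERT MAPPING
+New-Item -Path WSMan:\localhost\ClientCertificate -Issuer $certThumb -Subject $CN -Uri * -Credential $cred -Force
+
+# Test client connection with client cert auth without skipping the CA
+Test-WSMan -ComputerName $env:COMPUTERNAME -Authentication ClientCertificate -CertificateThumbprint $certThumb
+
+# test client connection with client cert auth and skip the CA verification and CN check
+$opt = New-PSSessionOption –SkipCACheck –SkipCNCheck –SkipRevocationCheck
+Enter-PSSession -ComputerName $env:COMPUTERNAME -CertificateThumbprint $thumbprint -Authentication Default -SessionOption $opt
+
+
+# Remove Client mapping (in case you want to remove it)
+# THIS WILL REMOVE ALL CLIENT CERTITIFACTES IN WSMAN
+Remove-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_* -Recurse -force | Out-null
+</code>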
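Review bot: Both `Import-PfxCertificate` lines in the last hunk (new line 165 onward) spell the parameter `-Passsword`, which the cmdlet does not define, so the imports stop with a parameter error before any certificate is installed; it should be `-Password $pfx_secure_password`. The `Enter-PSSession` test passes `-CertificateThumbprint $thumbprint`, but only `$certThumb` is assigned in this block, so the session is attempted with an empty thumbprint; use `$certThumb` there. `$password = "Pa$$sword"` sits in double quotes, where PowerShell treats `$` as the start of a variable and the stored value is not the literal text; `$password = 'Pa$$sword'` keeps it verbatim. It would also help to say next to the second import that placing the client PFX in `Cert:\LocalMachine\Root` makes it a machine-wide trust anchor on the target, in the same way the second hunk marks its Root import as test-only.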
juju-manual.txt · Last modified: 2016/12/08 21:52 (external edit)