In some cases a PowerShell script may need to access resources outside of the Secret Server machine. This requires that the credentials be delegated to the target machine. Secret Server runs PowerShell scripts using WinRM, which does not allow credential delegation by default. In order to allow credential delegation, the Secret Server machine must have CredSSP enabled. The Credential Security Support Provider (CredSSP) is a Security Support Provider that allows a client to delegate credentials to a target server.
Here are some examples of scenarios that will require CredSSP:
- The script needs to query or update a value in Active Directory.
- The script needs to query or update a value in a SQL Server instance.
Enabling CredSSP For WinRM in Secret Server
Configuring CredSSP For WinRM on the Secret Server Machine
- Go to Administration -> Configuration.
- Click Edit.
- Check "Enable CredSSP Authentication for WinRM" and Save.
Ensure that the "Allow Delegating Fresh Credentials" Group Policy setting is enabled and is not disabled by a Domain Policy.
- Log on to the machine that is running Secret Server.
- Run Windows PowerShell as an Administrator.
- Enable client-side CredSSP by running:
Enable-WSManCredSSP -Role Client -DelegateComputer <Secret Server fully qualified machine name>
- Enable server-side CredSSP by running:
Enable-WSManCredSSP -Role Server
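The following read-only check is an added example, not code from the Secret Server documentation. Run it in an elevated PowerShell session on the Secret Server machine after the steps above; it reports whether the WinRM client and server CredSSP roles are on and whether the "Allow Delegating Fresh Credentials" policy is enabled with a `wsman/` entry ending in the Secret Server FQDN. The function name, the parameter name and the sample FQDN are assumptions; the `WSMan:` drive paths and the `CredentialsDelegation` registry key are where Windows stores these settings.

```powershell
# Added example: verify the CredSSP prerequisites on the Secret Server machine.
# Requires an elevated session because the WSMan: drive needs administrator rights.
function Test-CredSspPrerequisites {
    param(
        # Fully qualified name of the Secret Server machine (value below is a placeholder).
        [Parameter(Mandatory)][string]$SecretServerFqdn
    )

    $results = [ordered]@{}

    # 1. WinRM CredSSP roles, as set by Enable-WSManCredSSP -Role Client / -Role Server.
    #    The WSMan: provider exposes each flag as the string 'true' or 'false'.
    $results['WinRmClientCredSsp']  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
    $results['WinRmServiceCredSsp'] = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'

    # 2. "Allow Delegating Fresh Credentials" policy. Group Policy writes it here:
    #    AllowFreshCredentials = 1 means Enabled (0 means Disabled, possibly by a domain GPO);
    #    the AllowFreshCredentials subkey holds the numbered SPN list behind "Show...".
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $policyOn    = $false
    $spnMatch    = $false
    $spnList     = @()
    if (Test-Path $policyKey) {
        $prop = Get-ItemProperty -Path $policyKey -Name AllowFreshCredentials -ErrorAction SilentlyContinue
        $policyOn = ($null -ne $prop) -and ($prop.AllowFreshCredentials -eq 1)

        $listKey = Join-Path $policyKey 'AllowFreshCredentials'
        if (Test-Path $listKey) {
            $item    = Get-Item $listKey
            $spnList = @($item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) })
            # Page rule: an entry that begins with "wsman/" and ends with the Secret Server FQDN.
            $spnMatch = [bool]($spnList | Where-Object {
                $_ -like 'wsman/*' -and $_.EndsWith($SecretServerFqdn, [StringComparison]::OrdinalIgnoreCase)
            })
        }
    }
    $results['FreshCredentialsPolicyEnabled'] = $policyOn
    $results['DelegationTargetListed']        = $spnMatch
    $results['DelegationTargets']             = ($spnList -join '; ')
    $results['AllPrerequisitesMet']           = $results['WinRmClientCredSsp'] -and
                                                $results['WinRmServiceCredSsp'] -and
                                                $policyOn -and $spnMatch
    [pscustomobject]$results
}

# Usage (placeholder host name):
Test-CredSspPrerequisites -SecretServerFqdn 'secretserver.example.local' | Format-List
```

`Get-WSManCredSSP` gives the same client/server information as free text; the `WSMan:` drive is used here because its values are easier to test in a script. A `DelegationTargetListed` of `False` with the policy enabled usually means the entry was created for a short host name or a different FQDN than the one WinRM will present.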
- Open gpedit.msc on your Secret Server machine.
- Navigate to Computer Settings > Administrative Templates > System > Credentials Delegation.
- Edit the "Allow Delegating Fresh Credentials" setting.
- Verify that it is Enabled.
- Click "Show...".
- Verify that the list contains an entry that begins with "wsman/" and ends with the fully qualified machine name of the Secret Server machine.
Enabling CredSSP on a Secret Server Agent for use with PowerShell Script Dependencies
NOTE: Remote Agents are only needed to connect to networks that are not directly connected to the network that Secret Server is installed on. If you are not using Remote Agents, you can disregard this section.
By default, the Secret Server Agent will inherit the "Enable CredSSP Authentication for WinRM" setting from Secret Server. However, this can be overridden in the config file as follows:
- On the machine running the agent, locate the Secret Server Agent program files (Default: C:\Program Files (x86)\Thycotic Software Ltd\Secret Server Agent).
- Edit SecretServerAgentService.exe.Config in a text editor.
- Locate the section called UnencryptedSettings.
- Add a new key to that section for EnableCredSSPForWinRM and set it to true. For example:
<add key="EnableCredSSPForWinRM" value="true" />
- Restart the Secret Server Agent service to apply the setting.
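The steps above can be scripted so the change is repeatable and reversible. This is an added example, not the agent's own tooling: it backs up the config file, adds or updates the `EnableCredSSPForWinRM` key inside `UnencryptedSettings`, saves the file and restarts the agent service. It assumes the config is plain XML without a default namespace (as the `<add key=... value=... />` form on this page suggests) and that the section can be found with the XPath `//UnencryptedSettings`. The service name is not given on the page, so it is a mandatory parameter; look it up first with `Get-Service`.

```powershell
# Added example: set the agent's CredSSP override in SecretServerAgentService.exe.Config.
# Run in an elevated session on the agent machine (the file sits under Program Files).
function Set-AgentCredSspOverride {
    param(
        # Default path from the documentation; adjust if the agent was installed elsewhere.
        [string]$ConfigPath = 'C:\Program Files (x86)\Thycotic Software Ltd\Secret Server Agent\SecretServerAgentService.exe.Config',
        # $true adds/sets EnableCredSSPForWinRM=true; $false sets it to false.
        [bool]$Enabled = $true,
        # Name of the agent's Windows service (not stated on the page; find it with Get-Service).
        [Parameter(Mandatory)][string]$ServiceName
    )

    if (-not (Test-Path -Path $ConfigPath)) {
        throw "Config file not found: $ConfigPath"
    }

    # Timestamped backup so the edit can be rolled back by copying the file back.
    $backup = '{0}.{1}.bak' -f $ConfigPath, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -Path $ConfigPath -Destination $backup

    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $section = $config.SelectSingleNode('//UnencryptedSettings')   # assumed section layout
    if ($null -eq $section) {
        throw "No UnencryptedSettings section found in $ConfigPath"
    }

    # Reuse an existing entry rather than adding a duplicate key.
    $entry = $section.SelectSingleNode("add[@key='EnableCredSSPForWinRM']")
    if ($null -eq $entry) {
        $entry = $config.CreateElement('add')
        $entry.SetAttribute('key', 'EnableCredSSPForWinRM')
        [void]$section.AppendChild($entry)
    }
    $entry.SetAttribute('value', $Enabled.ToString().ToLowerInvariant())   # "true" / "false"
    $config.Save($ConfigPath)

    # The agent reads the config at startup, so restart it to apply the setting.
    Restart-Service -Name $ServiceName
    Write-Output ("EnableCredSSPForWinRM set to '{0}'; backup written to {1}" -f $Enabled.ToString().ToLowerInvariant(), $backup)
}

# Usage (service name is a placeholder; confirm it with Get-Service first):
# Set-AgentCredSspOverride -Enabled $true -ServiceName '<agent service name>'
```

Because the key is an override of the value inherited from Secret Server, setting it to `false` on an agent disables CredSSP for that agent only; removing the entry restores the inherited behaviour.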