Enabling CredSSP authentication

Why is CredSSP needed?

CredSSP delegates the user's credentials from one computer to a remote computer. Use CredSSP authentication when the Remote Server is in a different domain from the Applications Manager server. It is used by the Active Directory, SharePoint Server and Exchange Server monitors to collect some specific metrics.

How to enable CredSSP authentication?

Perform the following steps on the Remote Server:
  1. Open Windows PowerShell as Administrator and execute the following command:
    Enable-WSManCredSSP -Role Server
  2. Open gpedit.msc and go to Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation.
     - Enable Encryption Oracle Remediation and set Protection Level to Mitigated (Optional)

Perform the following steps on the Applications Manager Server:
Replace <HostName> with the hostname of the Remote Server.
  1. Open Windows PowerShell as Administrator and execute the following command:
    Enable-WSManCredSSP -Role Client -DelegateComputer <HostName>
  2. Open gpedit.msc and go to Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation.
     - Enable Allow delegating fresh credentials and set value "wsman/<HostName>"
     - Enable Allow delegating fresh credentials with NTLM-only server authentication and set value "wsman/<HostName>"

Follow the steps below on the Applications Manager server to verify:
  1. In the Administrator PowerShell, execute the following command:
    $testSession = New-PSSession -ComputerName <HostName> -Authentication Credssp -Credential (Get-Credential)
  2. If the session is created without any error, enable the Use CredSSP authentication option in the Edit Monitor page and update the monitor.
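
The client-side settings and the verification step above can be checked in one pass with the following script, which is an added example and not part of the Applications Manager documentation. It confirms that both delegation policies list only "wsman/<HostName>", reads the WSMan client CredSSP switch, then opens and closes a test session. The parameter name $RemoteHost is hypothetical, and the registry path assumes the standard location where Windows stores the Credentials Delegation policies.

```powershell
# Added example: audit CredSSP delegation on the Applications Manager server.
# $RemoteHost is a hypothetical parameter name standing in for <HostName>.
param([Parameter(Mandatory)] [string] $RemoteHost)

$expected   = "wsman/$RemoteHost"
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# The two policies enabled in gpedit.msc store their server lists under these subkeys.
foreach ($name in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $key = Join-Path $policyRoot $name
    if (-not (Test-Path $key)) {
        Write-Warning "$name is not configured"
        continue
    }
    $item = Get-Item $key
    $spns = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    if ($spns -notcontains $expected) {
        Write-Warning "$name does not list $expected"
    }
    # Credentials should be delegated only to the monitored host; flag wildcards.
    foreach ($spn in $spns) {
        if ("$spn".Contains('*')) {
            Write-Warning "$name contains a wildcard entry: '$spn'"
        }
    }
}

# Switch set by Enable-WSManCredSSP -Role Client.
$clientCredSsp = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
Write-Output "WSMan client CredSSP enabled: $clientCredSsp"

# Same test as the verification step, with the session removed afterwards.
$session = $null
try {
    $session = New-PSSession -ComputerName $RemoteHost -Authentication Credssp `
        -Credential (Get-Credential) -ErrorAction Stop
    # Run a read-only command to confirm the session is usable.
    Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
}
catch {
    Write-Warning "CredSSP session to $RemoteHost failed: $($_.Exception.Message)"
}
finally {
    if ($session) { Remove-PSSession $session }
}
```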

Where to use CredSSP?

  1. For Diagnostic Tests in Active Directory monitor when the AD server is a non-primary domain controller present in a domain other than that of the Applications Manager domain.
  2. For SharePoint Server monitoring in PowerShell mode, when the SharePoint Server is present in a domain other than that of the Applications Manager domain.
  3. For Queues in non-Mailbox role Exchange Server monitors added in PowerShell mode.
