The issue:
Some customer environments may require that Venafi provisions certificates to applications on a server that is:
- Not joined to any domain
- Behind a firewall
- In a DMZ or other segmented network area
Initial attempts to connect will throw the following errors:
"Connecting to remote server remoteservername.lol failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic."
and
"Connecting to remote server remoteservername.lol failed with the following error message : WinRM cannot process the request. The following error with error code 0x8009030e occurred while using Negotiate authentication: A specified logon session does not exist. It may already have been terminated.
This can occur if the provided credentials are not valid on the target server, or if the server identity could not be verified. If you trust the server identity, add the server name to the TrustedHosts list, and then retry the request. Use winrm.cmd to view or edit the TrustedHosts list. Note that computers in the TrustedHosts list might not be authenticated. For more information about how to edit the TrustedHosts list, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic."
The Cause:
The underlying issue is that the TPP server is attempting to authenticate with Kerberos to an endpoint that can only do NTLM. A server that is not joined to a domain has no Kerberos realm, so the first error is expected. WinRM will then only fall back to NTLM if it can verify the server's identity some other way: either the target is on the client's TrustedHosts list or the connection uses HTTPS. Over plain HTTP to an unlisted host, WinRM refuses, which is the second error.
The Solution:
A resolution to this issue is available here. This resolution may need some tweaking to make it more usable in a production environment.
What first needs to be done is to add the destination server's hostname to the TrustedHosts list in the WinRM client configuration on the TPP server. The documentation recommends the following command (run from an elevated cmd prompt, since the quoting is for cmd rather than PowerShell):
winrm set winrm/config/client '@{TrustedHosts="*"}'
This is not a secure setting: a wildcard tells the WinRM client to authenticate to any host without verifying its identity, so anyone who can spoof or redirect the target's name can receive the NTLM exchange meant for it. The change is easy, just replace the asterisk with the hostname of the destination server so it looks like this:
winrm set winrm/config/client '@{TrustedHosts="DestinationServerHostname"}'
Note that winrm set replaces the whole list, so if the TPP server already provisions to other workgroup hosts, include all of them as a comma-separated value rather than overwriting the existing entries.
Then verify the list has been updated by running, in PowerShell:
Get-Item WSMan:\localhost\Client\TrustedHosts
Next make sure that the credential the application will use has sufficient permissions to perform Venafi-related tasks on the destination server. Since it's a local account on a Workgroup machine, no domain prefix is required; if authentication still fails, qualify the user name with the target's hostname (DestinationServerHostname\username) so that Negotiate goes straight to NTLM instead of attempting Kerberos. The account also needs to be a local administrator on the target (or otherwise permitted to use the WinRM endpoint), and for a local administrator other than the built-in Administrator account, UAC remote restrictions must not filter its token (the LocalAccountTokenFilterPolicy setting, which Enable-PSRemoting configures when it sets up the listener).
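The steps above, as an added PowerShell example run on the TPP server (this is not code from the original article or from Venafi). It assumes the hostname DestinationServerHostname and the local account name VenafiSvc are placeholders, and it uses Set-Item with -Concatenate so existing TrustedHosts entries are kept rather than overwritten:

```powershell
# Added example, not from the original article. Placeholders: replace
# 'DestinationServerHostname' and 'VenafiSvc' with the real target and account.
$Target  = 'DestinationServerHostname'   # workgroup server in the DMZ
$Account = "$Target\VenafiSvc"           # hostname-qualified local account

# 1. Add the target to the WinRM client's TrustedHosts list on this (TPP) server.
#    'winrm set' replaces the whole list; -Concatenate appends to it instead.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($current -split ',') -notcontains $Target) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
}

# 2. Verify the list, and flag the insecure wildcard if someone left it there.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
"TrustedHosts is now: $trusted"
if (($trusted -split ',') -contains '*') {
    Write-Warning 'TrustedHosts contains "*"; restrict it to named hosts.'
}

# 3. Prompt for the local account's password. Qualifying the user name with the
#    target hostname makes it unambiguous that this is a local account, so
#    Negotiate uses NTLM rather than attempting Kerberos.
$cred = Get-Credential -UserName $Account -Message "Local account on $Target"

# 4. Check that the WinRM endpoint answers with explicit Negotiate (NTLM) auth.
#    This is the call that failed with 0x8009030e before the TrustedHosts change.
Test-WSMan -ComputerName $Target -Authentication Negotiate -Credential $cred

# 5. Confirm the account can actually do work there: read the machine certificate
#    store that certificate provisioning writes to. Access denied here points at
#    local group membership or UAC remote restrictions, not at WinRM transport.
Invoke-Command -ComputerName $Target -Authentication Negotiate -Credential $cred -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, NotAfter, Thumbprint
}
```

If the target already has an HTTPS listener (port 5986 with a server certificate the TPP server trusts), add -UseSSL to the Test-WSMan and Invoke-Command calls; the client then verifies the server from its certificate and step 1 is not needed at all.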
All these things should allow Venafi to successfully connect to a segmented Workgroup server and provision to it. The HTTPS transport mentioned in the error text (a WinRM listener on port 5986 with a server certificate the TPP server trusts) is the more robust alternative: the client verifies the server's identity from its certificate, so no TrustedHosts entry is needed.