Exception when using Get-CATemplate in a remote session #227

Open
michaeldcanady opened this issue Jan 21, 2025 · 5 comments

@michaeldcanady

I am trying to fetch CA templates while in a PSRemoteSession, and I get the following exception:

```
> Connect-CertificationAuthority -ComputerName "<host FQDN>" | Get-CATemplate
New-Object : Exception calling ".ctor" with "1" argument(s): "An operations error occurred.
"
At C:\Program Files\WindowsPowerShell\Modules\PSPKI\4.2.0\Server\Get-CATemplate.ps1:14 char:13
+             New-Object PKI.CertificateServices.CATemplate -ArgumentLi ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
```

@Crypt32
Collaborator

Crypt32 commented Jan 21, 2025

PSPKI is not officially supported in remote sessions, because it establishes remote connections internally and you run into the "double hop" issue. You can try to use CredSSP in a remote session; however, it is not supported. You should use PSPKI locally and specify remote servers in the -ComputerName parameter in applicable commands.

@michaeldcanady
Author

michaeldcanady commented Jan 21, 2025

We're using Ansible for provisioning, which requires a remote connection using WinRM. This is the only cmdlet so far we've had this issue with.

@Crypt32
Collaborator

Crypt32 commented Jan 21, 2025

Try it in a remote session with CredSSP. Connect-CertificationAuthority makes connections to AD, which causes a "double hop", and CredSSP should overcome this issue.

@michaeldcanady
Author

We're hesitant to enable CredSSP. Out of curiosity, would the double hop be avoided with Get-CertificationAuthority, or does that use remote connections as well?

@Crypt32
Collaborator

Crypt32 commented Jan 22, 2025

> We're hesitant to enable CredSSP. Out of curiosity, would the double hop be avoided with Get-CertificationAuthority, or does that use remote connections as well?

Get-CertificationAuthority and Connect-CertificationAuthority are almost identical, with the exception that Get- connects to all discoverable CA servers, while Connect- connects only to local or specified ones. That is, replacing the command will not solve your issue.
