KBEC-00353 - Enabling Multi-Hop Support for Windows Remote Management Before Installing or Upgrading Remote Agents

Article ID:360032826672

Summary:

This article describes how to configure permissions for machines in a domain so that the "NetUserGetInfo: Access is denied" error does not occur when you use Windows Centralized Agent Management (CAM) to install or upgrade Windows remote agents.

Windows CAM is introduced in CloudBees CD (CloudBees Flow) 7.0. For more information about using Windows CAM, see the "Installing or Upgrading Remote Agents" section in the "Automation Platform" chapter of the CloudBees CD (CloudBees Flow) 7.0 User Guide.

Solution:

To fix this problem, you configure multi-hop support for Windows Remote Management (WinRM) by enabling the Credential Security Support Provider (CredSSP) protocol. You do so on the CAM driving resource (the WinRM client) machine and on each target host (each WinRM server). This allows Windows to delegate credentials and is needed if the agent user is a domain user on the target machines.

Configuring the CAM Driving Resource

You can use the command line or the Local Group Policy Editor.

Enabling CredSSP on the WinRM Client

On the CAM driving resource (the WinRM client) machine, open a command window and enable CredSSP by entering

   winrm set winrm/config/client/auth @{CredSSP="true"}

If you do not have permission to do so, contact your system administrator.

Enabling the AllowFreshCredentials Policy on the WinRM Client

  1. On the (Windows) CAM driving resource (the WinRM client) machine, start the Local Group Policy Editor:

    1. Click Start > All Programs > Accessories, and then click Run.

    2. Type gpedit.msc in the text box, and then click OK.

  2. In the Local Group Policy Editor, click Computer Configuration > Administrative Templates > System > Credentials Delegation, and then do one of the following:

    • If the Windows CAM driving resource is in the same Windows domain as
      the target hosts on which you want to install the agent, double-click the
      Allow Delegating Fresh Credentials policy.

    • If the Windows CAM driving resource is not in the same Windows
      domain as the target hosts on which you want to install the agent,
      double-click the Allow Delegating Fresh Credentials with NTLM-only Server Authentication policy.

  3. Click the Enabled radio button.

  4. Add the SPNs for the target hosts to the list by entering the following for each host:

        WSMAN/<machine>.<domain>.com

    For example, enter

        WSMAN/machine1.mydomain.com

    An SPN represents a target host to which the user credentials will be delegated.

    You cannot specify IP addresses.

    You can use WSMAN/*.<domain>.com to allow all machines in the specified domain to receive credentials delegated from this client.

  5. Click OK.

If you do not have permission to perform these steps, contact your system administrator.

(Optional) Verify that CredSSP is Enabled

To verify that CredSSP is enabled, use the PowerShell cmdlet Get-WSManCredSSP. If it is enabled, a message similar to the following appears:

The machine is configured to allow delegating fresh credentials to the
following target(s):wsman/hostname.testdomain.com
This computer is not configured to receive credentials from a remote
client computer.

Configuring Each Target Host

Enabling CredSSP on Each WinRM Server

On each target host (each WinRM server), complete the following steps:

  1. Ensure that a WinRM HTTPS or HTTP listener is configured.

  2. Open a command window and enable CredSSP by entering

        winrm set winrm/config/service/auth @{CredSSP="true"}

    This allows the host to act as a delegate.

If you do not have permission to perform these steps, contact your system administrator.

(Optional) Verifying that CredSSP is Enabled on a WinRM Server

To verify that CredSSP is enabled on any target host (any WinRM server), use the PowerShell cmdlet Get-WSManCredSSP. If it is enabled, a message similar to the following appears:

The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote
client computer.
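The client-side and server-side steps above as one PowerShell script, added here as an example (it is not part of the CloudBees article): the $Role parameter selects which side to configure, mydomain.com and machine1.mydomain.com are the article's placeholder names, and Test-DelegateTarget is a helper written for this example.

```powershell
# Added example, not from the CloudBees article: PowerShell equivalent of the
# client-side and server-side CredSSP steps above, plus a verification step.
# Run in an elevated PowerShell. Host names are placeholders from the article.
param(
    [ValidateSet('Client', 'Server')] [string]$Role = 'Client',
    # Hosts allowed to receive delegated credentials (client role only). Prefer
    # explicit hosts over '*.mydomain.com': every listed host can use the
    # delegated credentials as the agent user.
    [string[]]$DelegateComputer = @('machine1.mydomain.com')
)

function Test-DelegateTarget {
    param([string]$Target)
    # The policy only accepts DNS names or a *.domain wildcard, never IP addresses.
    if ($Target -as [ipaddress]) {
        throw "'$Target' is an IP address; the AllowFreshCredentials list needs a DNS name."
    }
    if ($Target -notmatch '^(\*\.)?[A-Za-z0-9][A-Za-z0-9.-]*$') {
        throw "'$Target' is not a valid host name or *.domain wildcard."
    }
}

if ($Role -eq 'Client') {
    $DelegateComputer | ForEach-Object { Test-DelegateTarget $_ }
    # Same effect as 'winrm set winrm/config/client/auth @{CredSSP="true"}' plus the
    # "Allow Delegating Fresh Credentials" entries (WSMAN/<host>) written by gpedit.msc.
    # The cross-domain "NTLM-only Server Authentication" policy still needs gpedit.msc.
    Enable-WSManCredSSP -Role Client -DelegateComputer $DelegateComputer -Force | Out-Null
}
else {
    # Step 1 on each target host: a listener must exist before CredSSP is useful.
    if (-not (Get-ChildItem WSMan:\localhost\Listener)) {
        throw 'No WinRM listener is configured; create one (e.g. winrm quickconfig) first.'
    }
    # Same effect as 'winrm set winrm/config/service/auth @{CredSSP="true"}'.
    Enable-WSManCredSSP -Role Server -Force | Out-Null
}

# Verification: read the settings Get-WSManCredSSP summarises, as structured values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
$targets = if (Test-Path $policyKey) {
    $key = Get-Item $policyKey; $key.Property | ForEach-Object { $key.GetValue($_) }
} else { @() }
[pscustomobject]@{
    ClientCredSSP     = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value   # 'true' on the CAM driving resource
    ServiceCredSSP    = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value  # 'true' on each target host
    DelegationTargets = ($targets -join ', ')                                   # e.g. wsman/machine1.mydomain.com
}
```

Run it with -Role Client on the CAM driving resource and with -Role Server on each target host; the returned object should show ClientCredSSP and a non-empty DelegationTargets on the client, and ServiceCredSSP true on each server.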

References

The procedures in this article are adapted from the following articles on the Microsoft Developer Network website:

Applies to:

CloudBees CD (CloudBees Flow) versions 7.0 and newer on supported Windows platforms.