Summary:
This article describes how to configure permissions for machines in a domain to avoid the NetUserGetInfo: Access is denied
issue when you use Windows Centralized Agent Management (CAM) to install or upgrade Windows remote agents.
Windows CAM is introduced in CloudBees CD (CloudBees Flow) 7.0. For more information about using Windows CAM, see the "Installing or Upgrading Remote Agents" section in the "Automation Platform" chapter of the CloudBees CD (CloudBees Flow) 7.0 User Guide.
Solution:
To fix this problem, you configure multi-hop support for Windows Remote Management (WinRM) by enabling the Credential Security Support Provider (CredSSP) protocol. You do so on the CAM driving resource (the WinRM client) machine and on each target host (each WinRM server). This allows Windows to delegate credentials and is needed if the agent user is a domain user on the target machines.
Configuring the CAM Driving Resource
You can use the command line or the Local Group Policy Editor.
Enabling CredSSP on the WinRM Client
On the CAM driving resource (the WinRM client) machine, open a command window and enable CredSSP by entering
winrm set winrm/config/client/auth @{CredSSP="true"}
If you do not have permission to do so, contact your system administrator.
Enabling the AllowFreshCredentials Policy on the WinRM Client
- On the (Windows) CAM driving resource (the WinRM client) machine, start the Local Group Policy Editor:
  - Click Start > All Programs > Accessories, and then click Run.
  - Type gpedit.msc in the text box, and then click OK.
- In the Local Group Policy Editor, click , and then do one of the following:
  - If the Windows CAM driving resource is in the same Windows domain as the target hosts on which you want to install the agent, double-click the Allow Delegating Fresh Credentials policy.
  - If the Windows CAM driving resource is not in the same Windows domain as the target hosts on which you want to install the agent, double-click the Allow Delegating Fresh Credentials with NTLM-only Server Authentication policy.
- Click the Enabled radio button.
- Add the SPNs for the target hosts to the list by entering the following for each host:
  WSMAN/<hostname>.<domain>.com
  For example, enter
  WSMAN/machine1.mydomain.com
  An SPN represents a target host to which the user credentials will be delegated. You cannot specify IP addresses. You can use WSMAN/*.<domain>.com to allow credentials from this client to be delegated to all machines in the specified domain.
- Click OK.
If you do not have permission to perform these steps, contact your system administrator.
(Optional) Verify that CredSSP is Enabled
To verify that CredSSP is enabled, use the PowerShell cmdlet Get-WSManCredSSP. If it is enabled, a message similar to the following appears:
The machine is configured to allow delegating fresh credentials to the following target(s): wsman/hostname.testdomain.com
This computer is not configured to receive credentials from a remote client computer.
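The following script is an added example and is not part of the CloudBees article or product. It audits the client-side state that the steps above produce: the winrm/config/client/auth CredSSP flag (read through the WSMan: drive) and the Allow Delegating Fresh Credentials entries that the Local Group Policy Editor writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation. It assumes an elevated PowerShell session on the CAM driving resource; the target host names are constructed for illustration. Because CredSSP hands the user's credentials to whichever host matches an SPN entry, the script reports wildcard entries (WSMAN/*.<domain>.com) separately so they can be reviewed, and lists any target host that no entry covers.

```powershell
# Added example, not part of the CloudBees article: audit the WinRM client side of CredSSP.
# Assumes an elevated PowerShell session on the CAM driving resource.
# Target host names below are constructed for illustration.

function Get-CredSspClientAudit {
    param(
        [string[]] $TargetHosts = @('machine1.mydomain.com', 'machine2.mydomain.com')
    )

    $audit = [ordered]@{
        CredSspEnabled = $false   # winrm/config/client/auth CredSSP
        FreshPolicy    = $null    # Allow Delegating Fresh Credentials (1 = enabled)
        NtlmOnlyPolicy = $null    # ... with NTLM-only Server Authentication (1 = enabled)
        DelegatedSpns  = @()
        WildcardSpns   = @()
        UncoveredHosts = @()
    }

    # Same setting the article enables with: winrm set winrm/config/client/auth @{CredSSP="true"}
    $credSsp = Get-Item -Path 'WSMan:\localhost\Client\Auth\CredSSP' -ErrorAction Stop
    $audit.CredSspEnabled = ($credSsp.Value -eq 'true')

    # The Local Group Policy Editor stores the Credentials Delegation policies under this key.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    if (Test-Path $policyRoot) {
        $root = Get-ItemProperty -Path $policyRoot
        $audit.FreshPolicy    = $root.AllowFreshCredentials
        $audit.NtlmOnlyPolicy = $root.AllowFreshCredentialsWhenNTLMOnly

        foreach ($policy in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
            $listKey = Join-Path $policyRoot $policy
            if (Test-Path $listKey) {
                # Each SPN is a numbered value ("1", "2", ...) holding e.g. WSMAN/machine1.mydomain.com
                $spns = (Get-ItemProperty -Path $listKey).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } |
                    ForEach-Object { [string] $_.Value }
                $audit.DelegatedSpns += $spns
            }
        }
    }

    # A wildcard such as WSMAN/*.mydomain.com lets every host in that domain receive the
    # delegated credentials, so report those entries separately for review.
    $audit.WildcardSpns = @($audit.DelegatedSpns | Where-Object { $_.Contains('*') })

    # Check that every target host is covered by at least one SPN (exact or wildcard).
    $patterns = $audit.DelegatedSpns | ForEach-Object { $_ -replace '^WSMAN/', '' }
    foreach ($h in $TargetHosts) {
        $covered = $false
        foreach ($p in $patterns) {
            if ($h -like $p) { $covered = $true; break }
        }
        if (-not $covered) { $audit.UncoveredHosts += $h }
    }

    return [pscustomobject] $audit
}

$report = Get-CredSspClientAudit
$report | Format-List

if (-not $report.CredSspEnabled) {
    Write-Warning 'CredSSP is not enabled on the WinRM client (winrm/config/client/auth).'
}
if ($report.UncoveredHosts.Count -gt 0) {
    Write-Warning ('No delegation SPN covers: ' + ($report.UncoveredHosts -join ', '))
}
if ($report.WildcardSpns.Count -gt 0) {
    Write-Warning ('Wildcard delegation entries present, review them: ' + ($report.WildcardSpns -join ', '))
}
```

Run it after completing the Group Policy steps; an empty UncoveredHosts list and no wildcard warning means each target host is listed explicitly, which is the least-privilege form of the delegation list. If a host is reported as uncovered, add its WSMAN/<hostname>.<domain>.com entry to the policy and rerun.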
Configuring Each Target Host
Enabling CredSSP on Each WinRM Server
On each target host (each WinRM server), complete the following steps:
-
Ensure that a WinRM HTTPS or HTTP listener is configured.
-
Open a command window and enable CredSSP by entering
winrm set winrm/config/service/auth @{CredSSP="true"}
This allows the host to act as a delegate.
If you do not have permission to perform these steps, contact your system administrator.
(Optional) Verifying that CredSSP is Enabled on a WinRM Server
To verify that CredSSP is enabled on any target host (any WinRM server), use the PowerShell cmdlet Get-WSManCredSSP. If it is enabled, a message similar to the following appears:
The machine is not configured to allow delegating fresh credentials. This computer is configured to receive credentials from a remote client computer.
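The following script is an added example and is not part of the CloudBees article or product. It checks the two server-side conditions above on a target host: that an enabled WinRM HTTP or HTTPS listener exists, and that CredSSP is enabled on the WinRM service (winrm/config/service/auth). It assumes an elevated PowerShell session on the target host. With the -Remediate switch it enables CredSSP on the service through Enable-WSManCredSSP -Role Server, which is the cmdlet form of the winrm set command the article gives; without the switch it only reports.

```powershell
# Added example, not part of the CloudBees article: verify the WinRM server side of CredSSP
# on a target host. Assumes an elevated PowerShell session on that host.

function Get-CredSspServerAudit {
    param(
        # Enable CredSSP on the WinRM service if the check finds it disabled
        [switch] $Remediate
    )

    # Article step 1: at least one enabled WinRM HTTP or HTTPS listener must be configured.
    $listeners = foreach ($l in Get-ChildItem -Path 'WSMan:\localhost\Listener') {
        $props = @{}
        foreach ($child in Get-ChildItem -Path $l.PSPath) { $props[$child.Name] = $child.Value }
        [pscustomobject]@{
            Transport = $props['Transport']
            Address   = $props['Address']
            Port      = $props['Port']
            Enabled   = $props['Enabled']
        }
    }
    $hasListener = @($listeners | Where-Object {
        ($_.Transport -in 'HTTP', 'HTTPS') -and ($_.Enabled -eq 'true')
    }).Count -gt 0

    # Article step 2: winrm set winrm/config/service/auth @{CredSSP="true"}
    $serviceCredSsp = (Get-Item -Path 'WSMan:\localhost\Service\Auth\CredSSP').Value -eq 'true'

    if (-not $serviceCredSsp -and $Remediate) {
        # Cmdlet equivalent of the winrm set command above
        Enable-WSManCredSSP -Role Server -Force | Out-Null
        $serviceCredSsp = (Get-Item -Path 'WSMan:\localhost\Service\Auth\CredSSP').Value -eq 'true'
    }

    [pscustomobject]@{
        Listeners          = $listeners
        HasEnabledListener = $hasListener
        ServiceCredSsp     = $serviceCredSsp
        ReadyForCam        = ($hasListener -and $serviceCredSsp)
    }
}

$report = Get-CredSspServerAudit
$report.Listeners | Format-Table -AutoSize
$report | Select-Object HasEnabledListener, ServiceCredSsp, ReadyForCam | Format-List

if (-not $report.HasEnabledListener) {
    Write-Warning 'No enabled WinRM HTTP/HTTPS listener found; configure one before enabling CredSSP.'
}
if (-not $report.ServiceCredSsp) {
    Write-Warning 'CredSSP is disabled on the WinRM service; rerun with -Remediate or use the winrm set command.'
}
```

ReadyForCam is true only when both conditions hold, which matches the state that the Get-WSManCredSSP message above describes ("configured to receive credentials from a remote client computer"). Prefer an HTTPS listener where possible, since CredSSP carries the delegated credentials inside the WinRM session.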