1 00:00:01,340 --> 00:00:04,440 [Autogenerated] In this demonstration, we'll have a look at solving the Kerberos
2 00:00:04,440 --> 00:00:07,340 second-hop problem with CredSSP and then move
3 00:00:07,340 --> 00:00:09,340 into Just Enough Administration.
4 00:00:09,340 --> 00:00:12,870 I'm on a machine here, let's do a hostname, called VM1.
5 00:00:12,870 --> 00:00:15,690 It's part of my Active Directory domain.
6 00:00:15,690 --> 00:00:19,680 And first, to verify the problem, let's take a look at my code file. By the way,
7 00:00:19,680 --> 00:00:22,440 all of my code files are in the exercise files.
8 00:00:22,440 --> 00:00:28,320 Let's enter a PowerShell remoting session with VM2 and then, from that context,
9 00:00:28,320 --> 00:00:31,870 let's attempt to invoke a command on VM3.
10 00:00:31,870 --> 00:00:35,420 Now we want that to happen using delegated credentials,
11 00:00:35,420 --> 00:00:37,970 that is, my Tim account, but we're going to see, if we
12 00:00:37,970 --> 00:00:40,110 paste this in and attempt to run it,
13 00:00:40,110 --> 00:00:44,240 it bombs out because there's no delegation happening by default.
14 00:00:44,240 --> 00:00:48,240 So what we're going to do is enable CredSSP both for
15 00:00:48,240 --> 00:00:50,530 the local computer in the client role,
16 00:00:50,530 --> 00:00:56,080 and we're going to delegate vm2.timw.info to handle our credentials.
17 00:00:56,080 --> 00:00:58,700 Let me click exit to close my remote session.
18 00:00:58,700 --> 00:01:02,860 And what we're going to do to solve this problem is on line 11.
19 00:01:02,860 --> 00:01:06,860 We're going to configure the local computer with the CredSSP client
20 00:01:06,860 --> 00:01:12,040 role, and the delegate computer is going to be VM2; that's going to be
21 00:01:12,040 --> 00:01:15,400 configured as the WSMan CredSSP server.
22 00:01:15,400 --> 00:01:18,940 So let me right-click, run this, and then I can verify my
23 00:01:18,940 --> 00:01:24,460 CredSSP settings with Get-WSManCredSSP, and it's telling us here
24 00:01:24,460 --> 00:01:28,050 the machine is configured to allow delegating fresh credentials
25 00:01:28,050 --> 00:01:29,440 to the following target,
26 00:01:29,440 --> 00:01:33,330 but it's not configured to receive credentials for a remote
27 00:01:33,330 --> 00:01:36,690 computer. In order to set up our second computer,
28 00:01:36,690 --> 00:01:38,340 VM2, as a server,
29 00:01:38,340 --> 00:01:42,570 I can do this. I'm going to do, let me adjust this code a little bit.
30 00:01:42,570 --> 00:01:46,570 I'm going to again do an Invoke-Command against VM2, and I'm going to
31 00:01:46,570 --> 00:01:50,910 specify Enable-WSManCredSSP in the role of server.
32 00:01:50,910 --> 00:01:53,710 So let me right-click this, click Run. Good deal.
33 00:01:53,710 --> 00:01:55,590 And so now, to test this out,
34 00:01:55,590 --> 00:02:00,890 let's do an Enter-PSSession, and notice that I'm specifying authentication
35 00:02:00,890 --> 00:02:03,270 CredSSP. Right-click, run.
36 00:02:03,270 --> 00:02:07,430 This is going to provide my credentials here like that, interactively, and
37 00:02:07,430 --> 00:02:11,550 now that I'm on VM2, I can do this Invoke-Command again.
38 00:02:11,550 --> 00:02:14,700 Let me copy this to my clipboard, let me clear the screen,
39 00:02:14,700 --> 00:02:18,040 right-click, paste that in, and we get results back.
40 00:02:18,040 --> 00:02:18,960 So there it is.
41 00:02:18,960 --> 00:02:20,490 Now, if you're wondering, oh,
42 00:02:20,490 --> 00:02:24,490 what if one of my colleagues has enabled this client-server
43 00:02:24,490 --> 00:02:28,020 CredSSP and then you decide that you want to do constrained Kerberos
44 00:02:28,020 --> 00:02:31,300 delegation in a more secure way, can you disable or remove it?
45 00:02:31,300 --> 00:02:31,930 Absolutely
46 00:02:31,930 --> 00:02:34,830 you can. First, let me exit my PS session
47 00:02:34,830 --> 00:02:36,340 so I don't forget to do that.
48 00:02:36,340 --> 00:02:38,390 I scroll down in the script file,
49 00:02:38,390 --> 00:02:43,270 you can see I've got Disable-WSManCredSSP -Role Client,
50 00:02:43,270 --> 00:02:47,640 and then we could, if we wanted to, disable WSMan CredSSP
51 00:02:47,640 --> 00:02:51,000 in the server role as well. Makes sense