From da5b4cf9e20da69eb271cc0a2f2c901a154cfb8d Mon Sep 17 00:00:00 2001 From: jgarces-pd <74255967+jgarces-pd@users.noreply.github.com> Date: Tue, 16 Jun 2026 12:04:04 -0400 Subject: [PATCH 1/2] fixing some mistakes from previous PR fixing GPO --- docs/learning/howto/how2winrm-rundeck.md | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/docs/learning/howto/how2winrm-rundeck.md b/docs/learning/howto/how2winrm-rundeck.md index 3356b2298..12e561981 100644 --- a/docs/learning/howto/how2winrm-rundeck.md +++ b/docs/learning/howto/how2winrm-rundeck.md 
@@ -268,18 +268,23 @@ The following Group Policy settings are required on the Windows nodes. All crede | Policy | Value | |---|---| -| Allow delegating default credentials | Enabled — server list: `WSMAN/*` | -| Allow delegating fresh credentials | Enabled — server list: `WSMAN/*` | -| Allow delegating saved credentials | Enabled — server list: `WSMAN/*` | -| Allow delegating default credentials with NTLM-only server authentication | Enabled — server list: `WSMAN/*` | -| Allow delegating fresh credentials with NTLM-only server authentication | Enabled — server list: `WSMAN/*` | -| Allow delegating saved credentials with NTLM-only server authentication | Enabled — server list: `WSMAN/*` | -| WinRM Client > Allow Kerberos authentication | Enabled | -| WinRM Service > Allow Kerberos authentication | Enabled | +| Allow delegating default credentials | Enabled — server list: `WSMAN/*.yourdomain.com` | +| Allow delegating fresh credentials | Enabled — server list: `WSMAN/*.yourdomain.com` | +| Allow delegating saved credentials | Enabled — server list: `WSMAN/*.yourdomain.com` | +| Allow delegating default credentials with NTLM-only server authentication | Enabled — server list: `WSMAN/*.yourdomain.com` | +| Allow delegating fresh credentials with NTLM-only server authentication | Enabled — server list: `WSMAN/*.yourdomain.com` | +| Allow delegating saved credentials with NTLM-only server authentication | Enabled — server list: `WSMAN/*.yourdomain.com` | + +**Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management** + +| Policy | Value | +|---|---| +| WinRM Client > Disallow Kerberos authentication | Disabled | +| WinRM Service > Disallow Kerberos authentication | Disabled | The first three policies cover credential delegation when the target server authenticates via **Kerberos**. 
The `NTLM-only` variants cover the same delegation but when the server falls back to **NTLM** — which can happen when Kerberos is temporarily unavailable, a DNS issue prevents SPN resolution, or a node is not yet fully enrolled in the domain. Enabling both sets ensures delegation works reliably across all nodes regardless of which authentication protocol is negotiated. -> **Important:** Always use `WSMAN/*` (not `WSMAN/*.yourdomain.com`) in the server list. A domain-scoped value is a common mistake when exporting and importing GPOs between domains — it will silently block credential delegation for any node outside the original domain. +> **Important:** Always use `WSMAN/*.yourdomain.com` (not `WSMAN/*`) in the server list. A domain-scoped value improves server security. ### Verifying Kerberos Configuration From d43e0bade8da1c167fe6feae0649c2cbb30611e0 Mon Sep 17 00:00:00 2001 From: jgarces-pd <74255967+jgarces-pd@users.noreply.github.com> Date: Tue, 16 Jun 2026 12:15:06 -0400 Subject: [PATCH 2/2] Fixing warning wording. --- docs/learning/howto/how2winrm-rundeck.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/learning/howto/how2winrm-rundeck.md b/docs/learning/howto/how2winrm-rundeck.md index 12e561981..93d987048 100644 --- a/docs/learning/howto/how2winrm-rundeck.md +++ b/docs/learning/howto/how2winrm-rundeck.md 
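Review bot: the callout at the end of this hunk now says `WSMAN/*.yourdomain.com` "improves server security" but drops the previous explanation entirely, so a reader who followed the earlier `WSMAN/*` advice gets no reason for the reversal; state what the scoping does (delegation is permitted only to hosts whose SPN matches that pattern) and mark `yourdomain.com` as a placeholder for the nodes' own DNS domain. Because the server list is matched against the SPN built from the name Rundeck connects with, the doc should also say that nodes must be addressed by an FQDN under that suffix (a short host name or IP address does not match the pattern), and that environments with more than one DNS domain need one entry per suffix. Minor: the sentence "The first three policies cover credential delegation ..." now sits below two tables; "the first three delegation policies" would make clear it refers to the first table only.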
@@ -284,7 +284,7 @@ The following Group Policy settings are required on the Windows nodes. All crede The first three policies cover credential delegation when the target server authenticates via **Kerberos**. The `NTLM-only` variants cover the same delegation but when the server falls back to **NTLM** — which can happen when Kerberos is temporarily unavailable, a DNS issue prevents SPN resolution, or a node is not yet fully enrolled in the domain. Enabling both sets ensures delegation works reliably across all nodes regardless of which authentication protocol is negotiated. -> **Important:** Always use `WSMAN/*.yourdomain.com` (not `WSMAN/*`) in the server list. A domain-scoped value improves server security. +> **Important:** Always use `WSMAN/*.yourdomain.com` (not `WSMAN/*`) in the server list. Scoping to your domain restricts credential delegation to your own servers only, reducing the risk of credentials being delegated to an untrusted host. ### Verifying Kerberos Configuration
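Review bot: "restricts credential delegation to your own servers only" overstates what the pattern does; `WSMAN/*.yourdomain.com` allows delegation to any host whose name falls under that DNS suffix, so "to hosts in your own domain" is the accurate wording. The rationale also sits directly under the paragraph recommending that the `NTLM-only` variants be enabled on all nodes: on the NTLM fallback path the client does not authenticate the server's identity the way Kerberos does, so the name-based restriction gives weaker assurance there; a sentence saying the NTLM-only policies should be enabled only where the fallback is actually needed would keep the security claim honest. `yourdomain.com` should be marked as a placeholder in the callout as well.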