23 changes: 14 additions & 9 deletions docs/learning/howto/how2winrm-rundeck.md
Expand Up @@ -268,18 +268,23 @@ The following Group Policy settings are required on the Windows nodes. All crede

| Policy | Value |
|---|---|
| Allow delegating default credentials | Enabled β€” server list: `WSMAN/*` |
| Allow delegating fresh credentials | Enabled β€” server list: `WSMAN/*` |
| Allow delegating saved credentials | Enabled β€” server list: `WSMAN/*` |
| Allow delegating default credentials with NTLM-only server authentication | Enabled β€” server list: `WSMAN/*` |
| Allow delegating fresh credentials with NTLM-only server authentication | Enabled β€” server list: `WSMAN/*` |
| Allow delegating saved credentials with NTLM-only server authentication | Enabled β€” server list: `WSMAN/*` |
| WinRM Client > Allow Kerberos authentication | Enabled |
| WinRM Service > Allow Kerberos authentication | Enabled |
| Allow delegating default credentials | Enabled β€” server list: `WSMAN/*.yourdomain.com` |
| Allow delegating fresh credentials | Enabled β€” server list: `WSMAN/*.yourdomain.com` |
| Allow delegating saved credentials | Enabled β€” server list: `WSMAN/*.yourdomain.com` |
| Allow delegating default credentials with NTLM-only server authentication | Enabled β€” server list: `WSMAN/*.yourdomain.com` |
| Allow delegating fresh credentials with NTLM-only server authentication | Enabled β€” server list: `WSMAN/*.yourdomain.com` |
| Allow delegating saved credentials with NTLM-only server authentication | Enabled β€” server list: `WSMAN/*.yourdomain.com` |

**Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management**

| Policy | Value |
|---|---|
| WinRM Client > Disallow Kerberos authentication | Disabled |
| WinRM Service > Disallow Kerberos authentication | Disabled |

The first three policies cover credential delegation when the target server authenticates via **Kerberos**. The `NTLM-only` variants cover the same delegation but when the server falls back to **NTLM** β€” which can happen when Kerberos is temporarily unavailable, a DNS issue prevents SPN resolution, or a node is not yet fully enrolled in the domain. Enabling both sets ensures delegation works reliably across all nodes regardless of which authentication protocol is negotiated.

> **Important:** Always use `WSMAN/*` (not `WSMAN/*.yourdomain.com`) in the server list. A domain-scoped value is a common mistake when exporting and importing GPOs between domains β€” it will silently block credential delegation for any node outside the original domain.
> **Important:** Always use `WSMAN/*.yourdomain.com` (not `WSMAN/*`) in the server list. Scoping to your domain restricts credential delegation to your own servers only, reducing the risk of credentials being delegated to an untrusted host.

### Verifying Kerberos Configuration

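Review bot: the rewritten **Important** note at the end of the hunk drops the troubleshooting hint the old note carried, and the new pattern needs one of its own. With `WSMAN/*.yourdomain.com` as the server list, CredSSP delegates only when the target SPN matches that pattern, so a node that Rundeck addresses by short hostname or IP address produces an SPN such as `WSMAN/node01` or `WSMAN/10.0.0.5`, the policy does not match, and delegation is refused without an obvious error. Suggest adding a sentence after the note, for example: "Replace `yourdomain.com` with your Active Directory DNS suffix, and define every Rundeck node by its fully qualified name; a short name or IP address will not match the server list and delegation will fail silently." It would also help to state that `yourdomain.com` is a placeholder, since the tables now repeat it six times without saying so.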