Cluster Update asking to enable CredSSP


I installed Windows Admin Center, it's great and working fine, but one of the things it advises me to do is to turn off CredSSP on servers, but when I use the Updates link on the cluster page, it tells me that it needs to turn on CredSSP. Is this a must? Or is there another way?

42 Replies
Yes, CredSSP is required for the update tool in either Failover or Hyper-Converged cluster manager.

@Jeff Woolslayer 

Do you have a procedure to enable the CredSSP options to allow Windows Admin Center to process cluster updates?

Hi @Paul Westervelt! I see you reached out via email as well. Someone should get back to you on that thread soon. 

 

The gist of it is that WAC should handle all the CredSSP configuration automatically. As a user, you shouldn't have to do anything (other than consent.)

@Jeff Woolslayer 

 

I think I'm seeing a similar issue. CredSSP is simply not turning on automatically. I get an error in WAC when I try and do updates or diagnostics stating "The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings"

 

RBAC was off originally, but I tried turning it on (and adding my user to the admin list) and then turned it off, and neither way worked. I even tried logging into each server and running `Enable-WSManCredSSP -role server` in PowerShell and that showed that it was enabled, but the updates and diagnostics still came back with the same error. I'm running v1904 build 1.2.1904.11004 on a Windows 2019 server that I'm connecting to with a Windows 10 desktop and trying to manage a S2D hyperconverged cluster running 2019.

@oikjn 

 

Can you tell me a little more about your desktop/gateway machine?  There is a local group called "Windows Admin Center CredSSP Admins" -- can you tell me if your identity is a member of this group?  Can you tell me which locale you are using on this machine?  And -- can you run the following command in an elevated PowerShell console on this machine and reply with the results:

 

```
Enable-WSManCredSSP -Role Client -DelegateComputer <The FQDN of one of the cluster nodes>
```

 

Cheers!

 

Galen

 

Hi @galenb, I have the same problem. I ran the command and this is the result.

 

cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

@galenb 

 

I too have the same issues and get the same return after setting up each node in one of our clusters:

cfg : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang : en-US
Basic : true
Digest : true
Kerberos : true
Negotiate : true
Certificate : true
CredSSP : true

@John Barreto 

 

Thanks, what about the other questions I asked?  Also, can I have the output from Get-WSManCredSSP?

 

Also service mode or desktop mode?

@tcook37402 

 

Can you look at my reply to John Barreto?  I have the same question for you too...

@galenb 

 

Another me too.   We run Enable-WSManCredSSP on all 4 nodes and get 

 

cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

 

We are trying to use the Windows Admin Centre Update tool but can not get beyond the "The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings".

 

Each node has RBAC applied and CredSSP is enabled and showing its orange badge.

 

Hope someone has some suggestions.

@galenb 

 

Sorry, I didn't see the notice of the reply from you. I have a 2019 server VM set up to run WAC and connect to that through my desktop. I am logging in on the WAC webpage as a domain administrator account.

 

My desktop doesn't have the group you mentioned, but the WAC computer does and the admin account I use is listed in it. I ran the command you asked on the WAC computer and tried again and still have the same error. I did it for both nodes of the cluster and both came back with basic/digest/kerberos/negotiate/certificate/credssp all equal to true and cfg: http://schemas.microsoft.com/wbem/wsman/1/config/client/auth (sorry... couldn't copy/paste from VM console).

 

edit:  I just updated to 1904.1 and retried...  same results.

Same here. I have been on every single version of WAC for my cluster. Ever since upgrading to 1902, it has been broken!

Just upgraded to WAC1906, same problem!

 

Why can't someone just design an error message that is human-understandable, with a suggested action to be able to fix it?

 

Enabling CredSSP Delegation (10:38:34 PM)

Type: Error

Message: Couldn't determine if the current user is a member of the Windows Admin Center CredSSP Administrators group. Error: Connecting to remote server wac1 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the wac1 computer. For more information, see the about_Remote_Troubleshooting Help topic.

@galenb  I also have this issue. Setup brand new WAC server on Windows 2019. Added a cluster and all 3 nodes to WAC. On the WAC gateway machine, ran the "Enable-WSManCredSSP" command to all three nodes. output says "true" for all after it runs. On the gateway machine, when I run "Get-WSManCredSSP" on it, I get:
```
The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.
```

I have verified that my userID is in the group mentioned for "WAC CredSSP Admins" as well.

 

Any other ideas?

Same issue.  All nodes in cluster running WS2019 (March Update). WAC version is 1907 build 1.2.1906.28002.

 
 

Same issue here. It would be nice if there was an official guide to make this work. The way I am trying to set it up is have a centralized WAC VM running 2019 with the latest extension versions and we all connect to it from our respective Windows 10 clients. I am trying to use the Diagnostics module 1.1.10 the Hyper-Converged Cluster Manager to connect to an S2D 2019 cluster. While the module installs fine, the problem comes up in notifications of the following:

 

Error: Enable delegation

Source - Go to Diagnostics

Type: Error

Message: The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings

 

The user I am trying to use is in the local "Windows Admin Center CredSSP Admins" group on the WAC and the enable-wsmancredssp -role client -delegatecomputer (nodes) has been completed successfully. I even added it to the SDDC instances and failover cluster instance FQDNs. Still does the same thing every time.

 

 

I'm having the same issue. It says access is blocked based on the RBAC settings, but the thing is, I don't even have RBAC enabled since this is a lab.

@Haribo 

 

I need more info about your gateway setup...

 

Desktop or service mode?

 

What is the execution policy of your gateway machine?  RemoteSigned, AllSigned, etc...

 

Are your connections FQDN or IP addresses?

 

TIA!

 

Galen

@Reng Kwan 

 

WAC is a never-ending battle for us it seems.

 

We too were receiving the error, "Couldn't determine if the current user is a member of the Windows Admin Center CredSSP Administrators group. Error: Connecting to remote server wac1 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the wac1 computer. For more information, see the about_Remote_Troubleshooting Help topic."

 

We had this problem when we tried to use the HCI Updates and Diagnostics features, two features that rely on CredSSP, as well as when we tried to connect to the WAC server (itself) via Computer Management in WAC. 

 

We tracked this down to having IPv6 enabled. When we ran `Disable-NetAdapterBinding -InterfaceAlias Ethernet -ComponentID ms_tcpip6` we could connect to the server.

 

However, after spending 6 hours figuring that out, we still couldn't use the HCI Updates and Diagnostics features (which we need because our HCI cluster also doesn't work correctly and we need to use Diagnostics to troubleshoot it). Now we're getting a different error, "The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings."

 

So I've kind of given up. There is even less I can find online for this problem. And this is the only posting I've found. 

@galenb running in service mode on one of the cluster nodes. ExecutionPolicy was not changed from what it is by default. Connections were FQDN.
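
The checks requested across this thread (group membership, Get-WSManCredSSP output, execution policy) plus the session configuration and IPv6 binding named in the replies, collected into one read-only script for the gateway machine. This is an added example, not part of any post and not Windows Admin Center's own code; the group and session configuration names are taken from the thread, everything else uses standard PowerShell cmdlets, and the report property names are made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): read-only checks, run on the WAC gateway machine.
$groupName     = 'Windows Admin Center CredSSP Admins'  # local group named in the thread
$sessionConfig = 'microsoft.sme.powershell'             # configuration named in the error text

# 1. Does the local group exist, and is the current identity listed in it directly?
#    Membership through a nested domain group will not show up as a direct match.
$me      = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$group   = Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue
$members = @(Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue)

# 2. Is the session configuration from the error message registered on this machine?
$config = Get-PSSessionConfiguration -Name $sessionConfig -ErrorAction SilentlyContinue

# 3. WSMan CredSSP switches: client role (delegates credentials out) and
#    service role (accepts delegated credentials).
$clientCredSsp  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
$serviceCredSsp = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value

# 4. Adapters with IPv6 bound, since one reply traced a connection failure to IPv6.
$ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object Enabled | Select-Object -ExpandProperty Name)

# Report property names below are hypothetical labels chosen for this example.
[pscustomobject]@{
    CurrentUser         = $me
    GroupExists         = [bool]$group
    DirectGroupMember   = ($members.Name -contains $me)
    GroupMembers        = ($members.Name -join '; ')
    SessionConfigFound  = [bool]$config
    ClientCredSSP       = $clientCredSsp
    ServiceCredSSP      = $serviceCredSsp
    GetWSManCredSSP     = ((Get-WSManCredSSP) -join ' | ')
    ExecutionPolicy     = Get-ExecutionPolicy
    IPv6EnabledAdapters = ($ipv6Adapters -join '; ')
} | Format-List
```

The script changes nothing; the ClientCredSSP and ServiceCredSSP values also show whether CredSSP has been left enabled on a machine after troubleshooting.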