New-PSSession -CertificateThumbprint

I am trying to connect to a remote server using a client certificate for authentication. I tried with the example at "winrm help certmapping" and I can see there is an entry in the mapping table:

PS WSMan:\localhost\ClientCertificate> Get-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_982856142\*


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\ClientCertificate\ClientCertificate_982856142

Name                      Value                                                             Type
----                      -----                                                             ----
URI                       http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/*        System.String
Subject                   certadmin                                                         System.String
Issuer                    7922C0DB210B050F7C155127B552E4B85C8D5EDD                          System.String
UserName                  certadmin                                                         System.String
Enabled                   true                                                              System.String
Password                                                                                    System.String

However, when I try to connect from the client computer to the remote server I get:

PS C:\Documents and Settings\certadmin> New-PSSession -computername tokyo.domain.local -CertificateThumbprint $usercertThumbprint
[tokyo.domain.local] Connecting to remote server failed with the following error message : An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

I am getting the same error even when I try to create a session on the server itself (I've installed the client certificate on the server as well).

Now, "about_Remote_Troubleshooting" does not even mention authentication with certificates, and I tried hard to find some advice on the net.

Any thoughts?

Thanks !

December 14th, 2010 2:45pm

Hi,

Are your systems in a domain? If so, CertificateThumbprint cannot work properly. Excerpt from:

New-PSSession
http://technet.microsoft.com/en-us/library/dd347668.aspx

"-CertificateThumbprint <string>
Specifies the digital public key certificate (X509) of a user account that has permission to perform this action. Enter the certificate thumbprint of the certificate.

Certificates are used in client certificate-based authentication. They can be mapped only to local user accounts; they do not work with domain accounts. "

Thanks

December 21st, 2010 6:21am
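The following is an added example, not code from the thread or from any of its posters. It puts the two points above into one server-side setup script: the mapped account must be a local account (the answer's point), and the mapping itself is the WSMan ClientCertificate entry shown in the question. It assumes a local account named certadmin already exists, that the client certificate's Subject is "certadmin" as in the question, and that $IssuerThumbprint is replaced with the thumbprint of the CA that issued the client certificate (the value below is a placeholder). Run it in an elevated PowerShell (3.0 or later, for Get-Credential -UserName) on the WinRM server.

```powershell
# Added example (not from the thread). Run elevated on the WinRM server.
$LocalUser        = 'certadmin'                  # must be a LOCAL account (assumption: it exists)
$CertSubject      = 'certadmin'                  # Subject of the client certificate, as in the question
$IssuerThumbprint = '<ISSUING-CA-THUMBPRINT>'    # placeholder: thumbprint of the issuing CA

# 1. Certificate mappings only work with local accounts, so refuse anything else up front.
#    [adsi]::Exists with the WinNT provider is false for domain accounts and for typos.
if (-not [adsi]::Exists("WinNT://$env:COMPUTERNAME/$LocalUser,user")) {
    throw "'$LocalUser' is not a local account on $env:COMPUTERNAME; certificate mappings require a local account."
}

# 2. The server must trust the issuer of the client certificate (Root or intermediate CA store).
$issuer = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
          Where-Object { $_.Thumbprint -eq $IssuerThumbprint }
if (-not $issuer) {
    throw "Issuer $IssuerThumbprint is not in the LocalMachine Root or CA store on this server."
}

# 3. Certificate authentication is disabled on the WinRM service by default; enable it.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# 4. Create the mapping. '-URI *' applies it to every resource URI; a mapping restricted
#    to one URI (as in the certmapping help sample) only covers requests for that URI.
#    The credential is the LOCAL account's password; WinRM stores it and uses it to log
#    the account on when a matching client certificate is presented.
$cred = Get-Credential -UserName $LocalUser -Message "Password of local account $LocalUser"
New-Item -Path WSMan:\localhost\ClientCertificate `
         -Subject $CertSubject `
         -URI '*' `
         -Issuer $IssuerThumbprint `
         -Credential $cred `
         -Force

# 5. Show the resulting mapping rows, in the same Name/Value form as the question's output.
Get-ChildItem -Path WSMan:\localhost\ClientCertificate |
    ForEach-Object { Get-ChildItem -Path $_.PSPath | Select-Object Name, Value }
```

On the client, the certificate (with its private key) lives in Cert:\CurrentUser\My and the session is opened with the same New-PSSession -CertificateThumbprint call as in the question; certificate authentication is only offered on the HTTPS transport, so an HTTPS listener on the server and -UseSSL on the client are assumed here.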

Does anybody know if this is still the case in PowerShell 3.0?
May 17th, 2012 8:32am

In case anyone runs across this thread again, I just hit this error, and it turned out that the password of the local user account associated with the certificate had expired.  One workaround, if you've carefully considered any security implications, is to disable password expiration for the local user account like this:

function SetUserPasswordNeverExpires($userName)
{
    # ADS_UF_DONT_EXPIRE_PASSWD bit in the WinNT UserFlags bitmask
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
    $path = "WinNT://$env:COMPUTERNAME/$userName,user"
    if (-not [adsi]::Exists($path))
    {
        throw "Couldn't find the local user '$userName'.  Make sure the user exists."
    }
    $user = [adsi]$path
    # -bor sets the flag; -bxor would toggle it and clear it if it was already set
    $user.InvokeSet("UserFlags", ([int]$user.UserFlags[0] -bor $ADS_UF_DONT_EXPIRE_PASSWD))
    $user.CommitChanges()
}

Ideally, the local user account should be single-purpose with zero rights, and the password should be a very long crypto-random string that gets forgotten immediately after being used to set up the ClientCertificate mapping in WinRM, so if someone is able to retrieve it, they've already compromised the box and could do worse stuff.  (Just my opinion - check your org's policies.)

----

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

August 10th, 2015 4:14pm
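Before disabling password expiry, it is worth knowing which mapping is actually affected. The following is an added example, not code from the thread or from the poster above: it walks every WSMan:\localhost\ClientCertificate mapping (the container seen in the question), resolves the mapped UserName, and reports whether that account is local, exists, is disabled, has an expired password, or already has "password never expires" set. The function names, the flag constants (taken from the ADS_USER_FLAG values, 0x2 and 0x10000) and the sample output shape are this example's own. It is read-only and needs an elevated PowerShell 3.0 or later on the WinRM server.

```powershell
# Added example (not from the thread). Read-only audit of WinRM client certificate mappings.
$ADS_UF_ACCOUNTDISABLE     = 0x0002    # ADS_USER_FLAG: account is disabled
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # ADS_USER_FLAG: password never expires

function Get-ClientCertificateMappingStatus {
    foreach ($mapping in Get-ChildItem -Path WSMan:\localhost\ClientCertificate) {
        # Each mapping is a container whose children are the Name/Value rows shown in the question
        $props = @{}
        foreach ($row in Get-ChildItem -Path $mapping.PSPath) { $props[$row.Name] = $row.Value }

        $userName = [string]$props['UserName']
        $status = [ordered]@{
            Mapping              = $mapping.Name
            Subject              = $props['Subject']
            URI                  = $props['URI']
            MappingEnabled       = $props['Enabled']
            UserName             = $userName
            IsLocalAccount       = $null
            AccountExists        = $false
            AccountDisabled      = $null
            PasswordExpired      = $null
            PasswordNeverExpires = $null
        }

        # Mappings only work with local accounts: 'OTHERDOMAIN\user' or 'user@domain' will never log on.
        $bare = $userName
        if ($userName -match '^(?<dom>[^\\]+)\\(?<name>.+)$') {
            $bare = $Matches.name
            $status.IsLocalAccount = ($Matches.dom -eq '.' -or $Matches.dom -ieq $env:COMPUTERNAME)
        } elseif ($userName -match '@') {
            $status.IsLocalAccount = $false
        } else {
            $status.IsLocalAccount = $true
        }

        if ($status.IsLocalAccount) {
            $path = "WinNT://$env:COMPUTERNAME/$bare,user"
            if ([adsi]::Exists($path)) {
                $user  = [adsi]$path
                $flags = [int]$user.UserFlags[0]
                $status.AccountExists        = $true
                $status.AccountDisabled      = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
                $status.PasswordNeverExpires = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)
                # The WinNT provider reports PasswordExpired as 1 when the password must be changed,
                # which is the condition the post above found behind the impersonation-token error.
                $status.PasswordExpired      = ([int]$user.PasswordExpired[0] -ne 0)
            }
        }
        [pscustomobject]$status
    }
}

# Usage: list every mapping, then highlight the ones that cannot currently log on.
$all = Get-ClientCertificateMappingStatus
$all | Format-List
$all | Where-Object { -not $_.IsLocalAccount -or -not $_.AccountExists -or $_.AccountDisabled -or $_.PasswordExpired } |
    ForEach-Object { Write-Warning "Mapping $($_.Mapping) (Subject '$($_.Subject)') cannot log on as '$($_.UserName)'." }
```

A mapping that shows PasswordExpired as True is the case the post above describes; one that shows IsLocalAccount as False is the case the earlier answer describes. Either way the fix is on the account side, not in the WinRM mapping itself.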
