When using PowerShell remoting (with the Invoke-Command
cmdlet, for example), an authentication scheme is required.
The options are Kerberos, CredSSP, NTLM and Negotiate.
What is the difference between them? What should I use?
Kerberos
Pros:
- Very secure.
- No need to pass credentials explicitly.
Cons:
- Requires an SPN in the executing user’s domain (it is registered automatically only in the computer’s own domain; if the user and the computer are in two different domains, the SPN needs to be registered manually).
- Does not support second-hop remoting.
CredSSP
Somewhat secure – the credentials are passed to the remote server and may be captured there.
Pros:
- Supports second-hop remoting.
Cons:
- Must pass credentials explicitly.
- Needs special configuration on both the server & client side.
NTLM
Pros:
- No need to pass credentials explicitly.
Cons:
- Not very secure.
- Does not support second-hop remoting.
Negotiate
Tries Kerberos first; if that fails, falls back to NTLM. Sometimes secure, sometimes not.
Pros:
- No need to pass credentials explicitly.
Cons:
- Does not support second-hop remoting.
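The following PowerShell script is an added example, not part of the original post, that puts the four schemes above side by side: how each is selected with -Authentication, how the SPN and ticket for Kerberos can be checked, why the second hop fails under Kerberos/NTLM/Negotiate but works under CredSSP once both sides are configured, and how to see afterwards, in the server's Security log, which package a session really used. The host names server1.contoso.com and fileserver.contoso.com are placeholders; the share path is constructed for the example.

```powershell
# Added example (not from the original post). Placeholders:
#   server1.contoso.com     - first hop: the machine Invoke-Command runs code on
#   fileserver.contoso.com  - second hop: a share that server1 must reach as the caller
$FirstHop  = 'server1.contoso.com'
$SecondHop = '\\fileserver.contoso.com\share'   # constructed path for the example

# --- Kerberos --------------------------------------------------------------
# The caller's existing ticket is used; no password travels to server1.
# It only works if the SPN WinRM asks for (HTTP/<host>) can be found in the
# caller's domain. Both checks are run on the client before connecting:
klist get "HTTP/$FirstHop"                     # requests a service ticket; fails if no SPN resolves
setspn -L (($FirstHop -split '\.')[0])         # lists the SPNs registered on server1's computer account

Invoke-Command -ComputerName $FirstHop -Authentication Kerberos -ScriptBlock {
    whoami                          # runs as the caller's domain identity
    Test-Path $using:SecondHop      # False: no credentials to present to the file server (second hop)
}

# --- CredSSP ---------------------------------------------------------------
# The password itself is delegated to server1 (where it could be captured),
# which is exactly what lets server1 authenticate onward to the file server.
# One-time configuration, otherwise Invoke-Command is rejected:
#   on the client : Enable-WSManCredSSP -Role Client -DelegateComputer $FirstHop -Force
#   on server1    : Enable-WSManCredSSP -Role Server -Force
Get-WSManCredSSP                     # shows the current client/server CredSSP state

$cred = Get-Credential -Message 'Domain account whose password will be delegated'
Invoke-Command -ComputerName $FirstHop -Authentication Credssp -Credential $cred -ScriptBlock {
    Test-Path $using:SecondHop      # True: server1 now holds credentials for the second hop
}
# Keep the window short: switch delegation off again once the task is done.
Disable-WSManCredSSP -Role Client

# --- Negotiate / NTLM ------------------------------------------------------
# Negotiate uses Kerberos when it can and silently drops to NTLM otherwise,
# so the caller cannot tell from the command which one was used. Pin
# -Authentication Kerberos where the SPN exists; Negotiate is the default.
Invoke-Command -ComputerName $FirstHop -Authentication Negotiate -ScriptBlock { hostname }

# --- Verifying what was actually used (run on server1) ----------------------
# Logon event 4624 records the package (Kerberos vs NTLM) for every network logon,
# so the fallback that Negotiate hides from the client is visible here.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = $x.Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Package = ($d | Where-Object Name -eq 'AuthenticationPackageName').'#text'
            Type    = ($d | Where-Object Name -eq 'LogonType').'#text'
            Source  = ($d | Where-Object Name -eq 'IpAddress').'#text'
        }
    } | Format-Table -AutoSize
```

Run the client parts from a domain-joined workstation as the account whose ticket should be used; the 4624 query needs to be run on server1 with rights to read the Security log. The Test-Path calls are the quickest way to see the second-hop difference: the same UNC path is unreachable in the Kerberos session and reachable in the CredSSP one, which is also the reason CredSSP should be enabled only for the specific delegate computer and only for as long as it is needed.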