Remotely Invoking a SharePoint PowerShell Command Using CredSSP Authentication Shows a WinRM Client Error

Issue

Executing a SharePoint PowerShell script remotely with CredSSP authentication fails with a WinRM client error.

Error Description

Command example:

# $objCred holds the credential that is delegated to the remote server (added for completeness; the original command assumed it was already set)
$objCred = Get-Credential
Invoke-Command -ComputerName Server01 -ScriptBlock { Add-PSSnapin Microsoft.SharePoint.Powershell; $objUser = Get-SPUser -Identity domain\user1; } -Credential $objCred -Authentication CredSSP

Error shown in the application user interface:

[Server01] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.
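Before changing anything, it is worth running the checks the error text itself lists (WSMAN SPN on the target, the client's credential-delegation policy, and whether WinRM can negotiate CredSSP at all). The script below is an added example, not part of the original post; Server01 and the credential prompt are placeholders, and it assumes it is run from the client machine with setspn.exe available on the path.

```powershell
# Added example (not from the original post): client-side checks for the three
# things the WinRM error message asks you to verify.
function Test-CredSspPrerequisites {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # 1. Is there a WSMAN/<fqdn> SPN registered for the target? Without it,
    #    Kerberos cannot validate the target and CredSSP refuses to delegate.
    $fqdn     = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    $spnQuery = & setspn.exe -Q "WSMAN/$fqdn" 2>&1
    $spnFound = (($spnQuery -join "`n") -match 'Existing SPN found')

    # 2. What delegation targets does this client currently allow?
    #    (Get-WSManCredSSP prints the "fresh credentials" policy state.)
    $clientPolicy = (Get-WSManCredSSP) -join "`n"

    # 3. Can WinRM actually negotiate CredSSP to the target with these credentials?
    $wsman = Test-WSMan -ComputerName $ComputerName -Authentication Credssp `
                        -Credential $Credential -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Target            = $fqdn
        WsmanSpnFound     = $spnFound
        ClientCredSspInfo = $clientPolicy
        CredSspNegotiated = [bool]$wsman
    }
}

# Placeholder target; prompts for the account that will be delegated.
$cred = Get-Credential
Test-CredSspPrerequisites -ComputerName 'Server01' -Credential $cred | Format-List
```

If WsmanSpnFound is true and the client policy already lists the target but CredSspNegotiated is still false, the problem is not trust or policy, which is the situation the rest of this post covers.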

Analysis

First make sure that the account used to execute the PowerShell script is not locked out in Active Directory. Then run the following command on the server or machine from which you invoke the PowerShell command.

winrm quickconfig

In my case, I got the error below when executing the above command.

"The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid."

If you get this HTTP response error, the problem is with the authentication packets: they are most likely too large (above 16000) and the request is rejected because of it.

The authentication packets can be too large because the account is a member of many security groups, or because it has a populated SIDHistory attribute.
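To confirm that group membership or SIDHistory is what inflates the account's token, the following added example (not from the original post) reports the direct and transitive group counts and the SIDHistory entries for an account. It assumes the RSAT ActiveDirectory module is installed and the domain is reachable; the account name passed at the bottom is a placeholder.

```powershell
# Added example (not from the original post): list what contributes to the size
# of an account's Kerberos token, which is what ends up in the WinRM HTTP header.
Import-Module ActiveDirectory

function Get-TokenBloatReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf, sidHistory

    # Classify direct memberships by scope; domain-local groups and SIDHistory
    # entries each add a full SID to the token and are the usual culprits.
    $scopes = @{ DomainLocal = 0; Global = 0; Universal = 0 }
    foreach ($dn in @($user.memberOf)) {
        $g = Get-ADGroup -Identity $dn -Properties GroupScope
        $scopes[$g.GroupScope.ToString()]++
    }

    # tokenGroups is a constructed attribute holding the transitive (nested)
    # group SIDs, which is closer to what the token really contains than memberOf.
    $de = [ADSI]("LDAP://" + $user.DistinguishedName)
    $de.psbase.RefreshCache([string[]]@('tokenGroups'))
    $transitive = $de.psbase.Properties['tokenGroups'].Count

    [pscustomobject]@{
        Account          = $user.SamAccountName
        DirectGroups     = @($user.memberOf).Count
        TransitiveGroups = $transitive
        DomainLocal      = $scopes.DomainLocal
        Global           = $scopes.Global
        Universal        = $scopes.Universal
        SidHistoryCount  = @($user.sidHistory).Count
    }
}

function Get-CurrentTokenGroupCount {
    # Cheaper check for the account you are logged on as: no AD query needed.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
}

# Placeholder account name.
Get-TokenBloatReport -SamAccountName 'user1' | Format-List
"Groups in the current logon token: $(Get-CurrentTokenGroupCount)"
```

A high TransitiveGroups or SidHistoryCount value for the account used with -Credential is the signal that the HTTP.sys header limits, rather than CredSSP trust, are what need attention.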
 
Solution
  • Create the registry entries "MaxRequestBytes" and "MaxFieldLength" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" on the source machine/server from which you invoke/execute the command, and set each to the decimal value 65534.
  • As usual, restart the machine after making registry changes.
  • Test the command again.
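The registry change above, scripted so it can be applied and verified consistently. This is an added example, not code from the original post; it assumes it is run in an elevated PowerShell session on the source machine, and it writes both values as REG_DWORD with the decimal value the post specifies.

```powershell
# Added example (not from the original post): show the current HTTP.sys header
# limits, then raise both to 65534 as described in the post.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Wanted     = @{ MaxFieldLength = 65534; MaxRequestBytes = 65534 }

function Get-HttpSysLimits {
    # $null for a value means it is not set and HTTP.sys uses its built-in default.
    $props = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MaxFieldLength  = $props.MaxFieldLength
        MaxRequestBytes = $props.MaxRequestBytes
    }
}

function Set-HttpSysLimits {
    # Creates the key if it is missing and (re)writes both values as REG_DWORD.
    if (-not (Test-Path $HttpParams)) {
        New-Item -Path $HttpParams -Force | Out-Null
    }
    foreach ($name in $Wanted.Keys) {
        New-ItemProperty -Path $HttpParams -Name $name -PropertyType DWord `
                         -Value $Wanted[$name] -Force | Out-Null
    }
    Get-HttpSysLimits
}

'Before:'; Get-HttpSysLimits | Format-List
'After:';  Set-HttpSysLimits | Format-List
Write-Host 'Restart the machine so HTTP.sys picks up the new limits, then retry the Invoke-Command.'
```

Running Get-HttpSysLimits again after the reboot is a quick way to confirm the values survived and that you changed the right machine (the client issuing Invoke-Command, not the SharePoint server).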

Hope it helps!