Today we had an issue in which a microservice deployed in a Linux pod could not open a remote PowerShell session (PSSession) to a Windows machine.
The base image already had PSWSMan and openssl installed, but we were getting an MI_RESULT_ACCESS_DENIED error.
After a long search through different posts and some trial and error, we got the connection working with the changes below to the Docker image.
- Add the following two packages to the image
RUN apt-get install netbase -y
RUN apt-get install gss-ntlmssp -y
Netbase:
Basic TCP/IP networking system
This package provides the necessary infrastructure for basic TCP/IP based networking. In particular, it supplies common name-to-number mappings in /etc/services, /etc/rpc, /etc/protocols and /etc/ethertypes.
gss-ntlmssp:
GSS-NTLMSSP is a GSSAPI mechanism plugin that implements NTLMSSP. NTLMSSP is a Microsoft Security Provider that implements various versions and flavors of the NTLM challenge-response family.
GSS-NTLMSSP implements both NTLM and NTLMv2 and all the various security variants to the key exchange that Microsoft introduced and documented over time.
This code implements the NTLMSSP mechanism as a GSSAPI loadable mechanism and has been tested to work with MIT Kerberos' 1.11 implementation of GSSAPI.
- Also, the PSSession command was run with the Negotiate authentication method
Enter-PSSession -ComputerName <IP/Hostname> -Credential <xxxxx> -Authentication Negotiate
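To catch a missing prerequisite at image build time instead of at the first failed session, a preflight check can be run as a late build step. The script below is an added example, not part of the original fix; the function name `check_pssession_prereqs` is hypothetical, and it assumes the Debian packaging layout in which gss-ntlmssp registers its mechanism in a `.conf` file under `/etc/gss/mech.d`.

```shell
#!/bin/sh
# Preflight check for the two image changes described above (added example).
# Usage: check_pssession_prereqs ROOT
#   ROOT is the filesystem root to inspect; pass / for the running image.
check_pssession_prereqs() {
    root="${1%/}"      # "/" becomes "", so paths below stay absolute
    missing=0

    # Name-to-number mapping files that netbase supplies.
    for f in /etc/services /etc/rpc /etc/protocols /etc/ethertypes; do
        if [ ! -s "$root$f" ]; then
            echo "missing netbase file: $f" >&2
            missing=$((missing + 1))
        fi
    done

    # Assumption: the GSSAPI loader reads mechanism definitions from
    # /etc/gss/mech.d/*.conf and gss-ntlmssp adds an entry naming ntlmssp.
    # Without that entry, Negotiate has no NTLM mechanism to offer.
    if ! grep -qis 'ntlmssp' "$root/etc/gss/mech.d"/*.conf 2>/dev/null; then
        echo "no NTLMSSP mechanism registered under /etc/gss/mech.d" >&2
        missing=$((missing + 1))
    fi

    # Succeed only when every prerequisite was found.
    [ "$missing" -eq 0 ]
}

# When called with an argument, run the check and exit with its status,
# so a non-zero result fails the image build step that invoked the script.
[ "$#" -eq 0 ] || { check_pssession_prereqs "$1"; exit $?; }
```

Copied into the image and invoked with `/` as its argument after the two install lines, the script stops the build when either package did not land.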
References and further reading
https://packages.debian.org/sid/netbase
https://github.com/gssapi/gss-ntlmssp
https://packages.debian.org/sid/libs/gss-ntlmssp
https://www.bloggingforlogging.com/2020/08/21/wacky-wsman-on-linux/
https://github.com/PowerShell/PowerShell/issues/6647
https://github.com/jborean93/omi/issues/29
https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/