Authentication Constants
Authentication constants are constants in the __WSManSessionFlags enumeration that specify the authentication method and how to handle certificate servers for HTTPS transport of requests.
One or more of the following constants are required in the flags parameter in calls to WSMan.CreateSession or IWSMan::CreateSession that connect to a remote computer.

WSManFlagCredUsernamePassword
4096 (0x1000)
Use the user name and password as the credentials. Set this flag when you create a ConnectionOptions object and supply Username and Password. The credentials can be a domain account or an account on the local computer. By default, the account must be a member of the local Administrators group on the local or remote computer. However, the WinRM service can be configured to allow other users. For more information, see Installation and Configuration for Windows Remote Management. You can set this flag when you specify credentials for Negotiate authentication (also known as Windows Integrated Authentication) or for Basic authentication.
The associated scripting method is WSMan.SessionFlagCredUsernamePassword, and the C++ method is IWSManEx.SessionFlagCredUsernamePassword.

WSManFlagSkipCACheck
8192 (0x2000)
When connecting over HTTPS, the client does not validate that the server certificate is signed by a trusted certification authority (CA). Use this value only when the remote computer is trusted by other means, for example, if the remote computer is part of a network that is physically secure and isolated or the remote computer is listed as a trusted host in the WinRM configuration.
The associated scripting method is WSMan.SessionFlagSkipCACheck, and the C++ method is IWSManEx.SessionFlagSkipCACheck.

WSManFlagSkipCNCheck
16384 (0x4000)
When connecting over HTTPS, the client will not validate that the common name (CN) in the server certificate matches the computer name in the connection string. Use only when the remote computer is trusted by other means, for example, if the remote computer is part of a network that is physically secure and isolated or the remote computer is listed as a trusted host in the WinRM configuration.
The associated scripting method is WSMan.SessionFlagSkipCNCheck, and the C++ method is IWSManEx.SessionFlagSkipCNCheck.

WSManFlagUseNoAuthentication
32768 (0x8000)
Use no authentication. Specify this constant when testing a connection to a remote computer to determine if a service that implements the WS-Management protocol is configured to listen for data requests. WSManFlagUseNoAuthentication cannot be combined with any other Session constant.
The associated scripting method is WSMan.SessionFlagUseNoAuthentication, and the C++ method is IWSManEx.SessionFlagUseNoAuthentication.

WSManFlagUseDigest
65536 (0x10000)
Use Digest authentication. Only the client computer can initiate a Digest authentication request. The client sends a request to the server to authenticate and receives a token string from the server. The client then sends the resource request, including the user name and a cryptographic hash of the password combined with the token string. Digest authentication is supported for HTTP and HTTPS. WinRM client scripts and applications can specify Digest authentication, but not the service.
The associated scripting method is WSMan.SessionFlagUseDigest, and the C++ method is IWSManEx.SessionFlagUseDigest.

WSManFlagUseNegotiate
131072 (0x20000)
Use Negotiate authentication. The client sends a request to the server to authenticate. The server determines whether to use Kerberos or NTLM. Kerberos is selected to authenticate a domain account and NTLM is selected for local computer accounts. The user name should be specified in the form domain\username for a domain user or servername\username for a local user on a server computer.
User Account Control (UAC) affects access to the WinRM service. When Negotiate authentication is used in a workgroup or domain, only the built-in Administrator account can access the service. To allow all accounts in the Administrators group to access the service, set the following registry key to 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.
The associated scripting method is WSMan.SessionFlagUseNegotiate, and the C++ method is IWSManEx.SessionFlagUseNegotiate.

WSManFlagUseBasic
262144 (0x40000)
Use Basic authentication. The client presents credentials in the form of a user name and password, directly transmitted in the request message. You can specify only credentials that identify a local administrator account on the remote computer.
The associated scripting method is WSMan.SessionFlagUseBasic, and the C++ method is IWSManEx.SessionFlagUseBasic.

WSManFlagUseKerberos
524288 (0x80000)
Use Kerberos authentication. The client and server mutually authenticate using Kerberos tickets.
The associated scripting method is WSMan.SessionFlagUseKerberos, and the C++ method is IWSManEx.SessionFlagUseKerberos.

WSManFlagNoEncryption
1048576 (0x100000)
Use no encryption. Unencrypted traffic is not allowed by default and must be enabled on both the client and server.
The associated scripting method is WSMan.SessionFlagNoEncryption, and the C++ method is IWSManEx.SessionFlagNoEncryption.

WSManFlagUseClientCertificate
2097152 (0x200000)
Use client certificate-based authentication.
The associated scripting method is WSMan.SessionFlagUseClientCertificate, and the C++ method is IWSManEx2.SessionFlagUseClientCertificate.

WSManFlagUseCredSsp
16777216 (0x1000000)
Use Credential Security Support Provider (CredSSP) authentication.
The associated scripting method is WSMan.SessionFlagUseCredSsp, and the C++ method is IWSManEx3.SessionFlagUseCredSsp.

WSManFlagSkipRevocationCheck
0x2000000
Do not check for certificate revocation during authentication.

WSManFlagAllowNegotiateImplicitCredentials
0x4000000
Allow implicit credentials.

WSManFlagUseSsl
0x8000000
Use Secure Sockets Layer (SSL), which enables HTTPS.
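
The constraints documented for these constants, expressed as a check that can be run over flag values found in client code during review. This is an added example, not code from the original page or from WinRM: audit_session_flags and the k-prefixed names are hypothetical, the numeric values are the ones listed above, and the sample combinations are constructed.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Values copied from the constants listed on this page.
constexpr uint32_t kSkipCACheck         = 0x2000;
constexpr uint32_t kSkipCNCheck         = 0x4000;
constexpr uint32_t kUseNoAuthentication = 0x8000;
constexpr uint32_t kUseBasic            = 0x40000;
constexpr uint32_t kUseKerberos         = 0x80000;
constexpr uint32_t kNoEncryption        = 0x100000;
constexpr uint32_t kSkipRevocationCheck = 0x2000000;
constexpr uint32_t kUseSsl              = 0x8000000;

// Hypothetical helper (not a WinRM API): returns one finding per documented
// condition that invalidates the flag set or weakens the session.
std::vector<std::string> audit_session_flags(uint32_t flags) {
    std::vector<std::string> findings;
    if ((flags & kUseNoAuthentication) && flags != kUseNoAuthentication)
        findings.push_back("invalid: WSManFlagUseNoAuthentication combined with another constant");
    if (flags & kSkipCACheck)
        findings.push_back("weak-tls: server certificate CA is not validated");
    if (flags & kSkipCNCheck)
        findings.push_back("weak-tls: certificate CN is not matched to the computer name");
    if (flags & kSkipRevocationCheck)
        findings.push_back("weak-tls: certificate revocation is not checked");
    if (flags & kNoEncryption)
        findings.push_back("cleartext: WSManFlagNoEncryption is set");
    if ((flags & kUseBasic) && (flags & kNoEncryption) && !(flags & kUseSsl))
        findings.push_back("review: Basic with NoEncryption and no UseSsl flag; confirm the URL is https");
    return findings;
}

int main() {
    // Constructed sample values, as a reviewer might find them in client code.
    const uint32_t samples[] = {
        kUseKerberos | kUseSsl,
        kUseBasic | kNoEncryption,
        kUseSsl | kSkipCACheck | kSkipCNCheck,
        kUseNoAuthentication | kUseKerberos,
    };
    for (uint32_t f : samples) {
        std::cout << "0x" << std::hex << f << ":\n";
        for (const auto& s : audit_session_flags(f)) std::cout << "  " << s << "\n";
    }
}
```
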
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows Vista |
Minimum supported server | Windows Server 2008 |
Header | |
IDL | |