
Authentication for Remote Connections

Windows Remote Management maintains security for communication between computers by
supporting several standard methods of authentication and message encryption. The default
credentials, user name and password, are the credentials for the logged-on user account that runs
the script.

• Kerberos. Kerberos is the default method when the client is in a domain and the remote
destination string is not one of the following: localhost, 127.0.0.1, or [::1].

• Negotiate. Negotiate is the default method when the client is not in a domain. Negotiate is also the
default method when the client is in a domain, but the remote destination string is one of the
following: localhost, 127.0.0.1, or [::1].

You can control the authentication method being used by WinRM:

• Basic Authentication. Basic authentication is disabled in the default configuration settings for both
WinRM client and WinRM server. To explicitly establish Basic authentication in the call to
WSMan.CreateSession, set the WSManFlagUseBasic and WSManFlagCredUserNamePassword flags
in the flags parameter.

• Digest Authentication. To explicitly establish Digest authentication in the call to
WSMan.CreateSession, set the WSManFlagUseDigest flag in the flags parameter. Digest is not
supported, which means it cannot be configured, for the WinRM server component.

• Negotiate Authentication. To explicitly establish Negotiate authentication, also known as Windows
Integrated Authentication, in the call to WSMan.CreateSession, set the WSManFlagUseNegotiate
flag in the flags parameter. With Windows Server 2008 and Windows Vista, User Account Control
(UAC) affects access to the WinRM service. When Negotiate authentication is used in a workgroup,
only the built-in Administrator account can access the service. To allow all accounts in the
Administrators group to access the service, set the following registry key to 1:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

• Kerberos Authentication. To explicitly establish Kerberos authentication in the call to WSMan, set
the WSManFlagUseKerberos flag in the flags parameter. Both the client and the server computers
must be joined to a domain. If you use Kerberos as the authentication method, you cannot use an IP
address in the call to WSMan.CreateSession or IWSMan::CreateSession. Windows Server 2003 R2:
This type of authentication is not available.

Enabling Authentication Options

The default authentication option at system installation is Kerberos. If your script or application
requires a specific authentication method that is not enabled, you must change the configuration to
allow that. This change can be made using the Winrm command line tool or through Group Policy for
the Windows Remote Management Group Policy Object. You may also choose to disable certain
methods of authentication.
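
A read-only check of the settings this section describes, as an added example that is not part of the original page: it lists which authentication methods are enabled for the WinRM client and service and marks for review Basic being enabled and LocalAccountTokenFilterPolicy being 1. The function name Get-WinRMAuthAudit and the output column names are assumptions; it expects an elevated PowerShell session with the WinRM service running.

```powershell
# Added example (not from the original page). Read-only; changes nothing.
# Assumes an elevated session with the WinRM service running, otherwise the
# WSMan: drive cannot be read. Function and column names are illustrative.
function Get-WinRMAuthAudit {
    $findings = @()

    foreach ($side in 'Client', 'Service') {
        # One child item per authentication method; Value is 'true' or 'false'.
        foreach ($item in Get-ChildItem -Path "WSMan:\localhost\$side\Auth") {
            # Skip entries under Auth that are not on/off switches.
            if ($item.Value -notin 'true', 'false') { continue }
            $enabled = ($item.Value -eq 'true')
            $findings += [pscustomobject]@{
                Setting = "WinRM $side auth: $($item.Name)"
                Value   = $item.Value
                # Basic is disabled by default on both client and service,
                # so an enabled Basic is a change someone made on purpose.
                Review  = ($enabled -and ($item.Name -eq 'Basic'))
            }
        }
    }

    # LocalAccountTokenFilterPolicy = 1 lets every account in the local
    # Administrators group reach the service when Negotiate is used in a
    # workgroup. An absent value is reported as 'not set'.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
                             -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { $prop.LocalAccountTokenFilterPolicy } else { 'not set' }
    $findings += [pscustomobject]@{
        Setting = 'LocalAccountTokenFilterPolicy'
        Value   = $value
        Review  = ($value -eq 1)
    }

    $findings
}

Get-WinRMAuthAudit | Format-Table -AutoSize
```

Rows with Review set to True are the ones to trace back to a documented requirement before leaving them in place.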
