Authentication Constants
Authentication constants are constants in the __WSManSessionFlags enumeration that specify the authentication method and how to handle certificate servers for HTTPS transport of requests.
One or more of the constants listed in the following list are required in the flags parameter in calls to WSMan.CreateSession or in IWSMan::CreateSession calls that connect to a remote computer.
-
WSManFlagCredUsernamePassword
-
-
4096 (0x1000)
-
Use the user name and password as the credentials. Set this flag when you create a ConnectionOptions object and supply Username and Password. The credentials can be a domain account or an account on the local computer. By default, the account must be a member of the local Administrators group on the local or remote computer. However, the WinRM service can be configured to allow other users. For more information, see Installation and Configuration for Windows Remote Management. You can set this flag when you specify credentials for Negotiate authentication (also known as Windows Integrated Authentication) or for Basic authentication.
The associated scripting method is WSMan.SessionFlagCredUsernamePassword, and the C++ method is IWSManEx.SessionFlagCredUsernamePassword.
-
-
WSManFlagSkipCACheck
-
-
8192 (0x2000)
-
When connecting over HTTPS, the client does not validate that the server certificate is signed by a trusted certification authority (CA). Use this value only when the remote computer is trusted by other means, for example, if the remote computer is part of a network that is physically secure and isolated or the remote computer is listed as a trusted host in the WinRM configuration.
The associated scripting method is WSMan.SessionFlagSkipCACheck, and the C++ method is IWSManEx.SessionFlagSkipCACheck.
-
-
WSManFlagSkipCNCheck
-
-
16384 (0x4000)
-
When connecting over HTTPS, the client will not validate that the common name (CN) in the server certificate matches the computer name in the connection string. Use only when the remote computer is trusted by other means, for example, if the remote computer is part of a network that is physically secure and isolated or the remote computer is listed as a trusted host in the WinRM configuration.
The associated scripting method is WSMan.SessionFlagSkipCNCheck, and the C++ method is IWSManEx.SessionFlagSkipCNCheck.
-
-
WSManFlagUseNoAuthentication
-
-
32768 (0x8000)
-
Use no authentication. Specify this constant when testing a connection to a remote computer to determine if a service that implements the WS-Management protocol is configured to listen for data requests. WSManFlagUseNoAuthentication cannot be combined with any other Session constant. The associated scripting method is WSMan.SessionFlagUseNoAuthentication, and the C++ method is WSManEx.SessionFlagUseNoAuthentication.
-
-
WSManFlagUseDigest
-
-
65536 (0x10000)
-
Use Digest authentication. Only the client computer can initiate a Digest authentication request. The client sends a request to the server to authenticate and receives a token string from the server. The client then sends the resource request, including the user name and a cryptographic hash of the password combined with the token string. Digest authentication is supported for HTTP and HTTPS. WinRM client scripts and applications can specify Digest authentication, but not the service.
The associated scripting method is WSMan.SessionFlagUseDigest, and the C++ method is IWSManEx.SessionFlagUseDigest.
-
-
WSManFlagUseNegotiate
-
-
131072 (0x20000)
-
Use Negotiate authentication. The client sends a request to the server to authenticate. The server determines whether to use Kerberos or NTLM. Kerberos is selected to authenticate a domain account and NTLM is selected for local computer accounts. The user name should be specified in the form domain\username for a domain user or servername\username for a local user on a server computer.
User Account Control (UAC) affects access to the WinRM service. When Negotiate authentication is used in a workgroup or domain, only the built-in Administrator account can access the service. To allow all accounts in the Administrators group to access the service, set the following registry key to 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.
The associated scripting method is WSMan.SessionFlagUseNegotiate, and the C++ method is IWSManEx.SessionFlagUseNegotiate.
-
-
WSManFlagUseBasic
-
-
262144 (0x40000)
-
Use Basic authentication. The client presents credentials in the form of a user name and password, directly transmitted in the request message. You can specify only credentials that identify a local administrator account on the remote computer.
The associated scripting method is WSMan.SessionFlagUseBasic, and the C++ method is IWSManEx.SessionFlagUseBasic.
-
-
WSManFlagUseKerberos
-
-
524288 (0x80000)
-
Use Kerberos authentication. The client and server mutually authenticate using Kerberos tickets.
The associated scripting method is WSMan.SessionFlagUseKerberos, and the C++ method is IWSManEx.WSMan.SessionFlagUseKerberos.
-
-
WSManFlagNoEncryption
-
-
1048576 (0x100000)
-
Use no encryption. Unencrypted traffic is not allowed by default and must be enabled on both the client and server.
The associated scripting method is WSMan.SessionFlagNoEncryption, and the C++ method is IWSManEx.SessionFlagNoEncryption.
-
-
WSManFlagUseClientCertificate
-
-
2097152 (0x200000)
-
Use client certificate-based authentication.
The associated scripting method is WSMan.SessionFlagUseClientCertificate, and the C++ method is IWSManEx2.SessionFlagUseClientCertificate.
-
-
WSManFlagUseCredSsp
-
-
16777216 (0x1000000)
-
Use Credential Security Support Provider (CredSSP) authentication.
The associated scripting method is WSMan.SessionFlagUseCredSsp, and the C++ method is IWSManEx3.SessionFlagUseCredSsp.
-
-
WSManFlagSkipRevocationCheck
-
-
0x2000000
-
Do not check for certificate revocation during authentication.
-
-
WSManFlagAllowNegotiateImplicitCredentials
-
-
0x4000000
-
Allow implicit credentials.
-
-
WSManFlagUseSsl
-
-
0x8000000
-
Use Secure Socket Layer, enables HTTPS.
-
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client |
Windows Vista |
| Minimum supported server |
Windows Server 2008 |
| Header |
|
| IDL |
|
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for