While working with addition/removal of a computer from an Active Directory domain over WinRM (noticed while using Test Kitchen using the negotiate
transport), I've noticed something strange, and am hoping to get some context to the behavior. When joining a computer to the domain using the Add-Computer
cmdlet, everything works as intended. However, when I use the Remove-Computer
cmdlet, the WinRM session closes with an unauthorized access error. Attempting to connect over WinRM with the same credentials again yields the same unauthorized access error until I reboot the system. I'm curious as to why Negotiate Authentication over WinRM is breaking immediately after leaving the domain (prior to the reboot) but not when joining the domain.
My first thought was that Test Kitchen was using Kerberos over WinRM once joined to the domain, so I disabled Kerberos as follows as part of my provisioning process (so NTLM should have been used):
winrm set winrm/config/service/auth '@{Kerberos="false"}'
and verified that the setting remained after joining the domain. But still on leaving the domain I am unable to authenticate to WinRM until I reboot. It's worth noting that using WinRM over plaintext
or ssl
seems to work without issue.
Note: I am authenticating as a local user, not a domain user.
0 Answers