Cannot Create PSSession From macOS to Windows #72
Comments
Is
Most likely this is because it will try and do a Kerberos KDC lookup and that's the time it takes for DNS to return with a failure.
It's what I actually used to compile everything for this report. It was the only way to get
That makes sense. I can try to confirm this later by looking into DNS network traffic.
As for the reasons why it's failing I've really given up on this approach unfortunately because of problems like this. GSSAPI authentication is extremely complicated on macOS and super hard to debug. I know I tested NTLM over HTTPS originally on an Intel Mac but I don't have access to an ARM-based Mac right now to try it out again. As for why it's failing you could look into the network traffic and see if it's actually authenticating and the server responds with a 200 at any point. If it's always 401 then the authentication doesn't work at all and there's another problem at hand.
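The 200-versus-401 check suggested above can be run over the server replies in a trace. This is an added example, not part of the thread or the project's code; it assumes the trace contains raw HTTP response text, and the sample replies and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample replies (not captured data). The token in the second
# reply is a constructed 12-byte NTLMSSP type 2 header.
SAMPLE_TRACE = (
    'HTTP/1.1 401 \r\nWWW-Authenticate: Negotiate\r\n'
    'WWW-Authenticate: Basic realm="WSMAN"\r\n\r\n'
    "HTTP/1.1 401 \r\nWWW-Authenticate: Negotiate TlRMTVNTUAACAAAA\r\n\r\n"
    "HTTP/1.1 401 \r\nWWW-Authenticate: Negotiate\r\n\r\n"
)

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})", re.M)
AUTH_RE = re.compile(r"^WWW-Authenticate:[ \t]*(\S+)[ \t]*(\S*)", re.M | re.I)
GSS_SCHEMES = {"negotiate", "kerberos", "ntlm"}

def classify_token(b64):
    """Name the mechanism carried in a base64 authentication token."""
    if not b64:
        return "no token"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # Bytes 8..11 hold the NTLM message type: 1 negotiate, 2 challenge, 3 authenticate.
        return "NTLM type %d" % int.from_bytes(raw[8:12], "little")
    if raw[:1] == b"\x60":   # ASN.1 APPLICATION 0: GSS-API initial token
        return "GSS-API initial token"
    if raw[:1] == b"\xa1":   # SPNEGO NegTokenResp
        return "SPNEGO response"
    return "unknown"

def summarize(trace):
    """Return [(status, [(scheme, token_kind), ...]), ...] per HTTP response."""
    starts = [m.start() for m in STATUS_RE.finditer(trace)] + [len(trace)]
    out = []
    for begin, end in zip(starts, starts[1:]):
        chunk = trace[begin:end]
        status = int(STATUS_RE.match(chunk).group(1))
        offers = [(s, classify_token(t) if s.lower() in GSS_SCHEMES else "n/a")
                  for s, t in AUTH_RE.findall(chunk)]
        out.append((status, offers))
    return out

def ever_authenticated(trace):
    """True if any response in the trace is a 200."""
    return any(status == 200 for status, _ in summarize(trace))
```

A final 401 that carries no token after the client has answered an NTLM type 2 challenge means the server rejected the credentials rather than the transport failing.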
You were right. I can see how SRV records are looked up for the KDC and data is sent to the KDC (which never responds).
I don't have the means to decrypt the traffic I captured. The TLS uses an ECDHE cipher so I can't easily decrypt it. However, I do see two encrypted responses from the server and I have two decoded replies in the logs (as I included in the problem description). Assuming those encrypted responses and decoded replies match, there are no HTTP/200 replies. They are all 401. I would dig deeper into the issue but I think I will need some help on what to look at next.
The omi trace logs should show you the messages being sent and the replies, you even mentioned it in your original comment.
That is unfortunate. OpenSSL does have the ability to create a keylogfile that Wireshark can use to decrypt the TLS traffic but I believe you need to opt into the callback in the C code which isn't currently being done. If you are interested you can run https://gist.github.com/jborean93/6c1f1b3130f2675f1618da56633eb1fa on the Windows host to produce the same file that Wireshark can use to decrypt the traffic. Keep in mind it is pretty invasive and requires a reboot to undo the hooks it places in lsass so it's mostly just for development purposes only.
This is the key part to figure out unfortunately. NTLM auth on macOS was problematic due to how the Unfortunately I don't really have any recommendations for you as this isn't something simple you can fix. What you can try is
SUMMARY
Same problem as #70 but this time using SSL. Reading the README.md I think this is supposed to work:
However, it does not in my case. Attempting to connect to a Windows Server 2019 (domain joined) from my M3 Mac:
Running the identical command from a Windows 10 computer works as expected.
MODULE VERSION
OS / ENVIRONMENT
macOS info
PowerShell info
WSMan setup
Excerpt from omiclient-send.trc
Server replies taken from omi's debug log
Some other things I noticed:
MI_Result = MI_RESULT_ACCESS_DENIED
but the error message does not show the error code.