User-ID Agentless WinRM over HTTP with or without using Kerberos (Kerberos or Basic-simple-Authentication)
Hello community, how are you, good evening, thanks for your time and collaboration.
I have a question regarding the use of WinRM over HTTP.
According to this link there are 3 mechanisms of use:
Configure WinRM over HTTPS with Basic Authentication
Configure WinRM over HTTP with Kerberos
Configure WinRM over HTTPS with Kerberos
Now reviewing this link that mentions 4 possible options to solve an issue, option 3 talks about changing the transport-Protocol type to WinRM-HTTP and done:
Currently using WMI, but we want to switch to using WinRM-HTTP to avoid errors, issues and problems.
Now my doubt is the following: with respect to WinRM-HTTP, can I use simple authentication, or is the use of Kerberos mandatory for WinRM-HTTP authentication? Is it mandatory to use Kerberos with a Kerberos profile, or is it sufficient to just switch to WinRM-HTTP in Monitored Server (the credentials are already OK) and make sure that the Domain Controller server(s) have the WinRM-HTTP service/listener up and running? This is because the server administrators are somewhat reluctant and refuse to apply settings on their servers. At most we can validate that the WinRM service and the listener are running, but nothing more. If we think of switching to WinRM with Kerberos authentication and/or HTTPS with a certificate, they will not want to do so, in order not to adjust anything more than, hopefully, bringing up the service.
Thank you, I remain attentive to your comments, advice, good collaboration, suggestions.
Best Regards
Using basic auth over HTTP would mean exposing your service account in cleartext every time the firewall performs a log-read on the AD (every second), so technically it would be possible, but it was not made available due to poor security, I think. You can always submit a feature request :)
You can't use basic authentication in HTTP because it's unencrypted; that's why there's only the Kerberos option for HTTP. To enable Kerberos, you also need to create a Kerberos profile and add it to the agentless configuration in the Server Monitor Account (at the bottom).
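
A read-only check of the server-side points raised in this thread (service running, HTTP listener present, Kerberos enabled, Basic and unencrypted traffic disabled), added here as an example that is not part of the original posts or of any vendor tooling. It assumes an elevated PowerShell session on the monitored server; `Get-WinRMReadiness` is a hypothetical helper name, and the firewall-side Kerberos profile mentioned in the reply is not covered.

```powershell
# Added example: read-only WinRM check for a monitored server (run elevated on the server).
# Get-WinRMReadiness is a hypothetical helper name; nothing here changes configuration.
function Get-WinRMReadiness {
    $service = Get-Service -Name WinRM

    # Each listener is a container under WSMan:\localhost\Listener; read its settings.
    $listeners = foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $p = @{}
        Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" |
            ForEach-Object { $p[$_.Name] = $_.Value }
        [pscustomobject]@{
            Transport = $p['Transport']
            Port      = $p['Port']
            Enabled   = $p['Enabled']
        }
    }

    # WSMan provider values come back as the strings 'true' / 'false'.
    $basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $kerberos    = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value
    $unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value

    $http = $listeners |
        Where-Object { $_.Transport -eq 'HTTP' -and $_.Enabled -eq 'true' }

    # Collect deviations from the HTTP-with-Kerberos setup discussed above.
    $findings = @()
    if ($service.Status -ne 'Running') { $findings += 'WinRM service is not running' }
    if (-not $http)                    { $findings += 'No enabled HTTP listener' }
    if ($kerberos -ne 'true')          { $findings += 'Kerberos authentication is disabled' }
    if ($basic -eq 'true')             { $findings += 'Basic authentication is enabled' }
    if ($unencrypted -eq 'true')       { $findings += 'AllowUnencrypted is true' }

    [pscustomobject]@{
        ServiceStatus    = $service.Status
        HttpListenerPort = $http.Port
        Kerberos         = $kerberos
        Basic            = $basic
        AllowUnencrypted = $unencrypted
        Findings         = $findings
    }
}

Get-WinRMReadiness | Format-List
```

An empty `Findings` list means the server already matches what the agentless WinRM-HTTP option expects, so the administrators do not need to change anything on it.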