NOTE: This page is no longer being updated. To install the latest version of DSC Resource Kit, please use the PowerShell Gallery. If you need to report issues or would like to contribute to development, check out our GitHub Repositories.

Introduction

The xCredSSP module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is a collection of DSC Resources produced by the PowerShell Team. This module contains the xCredSSP resource, which enables or disables Credential Security Support Provider (CredSSP) authentication on a client or on a server computer, and which server or servers the client credentials can be delegated to.

All of the resources in the DSC Resource Kit are provided AS IS, and are not supported through any Microsoft standard support program or service. The "x" in xCredSSP stands for experimental, which means that these resources will be fix-forward and monitored by the module owner(s).

Please leave comments, feature requests, and bug reports in the Q & A tab for this module.

If you would like to modify the xCredSSP module, feel free. When modifying, please update the module name, resource friendly name, and MOF class name (instructions below). As specified in the license, you may copy or modify this resource as long as it is used on the Windows Platform.

For more information about Windows PowerShell Desired State Configuration, check out the blog posts on the PowerShell Blog (this is a good starting point). There are also great community resources, such as PowerShell.org or PowerShell Magazine. For more information on the DSC Resource Kit, check out this blog post.

Installation

To install the xCredSSP module:

  • Unzip the content under the $env:ProgramFiles\WindowsPowerShell\Modules folder.

To confirm installation:

  • Run Get-DSCResource to see that xCredSSP is among the DSC Resources listed.

Requirements

This module requires the latest version of PowerShell (v4.0, which ships in Windows 8.1 or Windows Server 2012R2). To easily use PowerShell 4.0 on older operating systems, install WMF 4.0. Please read the installation instructions that are present on both the download page and the release notes for WMF 4.0.

Description

The xCredSSP module contains the xCredSSP resource, which enables or disables Credential Security Support Provider (CredSSP) authentication on a client or on a server computer, and which server or servers the client credentials can be delegated to.

Details

The xCredSSP resource has the following properties:

  • Ensure: Specifies whether CredSSP authentication is enabled ("Present") or disabled ("Absent") for the given role.
  • Role: REQUIRED parameter representing the CredSSP role; either "Server" or "Client".
  • DelegateComputers: Array of servers to be delegated to; REQUIRED when Role is set to "Client".

Renaming Requirements

When making changes to these resources, we suggest the following practice:

  1. Update the following names by replacing MSFT with your company/community name and replacing the "x" with "c" (short for "Community") or another prefix of your choice:
    • Module name (ex: xCredSSP becomes cCredSSP)
    • Resource folder (ex: MSFT_xCredSSP becomes Contoso_cCredSSP)
    • Resource Name (ex: MSFT_xCredSSP becomes Contoso_cCredSSP)
    • Resource Friendly Name (ex: xCredSSP becomes cCredSSP)
    • MOF class name (ex: MSFT_xCredSSP becomes Contoso_cCredSSP)
    • Filename for the <resource>.schema.mof (ex: MSFT_xCredSSP.schema.mof becomes Contoso_cCredSSP.schema.mof)
  2. Update module and metadata information in the module manifest
  3. Update any configurations that use these resources

We reserve resource and module names without prefixes ("x" or "c") for future use (e.g. "MSFT_CredSSP" or "MSFT_ADUser"). If the next version of Windows Server ships with a "CredSSP" resource, we don't want to break any configurations that use any community modifications. Please keep a prefix such as "c" on all community modifications.

Versions

1.0.1.0

  • Updated with minor bug fixes.

1.0.0.0

  • Initial release with the following resources
    • xADDomain

Example: Enable CredSSP for both server and client roles, and delegate to Server1 and Server2.

Configuration EnableCredSSP 
{ 
    Import-DscResource -Module xCredSSP 
 
    Node localhost 
    { 
        xCredSSP Server 
        { 
            Ensure = "Present" 
            Role = "Server" 
        } 
 
        xCredSSP Client 
        { 
            Ensure = "Present" 
            Role = "Client" 
            DelegateComputers = "Server1","Server2" 
        } 
    } 
}  

Example: Disable CredSSP for both server and client roles.

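Configuration DisableCredSSP
{
    Import-DscResource -Module xCredSSP

    Node localhost
    {
        # Turn off CredSSP authentication for the server role
        xCredSSP Server
        {
            Ensure = "Absent"
            Role = "Server"
        }

        # Turn off CredSSP for the client role; DelegateComputers is
        # still required whenever Role is "Client"
        xCredSSP Client
        {
            Ensure = "Absent"
            Role = "Client"
            DelegateComputers = "Server1","Server2"
        }
    }
}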
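
To confirm that a node actually ended up in the state the configurations above describe, the following added example (not part of the xCredSSP module) reads the CredSSP settings for both roles and lists any delegation targets outside the expected set. The function name Get-CredSSPState and its -ExpectedComputers parameter are hypothetical; it assumes an elevated session on the node and that delegation targets are stored as wsman/<computer> under the AllowFreshCredentials policy key written by Enable-WSManCredSSP.

```powershell
# Added example: audit the CredSSP state that the xCredSSP resource manages.
# Get-CredSSPState and -ExpectedComputers are hypothetical names.
function Get-CredSSPState {
    [CmdletBinding()]
    param(
        # Servers the client is supposed to delegate to (as in DelegateComputers)
        [string[]]$ExpectedComputers = @()
    )

    # WinRM authentication switches for the Server and Client roles
    $server = (Get-Item -Path 'WSMan:\localhost\Service\Auth\CredSSP').Value
    $client = (Get-Item -Path 'WSMan:\localhost\Client\Auth\CredSSP').Value

    # Delegation targets (assumed location: the AllowFreshCredentials policy key)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        $targets = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }

    # Entries are stored with a wsman/ prefix, so normalise the expected list
    $expected = @($ExpectedComputers | ForEach-Object { "wsman/$_" })

    [pscustomobject]@{
        ServerEnabled     = ($server -eq 'true')
        ClientEnabled     = ($client -eq 'true')
        DelegateComputers = $targets
        # Targets present on the node but not in the expected list (drift)
        UnexpectedTargets = @($targets | Where-Object { $expected -notcontains $_ })
        # Wildcard entries widen delegation beyond named servers
        WildcardTargets   = @($targets | Where-Object { $_ -match '\*' })
    }
}

# After the enable example: both roles on, no unexpected or wildcard targets.
# After the disable example: ServerEnabled and ClientEnabled should be False.
Get-CredSSPState -ExpectedComputers 'Server1', 'Server2'
```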