MI_RESULT_FAILED macbook m2

[carefreepineapple]

SUMMARY

Attempting to enter a ps-session from a mac m2 into a windows 10 host (not joined to any domain).

> Enter-PSSession -ComputerName "<redacted>" -Credential $creds -Authentication Negotiate -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)

Enter-PSSession: Connecting to remote server <redacted> failed with the following error message : MI_RESULT_FAILED For more information, see the about_Remote_Troubleshooting Help topic.

MODULE VERSION

> Import-Module -Name PSWSMan -PassThru

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.3.1                 PSWSMan                             {Disable-WSManCertVerification, Enable-WSManCertVerif…

OS / ENVIRONMENT

MacOS details

~ system_profiler SPSoftwareDataType
Software:

    System Software Overview:

      System Version: macOS 14.1.2 (23B92)
      Kernel Version: Darwin 23.1.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: <redacted> MacBook Pro
      User Name: <redacted>
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 57 days, 2 hours, 8 minutes

Powershell version

> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.4.1
PSEdition                      Core
GitCommitId                    7.4.1
OS                             Darwin 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct  9 21:28:31 PDT 2023; root:xnu-10002.41…
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

WSMan version

> Get-WSManVersion

MI        PSRP
--        ----
2.3.1.333 2.3.1.333

WSMan -verbose

> Install-WSMan -verbose
VERBOSE: Attempting to get OpenSSL info with /opt/homebrew/bin/brew --prefix openssl
STDOUT: /opt/homebrew/opt/openssl@3


STDERR:

RC: 0
VERBOSE: Checking arch information for '/opt/homebrew/opt/openssl@3/lib/libcrypto.dylib' and '/opt/homebrew/opt/openssl@3/lib/libssl.dylib'
VERBOSE: Checking if 'arm64' for '/opt/homebrew/opt/openssl@3/lib/libcrypto.dylib' is one of 'arm64'
VERBOSE: Checking if 'arm64' for '/opt/homebrew/opt/openssl@3/lib/libssl.dylib' is one of 'arm64'
VERBOSE: Brew openssl libcrypto|ssl exists and is valid at '/opt/homebrew/opt/openssl@3/lib/libcrypto.dylib' and '/opt/homebrew/opt/openssl@3/lib/libssl.dylib'
VERBOSE: Getting OpenSSL version for '/opt/homebrew/opt/openssl@3/lib/libssl.dylib'
VERBOSE: OpenSSL Version: Major 3 Minor 2 Patch 0
VERBOSE: Host Info:
{
  "Distribution": "macOS",
  "StandardLib": "macOS",
  "OpenSSL": "3",
  "LibCrypto": {
    "Source": "libcrypto.3.dylib",
    "Target": "/opt/homebrew/opt/openssl@3/lib/libcrypto.dylib"
  },
  "LibSSL": {
    "Source": "libssl.3.dylib",
    "Target": "/opt/homebrew/opt/openssl@3/lib/libssl.dylib"
  }
}
VERBOSE: Installing WSMan libs for 'macOS-3'
VERBOSE: Checking to see if libmi.dylib is installed
VERBOSE: Checking to see if libpsrpclient.dylib is installed

OMI LOGS

from here

~ cat /opt/omi/var/log/omiclient-recv.trv
[Session: 1 Date: 2024-02-01 23:35:06.0374243Z]
HTTP/1.1 401
WWW-Authenticate: Negotiate <ntlmssp redacted>
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 01 Feb 2024 23:35:05 GMT
Content-Length: 0


[Session: 1 Date: 2024-02-01 23:35:06.0449834Z]
HTTP/1.1 200
WWW-Authenticate: Negotiate <ntlmssp redacted>
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 01 Feb 2024 23:35:05 GMT
Content-Length: 0


[Session: 1 Date: 2024-02-01 23:35:06.0500142Z]
HTTP/1.1 400
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 01 Feb 2024 23:35:05 GMT
Connection: close
Content-Length: 0

STEPS TO REPRODUCE

~ brew install powershell/tap/powershell
~ xcode-select --install
~ brew install openssl
~ brew install libntlm
> Install-Module -Name PSWSMan -AcceptLicense -Force -Confirm:$False
~ sudo pwsh -Command 'Install-WSMan'
> Get-Credential
> Disable-WSManCertVerification
> Enter-PSSession -ComputerName "<redacted>" -Credential $creds -Authentication Negotiate -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)

[jborean93]

I believe NTLM authentication has never worked on macOS due to how the client is set up https://github.com/jborean93/omi?tab=readme-ov-file#changes-from-upstream-omi

Technically NTLM auth on macOS can work but only does when running over HTTPS. This is due to a fundamental problem with macOS and NTLM when it's wrapped in SPNEGO

[carefreepineapple]

@jborean93 how do I pass NTLM over HTTPS?

[jborean93]

Use a HTTPS connection, e.g. -UseSSL. It requires the Windows Server to have a configured HTTPS connection.

[carefreepineapple]

@jborean93 you mention the windows server need to have a configured HTTPS connection, do you happen to know if you can set up the HTTPS listener on a normal Windows 7 or Windows 10 device, not a server?

EDIT: I've got some work to do on these devices. None of them are setup to listen on 5986

l> Get-ChildItem wsman:\localhost\Listener


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Listener

Type            Keys                                Name                       
----            ----                                ----                       
Container       {Transport=HTTP, Address=*}         Listener_1682839512

[carefreepineapple]

This is ultimately a problem with the host not supporting HTTPS (5986) and NTLM not working on Mac without being over HTTPS.