The case of winrm that was configured properly but never worked

On two Windows 2012 R2 servers (not Core, not DCs, actually fresh installs with all patching done) on the same subnet, I have configured WinRM and PS remoting, but I still cannot open a remote session.

I have tried:

winrm qc
Enable-psremoting
Winrm e winrm/config/listener
PS C:\Windows\system32> winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.81.1.153, 127.0.0.1, ::1, fe80::5efe:10.81.1.153%13, fe80::f1f9:11cd:8c30:39a9%12

Telnet to 5985 OK

Get-pssessionconfiguration -> v4

Set-Item wsman:\localhost\Client\TrustedHosts -Value *

So when I try winrm identify or etsn, I get the following:

etsn
Connecting to remote server 10.81.1.153 failed with the following error message : The WinRM client cannot
process the request. Default authentication may be used with an IP address under the following conditions: the
transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use
winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more
information on how to set TrustedHosts run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ etsn 10.81.1.153
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (10.81.1.153:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed


winrm id -r:10.81.1.152
WSManFault
    Message = The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config.

Error number: -2144108101 0x803381BB
The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config.

Even after checking all settings:

PS C:\Windows\system32> winrm get wmicimv2/Win32_Service?Name=WinRM
Win32_Service
    AcceptPause = false
    AcceptStop = true
    Caption = Windows Remote Management (WS-Management)
    CheckPoint = 0
    CreationClassName = Win32_Service
    Description = Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.
    DesktopInteract = false
    DisplayName = Windows Remote Management (WS-Management)
    ErrorControl = Normal
    ExitCode = 0
    InstallDate = null
    Name = WinRM
    PathName = C:\Windows\System32\svchost.exe -k NetworkService
    ProcessId = 868
    ServiceSpecificExitCode = 0
    ServiceType = Share Process
    Started = true
    StartMode = Auto
    StartName = NT AUTHORITY\NetworkService
    State = Running
    Status = OK
    SystemCreationClassName = Win32_ComputerSystem
    SystemName = server
    TagId = 0
    WaitHint = 0

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter = * [Source="GPO"]
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30

Again, both servers ping .152 and .153, nslookup forward and reverse work fine, telnet to the WinRM port works, the WinRM services are up... only WinRM doesn't work.

I am running out of ideas, any suggestions are welcome... thanks!

From the two systems above, I am able to enter a PSSession to another fresh Windows 2012 install. Still, those two systems cannot accept sessions. Comparing the global configuration elements, the only difference is the listening IP in the listener settings. The rest is exactly the same; the GPO for WinRM works.

winrm get winrm/config - identical
winrm get winrm/config/client - identical
winrm get winrm/config/service - identical
winrm enumerate winrm/config/resource - identical
winrm enumerate winrm/config/listener - IPs are different
winrm enumerate winrm/config/plugin - identical
winrm enumerate winrm/config/service/certmapping - identical (Empty)

Test-WSMan from and to each server returns information without errors.

> Test-WSMan 10.81.1.153

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

> Test-WSMan 10.81.1.152

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

In fact, I never solved this. Nothing I tried worked, and all settings from winrm/wsman seemed proper.

I eventually used a fresh install from a newer build, SW_DVD9_Windows_Svr_Std_and_DataCtr_2012_R2_64Bit_English_-4_MLF_X19-82891, and that seemed to solve the issue, with the same GPOs and default settings.

If you can think of anything, please let me know!
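The error text quoted above spells out the rule the WinRM client applies to IP-address targets: with an IP there is no SPN, so Kerberos cannot be used, and the client will only fall back to Negotiate/NTLM when the target is covered by TrustedHosts and the call carries explicit credentials, or when the transport is HTTPS. Test-WSMan succeeding proves less than it looks, because without -Authentication it sends an unauthenticated Identify request. The script below is an added diagnostic, not part of the original post: it tries each authentication path in turn against one target and reports which the client accepts, which separates a client-side refusal from a listener that is genuinely not answering. The IP, the FQDN and the account are assumptions.

```powershell
# Added example, not from the original post. Names, IP and account are assumptions.
# Exercises each path the 0x803381BB error message describes for an IP target.
param(
    [string]$TargetIp   = '10.81.1.153',          # assumption: IP from the post
    [string]$TargetFqdn = 'server.corp.example',  # assumption: its DNS name
    [pscredential]$Credential = (Get-Credential -Message 'Account with remote admin rights on the target')
)

function Test-RemotingPath {
    param(
        [string]$Name,
        [scriptblock]$Attempt
    )
    try {
        $result = & $Attempt
        [pscustomobject]@{ Path = $Name; Result = 'OK'; Detail = $result }
    } catch {
        # Keep only the first line of the WinRM error; the rest is the usual boilerplate.
        $msg = ($_.Exception.Message -split "`n")[0]
        [pscustomobject]@{ Path = $Name; Result = 'FAIL'; Detail = $msg }
    }
}

# The client-side setting the error message refers to.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Write-Host "Client TrustedHosts = '$trusted'"

$results = @(
    # 1. IP, default auth, no credentials: Kerberos needs an SPN, so this is expected
    #    to fail with 0x803381BB no matter what TrustedHosts contains.
    Test-RemotingPath 'IP, default auth, no creds' {
        Invoke-Command -ComputerName $TargetIp -ScriptBlock { $env:COMPUTERNAME }
    }
    # 2. IP, TrustedHosts + explicit creds: NTLM via Negotiate; works only if
    #    TrustedHosts covers the IP and the service allows Negotiate (it does above).
    Test-RemotingPath 'IP, TrustedHosts + explicit creds' {
        Invoke-Command -ComputerName $TargetIp -Credential $Credential -ScriptBlock { $env:COMPUTERNAME }
    }
    # 3. FQDN, default auth: Kerberos against the host SPN; no TrustedHosts needed on a domain.
    Test-RemotingPath 'FQDN, Kerberos' {
        Invoke-Command -ComputerName $TargetFqdn -ScriptBlock { $env:COMPUTERNAME }
    }
    # 4. IP over HTTPS: the other route the error lists; needs a 5986 listener with a certificate.
    Test-RemotingPath 'IP, HTTPS + explicit creds' {
        Invoke-Command -ComputerName $TargetIp -UseSSL -Credential $Credential -ScriptBlock { $env:COMPUTERNAME }
    }
)

$results | Format-Table -AutoSize
```

If path 1 fails and path 2 or 3 succeeds, the listener and the service are fine and the refusal is the client applying the rule in the error text; if every path fails with a connection error rather than 0x803381BB, the problem is on the server side. TrustedHosts set to * disables the client's check on who it is sending NTLM credentials to, so narrow it to the management hosts once the diagnosis is done.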


#remoting, #windows-2, #winrm, #ws-management, #wsman

Enable Powershell Remoting via Group Policy

While one can run the command below on each server to enable PS remoting, it is better to standardize this with a GPO applied to your servers.

>Enable-PSRemoting

I am assuming you will be working with Windows 7 and up and Windows Server 2008 R2 and up, since earlier versions carry a number of prerequisites around .NET and PowerShell 2.0.

You will need a GPO that configures three things (which is what Enable-PSRemoting does locally):

  1. The enablement of the WinRM listener
  2. The firewall exception
  3. The WinRM service start mode

Enabling WinRM
Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
Enable "Allow remote server management through WinRM" (Windows 2012 and up) or "Allow automatic configuration of listeners" (Windows 2008 and earlier templates).
Set the IPv4 and IPv6 filters to * unless you need something specific there. Note that * makes the service listen on every address the server has; if your servers have interfaces outside the management network, put the management subnet in the filter instead.

Punching holes in the firewall
Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall... > Inbound Rules
Add a new rule and choose the "Windows Remote Management" predefined rule. It opens TCP 5985 inbound; scope it to your management subnet if the servers have other exposed interfaces.

Configure the WinRM service
Policies > Windows Settings > Security Settings > System Services
Select the Windows Remote Management (WS-Management) service and set it for automatic startup.
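Once the GPO has applied, the three items above should be visible on each server as a policy registry value, a listener, an enabled firewall rule and an automatic, running service. The script below is an added example, not from the original post or Microsoft: run it on a target server (Windows 2012 R2 / PowerShell 4 assumed, because Get-NetFirewallRule is not available on 2008 R2) and it reports which of the three items has not landed. The registry path and value names are the ones the WinRM Service policy template writes.

```powershell
# Added example, not from the original post. Verifies on the local server that the
# three GPO items (listener policy, firewall rule, service start mode) are in effect.
# Assumes Windows 2012 R2 / PowerShell 4 for Get-NetFirewallRule.

function Get-WinRmPolicyState {
    # Values written by "Allow remote server management through WinRM".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $pol = if (Test-Path $policyKey) { Get-ItemProperty $policyKey } else { $null }

    # 1. Resulting listeners from the WSMan drive (one child per listener).
    $listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ChildItem $_.PSPath
            [pscustomobject]@{
                Transport = ($props | Where-Object Name -eq 'Transport').Value
                Port      = ($props | Where-Object Name -eq 'Port').Value
                Address   = ($props | Where-Object Name -eq 'Address').Value
                Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
            }
        }

    # 2. The predefined "Windows Remote Management" rule group.
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Profile

    # 3. Service start mode and state.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinRM'" | Select-Object StartMode, State

    [pscustomobject]@{
        PolicyAllowAutoConfig = $pol.AllowAutoConfig
        PolicyIPv4Filter      = $pol.IPv4Filter
        PolicyIPv6Filter      = $pol.IPv6Filter
        Listeners             = $listeners
        FirewallRules         = $fwRules
        ServiceStartMode      = $svc.StartMode
        ServiceState          = $svc.State
    }
}

function Test-WinRmPolicyState {
    param([pscustomobject]$State = (Get-WinRmPolicyState))
    $problems = @()
    if ($State.PolicyAllowAutoConfig -ne 1) {
        $problems += 'GPO not applied: AllowAutoConfig is not 1 (try gpupdate /force, then gpresult /h)'
    }
    if (-not ($State.Listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Port -eq 5985 -and $_.Enabled -eq 'true' })) {
        $problems += 'No enabled HTTP listener on 5985'
    }
    if (-not ($State.FirewallRules | Where-Object { $_.Enabled -eq 'True' })) {
        $problems += 'No enabled "Windows Remote Management" firewall rule'
    }
    if ($State.ServiceStartMode -ne 'Auto')  { $problems += "WinRM start mode is '$($State.ServiceStartMode)', not Auto" }
    if ($State.ServiceState -ne 'Running')   { $problems += "WinRM service state is '$($State.ServiceState)'" }
    # Not a failure, but worth seeing: * means the listener binds every address.
    if ($State.PolicyIPv4Filter -eq '*') {
        Write-Warning 'IPv4Filter is *: the listener accepts connections on every interface'
    }
    return $problems
}

$problems = Test-WinRmPolicyState
if ($problems) { $problems } else { 'OK: WinRM policy fully applied' }
```

Run it under an elevated prompt, since the WSMan drive needs administrative rights to read. An empty problem list means the three GPO items are all in effect; any line it prints names the specific item to chase in gpresult or the Group Policy event log.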

#gpo, #powershell, #remote, #remote-management, #remoting, #windows-firewall, #windows-remote-management, #ws-management