WinRM doesn't work from one host?

This topic contains 9 replies, has 2 voices, and was last updated by Kitt Holland 3 years, 3 months ago.

  • #13498
    Kitt Holland
    Participant

    I'm trying to do some PowerShell remoting and having issues from one host.

    I have WinRM configured via GPO with TrustedHosts *

    The client settings at WSMAN:\localhost\Client are identical between the machines that work and the machine that does not. (5000, wsman, false, null, null, *)

    From all of the servers except 1 I am able to use PowerShell remote commands against any other host (I've been using Enter-PSSession to test).

    I have SSL/CredSSP authentication turned on and I have tried it with CredSSP and explicit credentials, and with passthrough non-credssp auth.

    I have one SCVMM server that will not connect to anything else. It is in the same VLAN and subnet as the rest of the servers, no firewalls between. Windows firewall is turned off.

    I can access the SCVMM server via WinRM from any other computer, but from the SCVMM server I get the following error when I try to connect to any other computer:

    Enter-PSSession : Connecting to remote server hypv3 failed with the following error message : The client
    cannot connect to the destination specified in the request. Verify that the service on the destination is running and
    is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination,
    most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
    analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
    about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + Enter-PSSession hypv3
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (hypv3:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

    Running winrm qc results in:

    WinRM service is already running on this machine.
    WinRM is already set up for remote management on this computer.

    This is Server 2012 and I'm not really sure what to do next. Anyone have any tips?

  • #13499
    B D
    Participant

    If you are using a custom port on your WinRM listener, do not forget to specify -port with Enter-PSSession.

    Try also with specifying -Authentication Negotiate | Credssp | Kerberos (one of these 3) with Enter-PSSession

    Check if your SCVMM server is in the OU where the GPO of the WinRM client is configured well.

    P.S.: Do not use TrustedHosts *; this is also not needed in a domain environment.

    P.P.S.: In a domain environment you can force Kerberos with GPO which encrypts the traffic. So the SSL option is not really needed and this makes it all easier.

  • #13500
    Kitt Holland
    Participant

    I added the CredSSP/TrustedHosts entries when I was trying to get CredSSP working to resolve second hop issues with certain commands. If some of these are unnecessary/redundant I can review those settings, but they are not impacting any other servers' connectivity.

    All of the current settings are identical across the servers and I verified that GPO is being applied and client settings are identical in WSMAN:\.

    I have tried declaring the -authentication as credssp, kerberos and negotiate and receive the same error immediately from the SCVMM server. From any other server all three work without issue.

  • #13501
    B D
    Participant

    Can you connect to the localhost on the SCVMM server? (Set up the WinRM server on SCVMM by running enable-psremoting.)

  • #13502
    Kitt Holland
    Participant

    Great test!

    That failed also on the SCVMM server. I think the client is truly fubar.

    I can connect to the SCVMM server from any other server, but it cannot connect to anything including localhost. I ran the enable-psremoting command (though it was already enabled) to see if it would shake anything loose but I still have the same errors after the fact.

  • #13503
    B D
    Participant

    I would compare the WinRM client registry settings with the other boxes:

    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\

    Adjust if needed and restart the WinRM service(!)

  • #13504
    Kitt Holland
    Participant

    The registry keys match.

    AllowCredSSP 1
    TrustedHosts 1
    TrustedHostsList *
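
The comparison suggested in #13503, using the value names posted in #13504, as an added example that is not from the thread or its participants; the function names, file names and the modified sample value are assumptions made for illustration. It snapshots the policy key on each host to a file, so the values can be compared even though the affected client cannot open a remote session, and it also reports a wildcard TrustedHostsList.

```powershell
# Added example: function names and sample data are hypothetical, not from the thread.
$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client'

function Get-WinRMClientPolicy {
    # Read every GPO-delivered WinRM client value into a hashtable of strings.
    param([string]$Path = $PolicyPath)
    $values = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) {
            $values[$name] = [string]$key.GetValue($name)
        }
    }
    return $values
}

function Compare-WinRMClientPolicy {
    # Emit one row per value that differs, plus a row for a wildcard TrustedHostsList.
    param([hashtable]$Baseline, [hashtable]$Suspect)
    $names = @($Baseline.Keys) + @($Suspect.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $b = $Baseline[$name]
        $s = $Suspect[$name]
        if ($b -ne $s) {
            [pscustomobject]@{ Name = $name; Baseline = $b; Suspect = $s; Finding = 'Differs' }
        }
        if ($name -eq 'TrustedHostsList' -and $s -eq '*') {
            [pscustomobject]@{ Name = $name; Baseline = $b; Suspect = $s; Finding = 'Trusts every host' }
        }
    }
}

# Real use, since the broken client cannot remote out: snapshot each host to a file,
# copy the files to one machine, then compare (GOOD.xml / BAD.xml are placeholder names).
#   Get-WinRMClientPolicy | Export-Clixml "$($env:COMPUTERNAME)-winrm-client.xml"
#   Compare-WinRMClientPolicy (Import-Clixml .\GOOD.xml) (Import-Clixml .\BAD.xml)

# Constructed sample data: the baseline holds the three values quoted in the thread;
# the suspect copy has AllowCredSSP changed only to show what a difference looks like.
$baseline = @{ AllowCredSSP = '1'; TrustedHosts = '1'; TrustedHostsList = '*' }
$suspect  = @{ AllowCredSSP = '0'; TrustedHosts = '1'; TrustedHostsList = '*' }
Compare-WinRMClientPolicy -Baseline $baseline -Suspect $suspect | Format-Table -AutoSize
```

An empty result means the policy values match and the fault lies outside this key.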

  • #13505
    B D
    Participant

    Are the other boxes 2012 server as well? Do they have the exact same GPOs applied? (Maybe it has something to do with Kerberos enforcement.)
    Try to reinstall PowerShell by turning the feature off and on?

  • #13507
    Kitt Holland
    Participant

    Sorry, I'm not sure how one would fully reinstall PowerShell on Server 2012. The Windows features for PowerShell that are installed are all grayed out to remove and the OS ships with it natively. Is there a command I'm missing?

  • #13506
    Kitt Holland
    Participant

    They are all Server 2012, and the only difference for GPO is WSUS reboot policy (I double-checked the policy settings to make sure nothing else is configured).

    I will try reinstalling PowerShell now.
