WinRM over HTTPS

November 6, 2022 PowerShell 0

I got the error message below while connecting a workgroup machine to a domain server. I hope my learning helps someone 🙂


Enter-PSSession : Connecting to remote server 10.0.0.4 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

At line:1 char:1
+ Enter-PSSession 10.0.0.4
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (10.0.0.4:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

In this article, I will explain how to connect WinRM over HTTPS. I am using a Domain Controller (Windows Server 2022) and a client machine (Windows 10) that is in a workgroup (not domain-joined).

By default, when you run the winrm quickconfig command, WinRM is only configured for HTTP (port 5985).

Ensure the WinRM service is running on both the server and the client.

The command below shows the current listener configuration on the server:

WinRM e winrm/config/listener

To enable HTTPS for WinRM, you need to add an HTTPS listener on the server and open port 5986.

To establish secure WinRM communication over HTTPS (port 5986), you have to generate a self-signed certificate.

The command below creates the self-signed certificate (note the thumbprint it returns; the listener is bound to it in the next step):

New-SelfSignedCertificate -DnsName "Server_Name" -CertStoreLocation Cert:\LocalMachine\My

The command below (run from PowerShell) creates the WinRM listener over HTTPS; replace the thumbprint placeholder with the one returned above:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="Server_Name"; CertificateThumbprint="xxxxxxxxxxxxxxxxxxxx"}'

Now create the firewall rule for inbound communication.

Open Control Panel > Windows Firewall > Inbound Rules > click "New Rule" > select "Port" > click Next > select "TCP" and specific local port 5986 > click "Finish".

Or run the command below from an elevated command prompt to add an inbound rule allowing TCP port 5986:

netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986

Now verify the listeners again (WinRM e winrm/config/listener); you should see the newly created HTTPS listener on port 5986.
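The server-side steps above (certificate, HTTPS listener, firewall rule, verification) collected into one idempotent PowerShell script, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the server, that $ServerName is the name clients will later pass to -ComputerName (it must match the certificate's DnsName or the client's CN check fails), and that C:\Temp is a writable folder for the exported public certificate; New-WSManInstance and New-NetFirewallRule are used in place of the winrm.cmd and netsh commands shown above:

```powershell
# Added example (not from the original post): server-side WinRM over HTTPS in one script.
# Assumptions: elevated PowerShell on the server; $ServerName is what clients will use in
# -ComputerName and must equal the certificate DnsName; C:\Temp exists or can be created.
$ServerName = 'Server_Name'   # placeholder: replace with the server's DNS name / FQDN

# 1. Reuse a valid certificate for this name if one exists, otherwise create a self-signed one.
#    New-SelfSignedCertificate issues a one-year certificate by default; plan to rotate it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ServerName" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $ServerName -CertStoreLocation Cert:\LocalMachine\My
}
Write-Host "Using certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 2. Create the HTTPS listener bound to that thumbprint (WSMan cmdlet equivalent of
#    'winrm create winrm/config/Listener?Address=*+Transport=HTTPS ...').
$httpsListener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $httpsListener) {
    New-WSManInstance -ResourceURI 'winrm/config/Listener' `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet   @{ Hostname = $ServerName; CertificateThumbprint = $cert.Thumbprint } | Out-Null
}

# 3. Inbound firewall rule for TCP 5986 (equivalent of the netsh command in the post).
$ruleName = 'Windows Remote Management (HTTPS-In)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# 4. Verify: each listener with its transport, port and bound thumbprint.
#    The HTTPS row should show Port 5986 and the thumbprint printed in step 1.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport  = ($props | Where-Object Name -eq 'Transport').Value
        Port       = ($props | Where-Object Name -eq 'Port').Value
        Thumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    }
} | Format-Table -AutoSize

# 5. Export the public certificate only (no private key) so the client can trust it.
#    Hand the thumbprint to the client admin out of band so they can check the file.
New-Item -ItemType Directory -Force -Path 'C:\Temp' | Out-Null
Export-Certificate -Cert $cert -FilePath "C:\Temp\$ServerName.cer" | Out-Null
```

Only the .cer (public part) leaves the server; the private key stays in Cert:\LocalMachine\My. If the certificate is later renewed, the listener keeps pointing at the old thumbprint, so re-run step 2 with the new value (or update CertificateThumbprint on the existing listener) and redistribute the new .cer to clients.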

Server-side configuration is complete; now you have to perform the last steps on the client machine to start communicating.

Export the self-signed certificate from the server and import it into the client machine's Personal and Trusted stores.

# Use $Cred rather than $PWD: $PWD is PowerShell's automatic current-directory variable and should not be overwritten
$Cred = (Get-Credential)

Store the administrator credential in the $Cred variable, then run the command below to connect to the domain controller from the workgroup client machine.

Enter-PSSession -ComputerName "Server_Name" -Credential $Cred -Port 5986 -UseSSL
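The client-side steps (trust the exported certificate, then connect over 5986) as an added example, not code from the original post. It assumes an elevated PowerShell session on the workgroup Windows 10 client, that the .cer exported from the server has been copied to $CerPath, that $ServerName resolves (DNS or hosts file) to the server and matches the certificate's DnsName, and that $ExpectedThumbprint was read on the server itself (the xxxx placeholder stands for that value):

```powershell
# Added example (not from the original post): client side of WinRM over HTTPS.
# Assumptions: elevated PowerShell on the workgroup client; $CerPath is the public cert
# exported from the server; $ExpectedThumbprint was obtained on the server, out of band.
$ServerName         = 'Server_Name'               # placeholder: must match -DnsName on the server
$CerPath            = 'C:\Temp\Server_Name.cer'   # placeholder: copied from the server
$ExpectedThumbprint = 'xxxxxxxxxxxxxxxxxxxx'      # placeholder: thumbprint read on the server

# 1. Inspect the file before trusting it: a .cer copied over the network could have been
#    swapped, and a name or date mismatch would only surface later as a TLS error.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
}
if ($cert.Subject -ne "CN=$ServerName") {
    throw "Certificate subject '$($cert.Subject)' does not match CN=$ServerName"
}
if ($cert.NotAfter -le (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); get a renewed one from the server"
}

# 2. Import into Trusted Root Certification Authorities; this is what lets the client
#    validate the server's self-signed certificate. Import into Personal as well if you
#    follow the post exactly, but only Root is consulted for server validation.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Make sure the local WinRM service is running (the post requires it on both sides),
#    then test the HTTPS transport and authentication before opening a session.
Start-Service WinRM
$Cred = Get-Credential -Message "Account on $ServerName (e.g. DOMAIN\Administrator)"
Test-WSMan -ComputerName $ServerName -Port 5986 -UseSSL -Credential $Cred -Authentication Default

# 4. Interactive session. No TrustedHosts entry is needed: with -UseSSL the server proves
#    its identity with the certificate just imported, which is the point of this setup.
Enter-PSSession -ComputerName $ServerName -Port 5986 -UseSSL -Credential $Cred
```

If Test-WSMan fails with a certificate error, the usual causes are a -ComputerName that differs from the certificate's DnsName (connecting by IP address instead of name, for example) or an expired certificate; fix the name or renew the certificate rather than disabling the CA or CN checks with a session option, since those checks are what makes HTTPS stronger than a TrustedHosts entry.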

This is a fairly uncommon scenario, and I have explained it at a low level for better understanding. The same approach applies to domain-joined clients or servers for centralized remote management of multiple servers over HTTPS.

Let me know in the comments if you need to apply this approach to all servers via GPO / PowerShell.
