
WinRM

You don’t need to set up TrustedHosts on the client or server side.

WinRM needs to be set up to use PowerShell remotely.

First off, make sure all machines have WinRM started and accepting connections from all hosts, or at least from your host. Run:

winrm quickconfig
Enable-PSRemoting -Force

Make sure the WinRM service is started and set to start automatically:

Set-Service WinRM -StartupType Automatic

To set all remote hosts as trusted (not the best idea, and I would recommend you alter it later to limit access):

Set-Item WSMan:\localhost\Client\TrustedHosts -Value *

To check the TrustedHosts configuration:

Get-Item WSMan:\localhost\Client\TrustedHosts

Sometimes the remote connection will still not work, so make sure you have set the authentication correctly by passing explicit credentials:

Enter-PSSession -computername 10.1.1.1 -Credential Domain\Username

Although this is the basic setup, I think a better implementation of WinRM is as follows:-

The issues I have come across are mainly when I’m working on machines in other domains. When connecting to a machine in another domain, the standard setup will not work.

I can’t connect to my remote domains via hostname.domain.name; I have to use the IP address, and WinRM doesn’t like this at all.

You will probably get an error message like this one:

[10.1.1.1] Connecting to remote server 10.1.1.1 failed with the following error message: The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config.

So what do we have to do to allow access to those machines? We have to create a new listener on port 5986 using HTTPS, so it’s secure, backed by a self-signed certificate; open up the firewall to allow communication on the new port 5986; and then configure the authentication.

Here are the steps:-

On the server you are trying to connect to, i.e. the server in the other domain:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.1.1

# Create the certificate and keep a reference to it so the listener can use its thumbprint
$hostname = "yourDNSname"
$cert = New-SelfSignedCertificate -DnsName $hostname -CertStoreLocation Cert:\LocalMachine\My
$thumbprint = $cert.Thumbprint

New-WSManInstance winrm/config/Listener -SelectorSet @{Address = "*"; Transport = "HTTPS"} -ValueSet @{Hostname = $hostname; CertificateThumbprint = $thumbprint}

netsh advfirewall firewall add rule name="WinRm (HTTPS)" protocol=TCP dir=in localport=5986 action=allow

# $servers is a list of remote host names; drop -ComputerName when running this locally
Set-Service WinRM -ComputerName $servers -StartupType Automatic

Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned

If you mess up or need to change the listener, use this command to remove it:-

Remove-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address='*';Transport='HTTPS'}

To see the listener, use this command:-

Get-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address='*';Transport='HTTPS'}

You can change HTTPS to HTTP to see the other listener.
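As an added example (not code from these notes), the listener steps above folded into one function that can be re-run safely: it reuses a valid certificate if one exists, replaces any stale HTTPS listener so the thumbprint always matches, and only adds the firewall rule once. It assumes an elevated shell on the target server running Windows 8/2012 or later (for New-SelfSignedCertificate and the NetFirewallRule cmdlets); the DNS name and port are parameters.

```powershell
# Added example: idempotent WinRM HTTPS listener setup (assumes elevated, Windows 8/2012+).
function Enable-WinRmHttpsListener {
    param(
        [Parameter(Mandatory)][string]$DnsName,   # name clients will connect with
        [int]$Port = 5986
    )

    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM

    # Reuse a non-expired self-signed cert for this name, otherwise create one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
    }

    # Replace any existing HTTPS listener so its thumbprint always matches $cert.
    $selector = @{ Address = '*'; Transport = 'HTTPS' }
    if (Get-WSManInstance -ResourceURI winrm/config/listener -SelectorSet $selector -ErrorAction SilentlyContinue) {
        Remove-WSManInstance -ResourceURI winrm/config/listener -SelectorSet $selector
    }
    New-WSManInstance -ResourceURI winrm/config/listener -SelectorSet $selector `
        -ValueSet @{ Hostname = $DnsName; CertificateThumbprint = $cert.Thumbprint; Port = $Port } | Out-Null

    # Open the port only if a rule with this name is not already present.
    $ruleName = 'WinRM (HTTPS)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow | Out-Null
    }

    # Return what a client needs; importing this cert into the client's Trusted Root store
    # lets it connect without -SkipCACheck.
    [pscustomobject]@{
        DnsName    = $DnsName
        Port       = $Port
        Thumbprint = $cert.Thumbprint
        Listener   = Get-WSManInstance -ResourceURI winrm/config/listener -SelectorSet $selector
    }
}

# Usage (hypothetical name): Enable-WinRmHttpsListener -DnsName 'server01.other.domain'
```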

One other problem I’ve come across is that if your machine has more than one NIC it may not connect. This is down to one of your NICs being on a public network. In my case, I have a couple of internal networks, separated from each other. There are a handful of machines that connect to both, and if they are identified in Windows as being on a public network, WinRM will not allow you to connect.

If you have Windows 8.1 or Windows 10 you can use this command to change it.

Get-NetConnectionProfile

This shows you the networks you are connected to.

Then simply run:

Set-NetConnectionProfile -InterfaceAlias "49Network" -NetworkCategory Private

Here 49Network is the interface alias of the network card, and the network category can be set to Private or Public.

To do the same for Windows 7 and 2008 R2, we run the following:-

# Create the Network List Manager COM object via its CLSID
$networklist = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'))
$connections = $networklist.GetNetworkConnections()
# Set network location to private for all networks
$connections | % { $_.GetNetwork().SetCategory(1) }

SetCategory can be set to 0 – public, 1 – private, 2 – domain (authenticated).
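As an added example (not from these notes), a single function that covers both the Windows 8.1/10 cmdlet path and the Windows 7/2008 R2 COM path above: it only touches connections that are currently Public, leaves domain-authenticated ones alone, supports -WhatIf, and returns the resulting categories so you can see what changed. The function name is my own.

```powershell
# Added example: switch every "Public" connection to "Private" so WinRM's firewall rules apply.
function Set-PublicNetworksPrivate {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Windows 8.1/10: use the NetConnection cmdlets when they exist.
    if (Get-Command Set-NetConnectionProfile -ErrorAction SilentlyContinue) {
        $public = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
        foreach ($p in $public) {
            if ($PSCmdlet.ShouldProcess($p.InterfaceAlias, 'Set NetworkCategory=Private')) {
                Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Private
            }
        }
        return Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
    }

    # Windows 7/2008 R2 fallback: INetworkListManager COM API.
    # Category values: 0 = Public, 1 = Private, 2 = Domain (authenticated).
    $nlmClsid = [Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'
    $nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($nlmClsid))
    $result = foreach ($conn in $nlm.GetNetworkConnections()) {
        $net = $conn.GetNetwork()
        if ($net.GetCategory() -eq 0 -and $PSCmdlet.ShouldProcess($net.GetName(), 'SetCategory(1)')) {
            $net.SetCategory(1)
        }
        [pscustomobject]@{ Name = $net.GetName(); Category = $net.GetCategory() }
    }
    return $result
}

# Usage: Set-PublicNetworksPrivate -WhatIf   (preview), then Set-PublicNetworksPrivate
```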

To list all listeners with winrm.cmd instead:-

winrm enumerate winrm/config/listener

Setting up WinRM on virtual machines in Azure

This relates to Terraform configurations.

To test the connection:

Set the creds with:

$cred = Get-Credential

Set the session option (these switches skip certificate validation, which is what lets a self-signed certificate through):

$sessionoption = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck

Then access the VM:

Enter-PSSession -ConnectionUri https://<public IP or DNS name of VM>:5986 -Credential $cred -SessionOption $sessionoption -Authentication Basic

For example:

Enter-PSSession -ConnectionUri https://dwhvm1prodtmp.uksouth.cloudapp.azure.com:5986 -Credential $cred -SessionOption $sessionoption -Authentication Basic

If this doesn't work, remove the "-Authentication Basic":

Enter-PSSession -ConnectionUri https://dwhvm1prodtmp.uksouth.cloudapp.azure.com:5986 -Credential $cred -SessionOption $sessionoption

Running winrm get winrm/config on the server will show you its current configuration.

Set this on the server:

Set-Service -Name "WinRM" -StartupType Automatic -Status Running
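The "try Basic, then try without it" step above as an added example (not code from these notes): a probe that attempts the HTTPS endpoint with Default and then Basic authentication, and for each tries strict certificate validation before falling back to the -SkipCACheck/-SkipCNCheck/-SkipRevocationCheck options, so the result tells you whether you are relying on an unvalidated certificate. The function name and $Target parameter are my own.

```powershell
# Added example: report which authentication and certificate-check combination reaches a WinRM HTTPS endpoint.
function Test-WinRmHttpsConnection {
    param(
        [Parameter(Mandatory)][string]$Target,            # public DNS name or IP of the VM
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Port = 5986
    )
    $uri = "https://${Target}:$Port"
    $attempts = @(
        @{ Label = 'Strict (certificate validated)'; Option = New-PSSessionOption }
        @{ Label = 'Lax (CA/CN/revocation checks skipped)'
           Option = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck }
    )
    foreach ($auth in 'Default', 'Basic') {
        foreach ($a in $attempts) {
            try {
                $s = New-PSSession -ConnectionUri $uri -Credential $Credential `
                        -Authentication $auth -SessionOption $a.Option -ErrorAction Stop
                # Prove the session works end to end, not just the TCP/TLS handshake.
                $remoteName = Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME }
                Remove-PSSession $s
                return [pscustomobject]@{
                    Uri            = $uri
                    Authentication = $auth
                    Validation     = $a.Label
                    RemoteHost     = $remoteName
                }
            } catch {
                Write-Verbose "$auth / $($a.Label): $($_.Exception.Message)"
            }
        }
    }
    throw "No combination of authentication and certificate checks could reach $uri"
}

# Usage: Test-WinRmHttpsConnection -Target 'vm.region.cloudapp.azure.com' -Credential (Get-Credential) -Verbose
```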


Configuring the WinRM service to use HTTPS without a publicly signed certificate

If the computer does not use a publicly signed certificate, you need to perform some additional steps.

If you are using a Windows version older than Windows 8/Windows Server 2012, you need to create a certificate on a separate, newer computer and then export the certificate to a file. Use the following commands to do this:

$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "{ipAddress}"
$password = ConvertTo-SecureString -String "{password}" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "{filePath}" -Password $password

Note: Use the IP address of the target computer.

To set up the remote management configuration on a computer that does not use a publicly signed certificate, do all the following steps on the target Windows computer using PowerShell:

  1. Start the WinRM service and set it to start automatically:
  2. Generate a new self-signed certificate:
  3. Use the following PowerShell command to create the certificate:
  4. Use the following command to check the certificate’s thumbprint, which you need when creating the WSMan HTTPS listener:
  1. Type mmc and press Enter.
  2. Select File > Add/Remove Snap-in.
  3. In the Available snap-ins dialog box, select Certificates.
  4. Click Add.
  5. In the Certificates snap-in dialog box, select Computer account and then click Next.
  6. In the Select Computer dialog box, click Finish.
  7. In the Add/Remove Snap-in dialog box, click OK.
  8. Select Certificates (Local Computer) > Personal, right-click and select All Tasks > Import.
  9. Browse for the copied certificate, then click Next.
  10. Enter the password for the certificate, then click Next.
  11. Click Finish.
  12. Add a new WSMan HTTPS listener:
  13. Add a new firewall rule to allow WinRM HTTPS traffic:
  14. Go to Control Panel > Windows Firewall > Advanced settings.
  15. Add a new rule for inbound traffic that allows TCP port 5986 for the selected network profiles.
  16. If you are using Linux scan nodes, run the following PowerShell command on the target Windows computer to allow basic WinRM authentication:

# 1. Set the creds
$cred = Get-Credential

# 2. The username should include the domain, e.g. Username = domainname\admin_username

# 3. Set the session options
$sessionoption = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck

# 4. Set the computer you are trying to connect to.
# You have to use the FQDN of the machine with Default authentication set. Examples:
# CI Backend  10.1.3.1 afe000000.internal.cloudapp.net
# IS1 Backend 10.1.3.2 fws000000.internal.cloudapp.net
# UAT Backend 10.1.3.3 arw000000.internal.cloudapp.net

$computerFQDN = "afe000000.internal.cloudapp.net"

Enter-PSSession -ComputerName $computerFQDN -Port 5985 -Authentication Default -Credential $cred -SessionOption $sessionoption