Hello Everyone,
We have a requirement to manage some Windows servers through WinRM from Linux servers so we configured WinRM to have an HTTPS listener (with a self-signed certificate) listening on the default port 5986 on all intended Windows servers (2008, 2012 & 2016). We also configured the servers to have a local admin account for authentication.
If we test by using basic authentication, everything works correctly and we're able to manage most of the servers. However, the requirement is to use certificates for client authentication instead of the basic one, so we disabled basic and enabled certificate authentication, and also configured all the Windows servers as follows:
- Created an openssl self-signed certificate with extendedKeyUsage = clientAuth.
- Imported the certificate into the Trusted Root and Trusted People cert stores of LocalMachine for every server.
- Mapped the local admin account to the imported certificate.
Then we tested in the two different environments that we have; in the development environment it is working fine on the 2008 and 2016 servers, but in the test environment it only worked on the 2008 server; on 2012 and 2016 it's giving an authentication error. We validated and confirmed that they had the same configuration as the other servers and even re-configured everything from scratch, but nothing works. If we try to connect from Windows using the Enter-PSSession command, we get the error:
Enter-PSSession : Connecting to remote server <host> failed with the following error message : The WinRM client cannot process the request. The destination computer
(<host>:5986) returned an 'access denied' error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify that the client
computer and the destination computer are joined to a domain. Possible authentication mechanisms reported by server: Negotiate ClientCerts For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession @sessionParams
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (<host>:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
If we try to connect from Linux using Python and PyWinRM, we get the following error:
>>> shell_id = p.open_shell()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 234, in send_message
    resp = self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 256, in send_message
    response = self._send_message_request(prepared_request, message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 266, in _send_message_request
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
Has anyone faced this problem before? Do any of you know how this may be resolved?
Thank you in advance.
The following is the current WinRM configuration:
WinRM Listener:
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = <hostname>
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 9FE3A0FA1F265F23F6BA68A1C493BD8C23C6E717
    ListeningOn = <ip_address>, 127.0.0.1, ::1, fe80::5efe:10.251.56.180%6, fe80::7987:7b5f:cc8b:b456%4

WinRM Service:
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
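As an added check that is not part of the original post, the following PowerShell (run from an elevated prompt on each Windows host) walks the client certificate mappings under the WSMan: drive and reports, per mapping, whether the prerequisites described above hold: the issuer certificate present in Trusted Root and Trusted People, the clientAuth EKU, a Subject Alternative Name UPN matching the mapping's Subject, and an existing local account. The WSMan: paths and the UPN-in-SAN requirement are standard WinRM certificate-authentication behaviour; nothing here is taken from the poster's environment.

```powershell
# Added check script, not from the original post. Run in an elevated PowerShell on
# each target host; assumes the WSMan: drive is present (it is wherever WinRM is installed).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# 1. Service-side prerequisites: certificate auth enabled and an HTTPS listener present.
$certAuth = (Get-Item WSMan:\localhost\Service\Auth\Certificate).Value
$https = @(Get-ChildItem WSMan:\localhost\Listener | Where-Object {
    (Get-ChildItem $_.PSPath | Where-Object { $_.Name -eq 'Transport' }).Value -eq 'HTTPS' })
"Service\Auth\Certificate = $certAuth; HTTPS listeners = $($https.Count)"

# 2. Walk every client certificate mapping under WSMan:\localhost\ClientCertificate.
foreach ($map in Get-ChildItem WSMan:\localhost\ClientCertificate) {
    $p = @{}
    Get-ChildItem $map.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
    "`nMapping $($map.Name): Subject=$($p.Subject) Issuer=$($p.Issuer) User=$($p.UserName) Enabled=$($p.Enabled)"

    # Issuer is the thumbprint of the issuing certificate, which must be in Trusted Root;
    # with a self-signed client certificate the same certificate must also sit in Trusted People.
    $root   = Get-ChildItem Cert:\LocalMachine\Root |
              Where-Object { $_.Thumbprint -eq $p.Issuer } | Select-Object -First 1
    $people = Get-ChildItem Cert:\LocalMachine\TrustedPeople |
              Where-Object { $_.Thumbprint -eq $p.Issuer } | Select-Object -First 1
    "  In Trusted Root:      $([bool]$root)"
    "  In Trusted People:    $([bool]$people)"
    if (-not $root) { continue }

    # 3. The certificate needs the Client Authentication EKU ...
    $eku = $root.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    "  EKU clientAuth:       $([bool]$hasClientAuth)"

    # ... and a Subject Alternative Name (OID 2.5.29.17) whose UPN equals the mapping's Subject.
    $san = $root.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '(none)' }
    "  SAN:                  $sanText"
    "  SAN contains Subject: $($sanText -match [regex]::Escape([string]$p.Subject))"

    # 4. The mapped account must exist as a local account (Get-WmiObject is available on 2008 R2 to 2016).
    $acct = ([string]$p.UserName -split '\\')[-1]
    $exists = [bool](Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$acct'")
    "  Local account '$acct': $exists"
}
```

Comparing this output between a host where certificate authentication works and one where it fails narrows the problem to the specific prerequisite that differs.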