Best method to check a computer can be successfully reached using WINRM

Question

Best method to check a computer can be successfully reached using WINRM

Darren Rose 496

I am using PowerShell scripts to do various tasks on remote computers.

PS Remoting is enabled on all computers but sometimes I still get some issues with some where I can't connect- these are normally easily solved by checking computer is not on a public network, firewall rules etc - fixing the connection issue is not the question here.

SOI want a reliable way to check it can be accessed before running rest of my script.

So I firstly test machine is online using Test-Connection - this works okay to exclude any machines offline or not responding.

Then I need to check machine can be accessed via winrm - I tried Test-WSMan but even on some machines I couldn't connect to this came back as being okay - so that is not much use.

For example response from Test-WSMan - all looks okay, and same output I get from working machine:

wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0

But if now try Invoke-Command on same machine I get error below:-

[Lxxxx] Connecting to remote server Lxxxx failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. Possible causes are: -The user name or password specified are invalid. -Kerberos is used when no authentication method and no user name are specified. -Kerberos accepts domain user names, but not local user names. -The Service Principal Name (SPN) for the remote computer name and port does not exist. -The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following: -Check the Event Viewer for events related to authentication. -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic. + CategoryInfo : OpenError: (Lxxxx:String) [], PSRemotingTransportException + FullyQualifiedErrorId : -2144108387,PSSessionStateBroken

So I have been using the below to check connection, and if response is 1 then it is okay to continue with script, and it it comes back with error then add computer name to $FailedRemoting variable to check later, and skip to next machine in list.

Invoke-Command -ComputerName L21217 { 1 }

Is that the best method, or is there another way I should be checking access via winrm?

Thanks

Accepted answer

2 additional answers

Your answer

Answer 1

Andreas Baumgarten 123.6K MVP Volunteer Moderator

You should check $result as well (not tested).

$result = Invoke-Command -ComputerName FAKEPC { if ($PSVersionTable.SerializationVersion) { 1 } else { 0 } }
if ($result -eq "1") { 1 } else { 0 }

if $result is equal "1" -> everything looks good
if $result not equals "1" ("0" or any other value, for instance an error message) -> Something went wrong

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Darren Rose 496 Reputation points

2021-01-22T18:53:13.077+00:00

Yes I am checking $result

And for computers it can connect to it comes back as 1, but for those it can't it doesn't contain anything, and I thought the whole point (and why I asked) of having else { 0 } was that iw ould come back with 0 if failed, but it doesn't it just comes back as nothing at all - which isn't a problem, but I am learning and hence asking why we need else { 0 } when it doesn't appear to do anything
Andreas Baumgarten 123.6K Reputation points MVP Volunteer Moderator

2021-01-22T18:57:47.077+00:00

Which else { 0 } are you referring to?
The one in the $PSVersionTable part or the $result part?

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
Darren Rose 496 Reputation points

2021-01-22T19:16:10.683+00:00
I was referring to the one in the first line ($PSVersionTable), as I assume that would set $result to 0 if failed

So as I was trying to ascertain, you don't actually need it in first line as

Both

$result = Invoke-Command -ComputerName NO-IT { if ($PSVersionTable.SerializationVersion) { 1 } } if ($result -eq "1") { 1 } else { 0 }

and

$result = Invoke-Command -ComputerName NO-IT { if ($PSVersionTable.SerializationVersion) { 1 } else { 0 } } if ($result -eq "1") { 1 } else { 0 }

give the same output

As I say not disagreeing or trying to argue, just learning and trying to always fully understand answers given to me :)
Rich Matheisen 47,901 Reputation points

2021-01-22T19:46:11.613+00:00

If Invoke-Command fails you'll never execute the code in the script block, so neither 1 or 0 will be returned.
Darren Rose 496 Reputation points

2021-01-22T19:51:58.18+00:00

1 is returned when it doesn't fail - nothing is returned when it does fail

Second line then shows 1 if value is 1 and shows 0 if value is 0 or nothing

Working fine for me

Answer 2

Andreas Baumgarten 123.6K MVP Volunteer Moderator

In my opinion your last check (check if response is 1) is great and hard to beat:

It checks if computer is reachable via network
WSMan is configured properly
A command is executed on the remote computer

The only improvement I can think of is running a simple command to check for example the version of PowerShell on the remote computer. Just to test if you get a response of a PowerShell command, not necessarily because of the PS version details.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Darren Rose 496 Reputation points

2021-01-22T18:02:36.877+00:00

@Andreas Baumgarten - Thank you for your response, much appreciated, and good to know I was thinking in right direction

What "simple" command would you suggest I run? perhaps $PSVersionTable - if so how do I then return a value of 1 or a boolean like I do now to know if successful or not
Andreas Baumgarten 123.6K Reputation points MVP Volunteer Moderator

2021-01-22T18:12:43.09+00:00
Maybe just something like this:

if ($PSVersionTable.SerializationVersion) { 1 } else { 0 }

Just an idea.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
Darren Rose 496 Reputation points

2021-01-22T18:18:53.55+00:00

Thanks, seems to work fine, though do I need the else { 0 } because if it fails it never returns 0 it just shows the error?
Andreas Baumgarten 123.6K Reputation points MVP Volunteer Moderator

2021-01-22T18:24:44.073+00:00

I personally like to get a clear response instead of a $null.
Maybe this is one of my quirks ;-)

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
Darren Rose 496 Reputation points

2021-01-22T18:29:21.84+00:00
Agreed, and so would I but if I use for example

$result = Invoke-Command -ComputerName FAKEPC { if ($PSVersionTable.SerializationVersion) { 1 } else { 0 } }

It returns 1 in $result for compuers it can connect to, but for computers it can't connect to it just shows error in first post and $result doesn't contain anything, and I assumed it was meant to contain 0

Answer 3

One of the failures you noted was related to Kerberos. That's usually not a problem with WinRM but with the credentials used to establish the remote connection.

You could use something like this to test for connectivity first and then the ability to attempt to establish a WinRM session:

$portOK = $false
$allOk = $false

# this is faster than test-connection ot test-netconnection
Try{
    $tcp = [System.Net.SocketsTcpClient]::New('ws05', 5985)
    $tcp.Close()
    $PortOK = $true
}
Catch{
    "Failed to connect on port tcp:5985"
}

if ($portOK){
    $result = try { 
        Invoke-Command -computer ws05 -scriptblock { 1 } -ErrorAction STOP
    } 
    catch {
        $_
    }
    if ($result -ne 1){
        # do something with these???
        # or just skip whatever would be done on the unreachable machine?
        # depends on how you handle errors
        $result.TargetObject
        $result.FullyQualifiedErrorId
    }
    else{
        $allOk = $true
    }
}
if (-not $allOk){
    # failed -- now handle the failure
}

Darren Rose 496 Reputation points

2021-01-22T20:22:16.69+00:00

Thanks for reply RichMatheisen-8856

Yes I noted the error mentioned Kerberos but all computers are on same domain and script being run from user account with domain admin credentials so very odd as most others connect fine, just a handful of these, suspect it is something to do with DNS, VPN or Firewall as in some cases they resolve themselves, in other cases it has been because they are working from home on VPN but connection to home wireless is showing as Public rather than Private, changing it then resolved it for some others.

Thanks for code sample, very useful

Share via

Best method to check a computer can be successfully reached using WINRM

2 additional answers

Your answer