WinRM Certificate Authentication Problem on Some 2012 & 2016 Windows Servers

Uriel 96 Reputation points
2020-11-27T16:23:26.923+00:00

Hello Everyone,

We have a requirement to manage some Windows servers through WinRM from Linux servers so we configured WinRM to have an HTTPS listener (with a self-signed certificate) listening on the default port 5986 on all intended Windows servers (2008, 2012 & 2016). We also configured the servers to have a local admin account for authentication.

If we test by using basic authentication everything works correctly and we're able to manage most of the servers, anyway, the requirement is to use certificates for client authentication instead of basic one so we disabled basic and enabled certificate, and also configured all the Windows servers as follows:

  1. Created an openssl self-signed certificate with extendedKeyUsage = clientAuth.
  2. Imported the certificate into the Trusted Root and Trusted People cert stores of LocalMachine for every server.
  3. Mapped the local admin account to the certificate imported. Then we tested in two different environments that we have; in the development environment it is working fine on 2008 and 2016 servers, but in the test environment it only worked on 2008 server, on 2012 and 2016 it's giving an authentication error. We validated and confirmed that they had the same configuration than the other servers and even re-configured everything from scratch but nothing works. If we try to connect from Windows using the Enter-PSSession command, we get the error:

Enter-PSSession : Connecting to remote server <host> failed with the following error message : The WinRM client cannot process the request. The destination computer
(<host>:5986) returned an 'access denied' error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify that the client
computer and the destination computer are joined to a domain. Possible authentication mechanisms reported by server: Negotiate ClientCerts For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1

  • Enter-PSSession @sessionParams
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : InvalidArgument: (<host>:String) [Enter-PSSession], PSRemotingTransportException
  • FullyQualifiedErrorId : CreateRemoteRunspaceFailed

If we try to connect from Linux using Python and PyWinRM, we get the following error:


shell_id = p.open_shell()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 157, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 234, in send_message
resp = self.transport.send_message(message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 256, in send_message
response = self._send_message_request(prepared_request, message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 266, in _send_message_request
raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server


Has anyone faced this problem before? Do any of you know how this may be resolved?

Thank you in advance.

The following is the current WinRM configuration:


WinRM Listener


Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = <hostname>
Enabled = true
URLPrefix = wsman
CertificateThumbprint = 9FE3A0FA1F265F23F6BA68A1C493BD8C23C6E717

ListeningOn = <ip_address>, 127.0.0.1, ::1, fe80::5efe:10.251.56.180%6, fe80::7987:7b5f:cc8b:b456%4

WinRM Service


Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,369 questions
Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,527 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,112 questions
Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
421 questions
0 comments No comments
{count} votes

Accepted answer
  1. Uriel 96 Reputation points
    2021-06-02T21:34:01.003+00:00

    Thank God I finally found an article with a solution that worked for me. I want to share it in case someone else is experiencing the same problem:

    https://stackoverflow.com/a/67422353/16110314

    The solution is basically to add a DWord registry key named "ClientAuthTrustMode" with a value of 2 to the path "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL".

    I hope this helps.


2 additional answers

Sort by: Most helpful
  1. Jenny Yan-MSFT 9,321 Reputation points
    2020-11-30T07:59:12.683+00:00

    Hi,
    1.Did you check the permission of users for remoting that has proper authorizations on the remote machine?

    Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell
    Link: https://devblogs.microsoft.com/scripting/configure-remote-security-settings-for-windows-powershell/

    2.For some commands, it is required to input FQDN of the remote sever, otherwise the certificate will be invalid.

    3.Here is a similar thread for your reference:
    Enter-PSSession fails to connect, Access is denied
    https://social.technet.microsoft.com/Forums/en-US/60a759c7-d2e5-448f-b6b1-f716d13bf33c/enterpssession-fails-to-connect-access-is-denied?forum=winserverpowershell


    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny


  2. RAPIN Quentin 1 Reputation point
    2021-02-02T12:58:11.397+00:00

    Hey @Uriel , have you finally found an answer to your question ? I'm experiencing the same problem right now.