Windows Remote Management (ipv4+https)

Borislav Vitanov 81 Reputation points
2022-01-18T08:54:21.98+00:00

Hello everyone,
I have some questions regarding the configuration of WinRM. First, I'm now setting up Admin Center and I did it with only WinRM over HTTPS. I've also set up a template in the internal CA for deploying a certificate on servers.

Issue1: I was not able to set a Friendly Name for the certificate in the CA to make it easier when I have a long list of certificates already issued on a server, which means that I have to set the FriendlyName manually on every server and then find the Thumbprint with Get-ChildItem -path cert:\LocalMachine\My | select FriendlyName, Thumbprint | Format-List
Q: Does someone know if it is possible to do?

Issue2: I also checked the GP for what I can set there for deployment, and although there are settings for the WinRM client and service, they are very limited. If I enable the setting "Allow remote server management through WinRM", I could set IPv4 to * and leave IPv6 empty to enable only IPv4, but if I enable this option it will automatically enable HTTP+HTTPS, and I want to avoid enabling HTTP.

Issue3: Set the configuration in cmd. I've checked the commands for winrm configuration and the closest one is:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<YOUR_DNS_NAME>"; CertificateThumbprint="<COPIED_CERTIFICATE_THUMBPRINT>"}'

which leads to my problem. I would like to set the listener to use only IPv4 (this is linked to Issue2), but I couldn't find any example of a winrm create command including an IPv4 address instead of *.

Q: Has someone already done it or knows a better way to do it? I want to have WinRM only over IPv4 and HTTPS. Maybe cmd is limited and there is a "better" command in PowerShell?

Thanks in advance
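An added PowerShell example (not code from the question or from Microsoft) covering Issue1 and Issue3 together: it picks the certificate issued from the CA template, tags it locally with a FriendlyName so it is easy to find on later visits, creates the HTTPS listener bound to a single IPv4 address through the listener's IP:<address> selector (the documented alternative to *), and removes the wildcard HTTP listener. The template name 'WinRM-Server', the FriendlyName 'WinRM HTTPS' and the address 192.0.2.10 are assumptions for illustration; the template is assumed to be a v2/v3 template, whose name is carried in the Certificate Template Information extension.

```powershell
# Added example: WinRM over HTTPS on one IPv4 address only.
# Assumptions (adjust for your environment): the CA template is named
# 'WinRM-Server' (v2/v3 template, extension OID 1.3.6.1.4.1.311.21.7),
# the host's management IPv4 address is 192.0.2.10, and the certificate
# should be tagged locally with FriendlyName 'WinRM HTTPS'.
#Requires -RunAsAdministrator

$TemplateName = 'WinRM-Server'   # assumed template name
$FriendlyName = 'WinRM HTTPS'    # assumed local tag
$ListenAddr   = '192.0.2.10'     # assumed IPv4 address to bind
$HostName     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Select the newest valid certificate that was issued from the template.
#    The formatted template extension reads "Template=<name>(<oid>), ...".
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }) -match "Template=$TemplateName")
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate issued from template '$TemplateName' found." }

# 2. FriendlyName is a property of the local store entry, not of the issued
#    certificate, so it has to be set per host. Setting it on a certificate
#    object read from the store writes it back to the store.
$cert.FriendlyName = $FriendlyName

# 3. Create the HTTPS listener on the chosen IPv4 address. The Address
#    selector accepts '*', 'IP:<address>' or 'MAC:<address>'.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = "IP:$ListenAddr"; Transport = 'HTTPS' } `
    -ValueSet    @{ Hostname = $HostName; CertificateThumbprint = $cert.Thumbprint }

# 4. Remove any HTTP listener (the default one is Address=*, Transport=HTTP).
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse

# 5. Verify: only the HTTPS listener on the chosen IPv4 address should remain.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
```

Binding the listener to a specific IPv4 address is what actually keeps the service off IPv6; the Group Policy IPv6 filter is a separate, service-wide setting and is not touched here. The winrm.cmd equivalent of step 3 is the question's winrm create command with Address=IP:192.0.2.10 in place of Address=*.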


3 answers

  1. Limitless Technology 39,386 Reputation points
    2022-01-24T15:28:22.027+00:00

    Hi there,

    This might be helpful for you.

    - Firewall: enable a rule that only allows inbound WinRM connections from the specified subnet.
    - Use the "Service" side of WSMan instead of the "Client" side, i.e.
    Set-Item -Path WSMan:\localhost\Service\ -Name IPv4Filter -Value 10.10.10.1-10.10.10.254
    - Use a Group Policy to configure the same setting: Computer \ Policies \ Administrative Templates \ Windows Components \ Windows Remote Management \ WinRM Service \ Allow remote server management through WinRM: Enabled & Configure IPv4 Filter

    Here is also a thread that discusses the same issue; you can try out some troubleshooting steps from it and see if that helps you sort out the issue.
    https://learn.microsoft.com/en-us/answers/questions/699305/windows-remote-management-ipv4https.html


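An added PowerShell example (not from the answer above or from Microsoft) showing the two layers the answer lists side by side, with one caveat worth keeping in mind: the WinRM service IPv4Filter chooses which local IPv4 addresses the service listens on, it does not restrict which clients may connect. Source restriction is the firewall rule's job. The management subnet 10.10.10.0/24 is taken from the answer's filter range; the rule name is an assumption.

```powershell
# Added example: restrict the WinRM service at two layers.
# Assumptions: the host's management address lies in 10.10.10.1-10.10.10.254
# (the range from the answer) and management clients sit in 10.10.10.0/24.
#Requires -RunAsAdministrator

$LocalRange = '10.10.10.1-10.10.10.254'   # local addresses WinRM may bind to
$MgmtSubnet = '10.10.10.0/24'             # clients allowed to connect

# Layer 1: service filter. Only local IPv4 addresses inside the range get a
# listener; this is the Set-Item from the answer, not a source-address ACL.
Set-Item -Path WSMan:\localhost\Service\IPv4Filter -Value $LocalRange

# Layer 2: Windows Firewall. The built-in 'Windows Remote Management' group
# holds the HTTP-In (5985) rules; disable them, then allow HTTPS (5986)
# only from the management subnet on the Domain profile.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

if (-not (Get-NetFirewallRule -Name 'WinRM-HTTPS-Mgmt-In' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'WinRM-HTTPS-Mgmt-In' `
        -DisplayName 'WinRM over HTTPS from management subnet' `
        -Direction Inbound -Protocol TCP -LocalPort 5986 `
        -RemoteAddress $MgmtSubnet -Profile Domain -Action Allow
}

# Check both layers from the host itself.
Get-Item WSMan:\localhost\Service\IPv4Filter
Get-NetFirewallRule -Name 'WinRM-HTTPS-Mgmt-In' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

If the same policy is pushed by GPO (the answer's third bullet), the local Set-Item value is overridden by the policy value, so check WSMan:\localhost\Service\IPv4Filter after a gpupdate rather than trusting the local write.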

  2. Borislav Vitanov 81 Reputation points
    2022-02-03T08:19:38.267+00:00

    Hi @Limitless Technology

    Almost. I ended up manually deleting the HTTP listener with winrm delete winrm/config/Listener?Address=*+Transport=HTTP and will leave IPv6 in the config. Still, as there is no way to add a friendly name to the certificate template, I have to do the configuration manually anyway.

    What I found is another issue. I tried to set the configuration on an RWDC and an RODC of ours and received the following error when I tried to set the HTTPS listener:

    WSManFault
        Message
            ProviderFault
                WSManFault
                    Message = An internal error occurred.

    Error number: -2147023537 0x8007054F
    An internal error occurred.

    I couldn't find useful information about this specific error and WinRM, but I guess that the problem is with the certificate issued on the domain controller (it is the Kerberos Authentication template), although it is not the same error as written here:

    https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https

    If you get the following error message:

    Error number: -2144108267 0x80338115
    ProviderFault
        WSManFault
            Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate.

    "To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed."

    And I think that our certificate doesn't include a CN.

    [image: 170903-kerberos.jpg]

    Now, if I want to change the template and add it, then it has to be updated for a lot of different services, which will cause additional effort and loss of time. On the other hand, I can issue the WinRM template to domain controllers as well, but after some checking I found out that it could mess up the certificate used for LDAPS, which of course I want to avoid.

    Maybe I have to switch the WinRM template's purpose from server authentication to client authentication? That would basically make connections complicated, at least from what I've read.

    If you have some suggestion, I'll be glad to hear it.

    Thanks

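An added PowerShell example (not from the post above or from Microsoft) that checks every certificate in the machine store against the requirements quoted from the Microsoft article: a CN matching the hostname, the Server Authentication EKU, not expired, not self-signed, and a private key. It reports the Subject CN and the SAN DNS names separately, so a certificate like the one suspected above (Kerberos Authentication template, no CN) shows up with CNMatchesHost = False before any listener creation is attempted. The function name is an assumption.

```powershell
# Added example: test certificates in Cert:\LocalMachine\My against the
# WinRM HTTPS requirements quoted from the Microsoft troubleshooting article.
# Only the store location and the hostname lookup are assumed.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$TemplateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # v2+/v1 template extensions

function Test-WinRMCertificate {   # assumed name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now  = Get-Date
    $cn   = if ($Cert.Subject -match '(?:^|,)\s*CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    $dns  = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $tmpl = ($Cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateOids } |
             ForEach-Object { $_.Format($false) }) -join ' '

    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        Template       = $tmpl
        SubjectCN      = $cn
        # The article requires a CN matching the hostname; SAN is shown so a
        # SAN-only certificate (empty subject) is easy to recognise.
        CNMatchesHost  = ($cn -ieq $Fqdn) -or ($cn -ieq $env:COMPUTERNAME)
        SanMatchesHost = $dns -icontains $Fqdn
        HasPrivateKey  = $Cert.HasPrivateKey
        # A certificate with no EKU extension is valid for all purposes.
        ServerAuthEku  = ($ekus.Count -eq 0) -or ($ekus -contains $ServerAuthEku)
        NotExpired     = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        NotSelfSigned  = $Cert.Subject -ne $Cert.Issuer
        ChainValid     = $Cert.Verify()   # builds the chain and checks revocation
    }
}

# Run it over the whole personal store and show the findings side by side.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-WinRMCertificate -Cert $_ } |
    Format-Table Thumbprint, Template, SubjectCN, CNMatchesHost, SanMatchesHost,
                 HasPrivateKey, ServerAuthEku, NotExpired, NotSelfSigned, ChainValid -AutoSize
```

A row where everything except CNMatchesHost is True matches the situation described in the post: the certificate is otherwise usable, but its subject carries no CN, which is the one field the listener requirement names.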

  3. Borislav Vitanov 81 Reputation points
    2022-02-03T08:43:49.55+00:00

    And this is the config on one of the RODCs, which is the same as on any other member server where I executed the same commands:

    PS C:\Windows\system32> Winrm get http://schemas.microsoft.com/wbem/wsman/1/config
    Config
        MaxEnvelopeSizekb = 500
        MaxTimeoutms = 60000
        MaxBatchItems = 32000
        MaxProviderRequests = 4294967295
        Client
            NetworkDelayms = 5000
            URLPrefix = wsman
            AllowUnencrypted = false
            Auth
                Basic = true
                Digest = true
                Kerberos = true
                Negotiate = true
                Certificate = true
                CredSSP = false
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            TrustedHosts
        Service
            RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
            MaxConcurrentOperations = 4294967295
            MaxConcurrentOperationsPerUser = 1500
            EnumerationTimeoutms = 240000
            MaxConnections = 300
            MaxPacketRetrievalTimeSeconds = 120
            AllowUnencrypted = false
            Auth
                Basic = false
                Kerberos = true
                Negotiate = true
                Certificate = false
                CredSSP = false
                CbtHardeningLevel = Relaxed
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            IPv4Filter = *
            IPv6Filter = *
            EnableCompatibilityHttpListener = false
            EnableCompatibilityHttpsListener = false
            CertificateThumbprint
            AllowRemoteAccess = true
        Winrs
            AllowRemoteShellAccess = true
            IdleTimeout = 7200000
            MaxConcurrentUsers = 2147483647
            MaxShellRunTime = 2147483647
            MaxProcessesPerShell = 2147483647
            MaxMemoryPerShellMB = 2147483647
            MaxShellsPerUser = 2147483647
