My Photo

Technical Architect with over 15 years experience in a wide range of technologies.

@TheCodeKing

rss feed

WinRM in mixed domain environments | Thursday, February 24, 2011

Introduction

Windows Remoting works perfectly for same domain situations, and the set-up is relatively straight-forward. It's extremely powerful when it works, and offers a highly flexible way to securely execute commands remotely.

Problems arise however when trying to use WinRM in mixed domain environments, or where only one machine is on a domain. As I discovered this requires some additional configuration steps outlined below.

Enabling Remoting

Enabling WinRM between computers on the same domain is straight forward by running the following command in an elevated Powershell console on the remote server. This enables WinRM and configures the firewall so that it can accept incoming commands.

Enable-PSRemoting

Once this is done commands can then be executed against the machine remotely as follows.

Invoke-Command -ComputerName RM-SERVER -ScriptBlock {Get-Process}

This example will list processes on the remote machine named RM-SERVER using the Get-Process cmdlet.

Mixed domain

Mixed domain environments require some additional configuration to get working. To do this the following command needs to be executed on the remote server. This will allow the client server to authenticate from a different domain, or with an account local to the remote server.

New-Itemproperty -name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

With this configuration it's now possible to authenticate and execute a command remotely with explicit credentials.

$credential = Get-Credential
Invoke-Command -ComputerName RM-SERVER -ScriptBlock {Get-Process} -Credential $credential

Or create the credential explicitly in script as shown below.

$securePassword = ConvertTo-SecureString "Password" -AsPlainText -force
$credential = New-Object System.Management.Automation.PsCredential("domain\username",$securePassword)
Invoke-Command -ComputerName RM-SERVER -ScriptBlock {Get-Process} -Credential $credential

Troubleshooting

WinRM cannot process the request

Beware, I spent several hours on this. No matter what I did I kept getting the following error. It turns out this was caused by anti-virus software running on the remote server which had to be disabled.

Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: There are currently no logon servers available to service the logon request.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken

Trusted hosts

The remote server can be configured to allow commands from only specific hosts. To set this run the following in an elevated Powershell console on the remote server. By default this is set to allow any host (*).

Set-item wsman:localhost\client\trustedhosts -value RM-Client1,RM-Client2

The line above configures the remote server to allow only commands from machines RM-Client1 and RM-Client2.

Firewall configuration

WinRm requires port 5985 for http, or port 5986 for https. The Enable-PSRemoting cmdlet will auto-configure the Windows software firewall, but do ensure these ports are accessible across your network infrastructure.


4 comments:

mushaib yoonus said...

thx for the trustedhosts syntax it helped me.

Callum Ashton said...

Thanks for the good tutorial it really helped. As a side note though after running through the above I still couldn't connect.

To fix this I had to run the "Set-item wsman:localhost\client\trustedhosts" command on the client server with "-value RM-SERVER".

But thanks for the help.

Jesse Jones said...

I used the last step on both the host and the client servers (making them trust one another) and it finally worked! Thanks.

Philip Jagielski said...

I too had to make both the client and the server trust each other (using the Set-item wsman:.... command) to get this to work.

Great article thank you!

Post a Comment