Knowledgebase
WinRM (Windows Remote Management) Troubleshooting Tips
Posted by Eric Hanig on 09 January 2014 04:26 PM

Here are troubleshooting steps for WinRM

You need to verify your winrm is set up correctly.  We provide scripts to setup the WinRM Configuration portion, these must be run in an elevated command prompt in order to work properly.  Command Prompt and PowerShell will interpret the commands differently because of the markup.  These should have been run and verified on Target Server and EPS BE Server.

 

Must be enabled on Target Server and EPS Backend Server

In winrm configuration ‘winrm get winrm/config’

CredSSP must be enabled for client and service

The Correct ports must be set 5985 5986(Default Ports, we use HTTP(5985))

 

Make sure the listeners were properly created.  ‘winrm enumerate winrm/config/listener'

If you get an error try running ‘winrm quickconfig’ again then check again.  Otherwise, reboot the server and verify/fix again.

 

In Group Policy two records should be set:(Make sure to use the correct /)

WSMAN/*

WSMAN/*.domain.ext

You can use  generic as shown above, or Target Server will contain records for EPS BE Server. And EPS BE will contain records for Target Server.

 

Each computer must be listening.  Firewall changes should be automatic.  You can check with:

Netstat –oan at the command line.  Look for 5985 to be listening

 

Use these commands in powershell to test the connection. (provideragentadmin will need to be either a domain admin, or a local administrator on each machine).

 

Change lines 3 and 4 to be your provideragentadmin account information(password, domain\provideragentadmin)

Change line 5 to point to your App Server.

 

1.            Log in to the EPS server

2.            Open Windows Powershell

3.            $pwd = ConvertTo-SecureString –String “password” –AsPlainText –Force

4.            $crd = New-Object -TypeName System.Management.Automation.PSCredential –ArgumentList “domain\provideragentadmin”, $pwd

5.            Enter-PSSession -Authentication Credssp -ConnectionUri "http://appserver:5985/wsman" -Credential $crd

 

If these commands allow you to make a remote powershell session to the Target Computer, WinRM is working correctly.

 

Otherwise:

Make sure there are no overriding WinRM Settings in your DOMAIN GPO from your AD Servers.

 

Check SPN’s on each computer(Usually not an issue, but on rare occasion).

Setspn –L domain\computer

     Each computer should have two WSMAN\computer records for itself.

WSMAN\Server
WSMAN\Server.domain.ext

If any are missing you can set them manually using:
Setspn -A WSMAN\Server Domain\Server
Setspn -A WSMAN\Server.domain.ext Domain\Server


Notes:

Setting Credentials in GPEdit on each machine from Above

Open Group Policy on the local machine. gpedit from the command prompt.

Local Computer Policy, Computer Configuration, Administrative Templates, System, Credential Delegation.
     Allow Delegating Fresh Credentials
          Enable
                Add Two Records for Each Computer
                     Target server will contain either Generic or Server records for the EPSBE Server
                     EPSBE Server will contain either Generic or Server records for the Target Server
                Records to be added
                     Generic
                            WSMAN/*
                            WSMAN/*.domain.ext
                     Or Server
                            Target Server
                                  WSMAN/EPSBE
                                  WSMAN/EPSBE.Domain.ext
                            EPSBE Server
                                  WSMAN/Target
                                  WSMAN/Target.Domain.ext
     Make sure you use the correct '/' when creating these records.
(1 vote(s))
Helpful
Not helpful

Comments (0)