WinRM (Windows Remote Management) Troubleshooting Tips
Posted by Eric Hanig on 09 January 2014 04:26 PM
Here are troubleshooting steps for WinRM.
First verify that WinRM is set up correctly. We provide scripts to set up the WinRM configuration portion; these must be run in an elevated command prompt in order to work properly. Command Prompt and PowerShell will interpret the commands differently because of the markup. The scripts should have been run and verified on both the Target Server and the EPS BE Server.
WinRM must be enabled on the Target Server and the EPS Backend Server.
In the WinRM configuration ('winrm get winrm/config'):
CredSSP must be enabled for client and service.
The correct ports must be set: 5985 and 5986 (default ports; we use HTTP, 5985).
Make sure the listeners were properly created: 'winrm enumerate winrm/config/listener'
If you get an error, try running 'winrm quickconfig' again, then check again. Otherwise, reboot the server and verify/fix again.
In Group Policy, two records should be set (make sure to use the correct /):
You can use the generic records as shown above, or the Target Server will contain records for the EPS BE Server and the EPS BE Server will contain records for the Target Server.
Each computer must be listening. Firewall changes should be automatic. You can check with:
netstat -oan at the command line. Look for 5985 to be listening.
Use these commands in PowerShell to test the connection (provideragentadmin will need to be either a domain admin or a local administrator on each machine).
Change lines 3 and 4 to be your provideragentadmin account information (password, domain\provideragentadmin).
Change line 5 to point to your App Server.
1. Log in to the EPS server
2. Open Windows PowerShell
3. $pwd = ConvertTo-SecureString -String "password" -AsPlainText -Force
4. $crd = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "domain\provideragentadmin", $pwd
5. Enter-PSSession -Authentication Credssp -ConnectionUri "http://appserver:5985/wsman" -Credential $crd
If these commands allow you to make a remote PowerShell session to the Target Computer, WinRM is working correctly.
Make sure there are no overriding WinRM Settings in your DOMAIN GPO from your AD Servers.
Check the SPNs on each computer (usually not an issue, but it is on rare occasions).
setspn -L domain\computer
Each computer should have two WSMAN/computer records for itself, e.g. WSMAN/Server.
If any are missing you can set them manually using:
setspn -A WSMAN/Server Domain\Server
setspn -A WSMAN/Server.domain.ext Domain\Server
Setting Credentials in GPEdit on each machine from Above
Open Group Policy on the local machine: run gpedit from the command prompt.
Local Computer Policy, Computer Configuration, Administrative Templates, System, Credential Delegation.
Allow Delegating Fresh Credentials
Add Two Records for Each Computer
Target server will contain either Generic or Server records for the EPSBE Server
EPSBE Server will contain either Generic or Server records for the Target Server
Records to be added
Make sure you use the correct '/' when creating these records.
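The checks described in this article, collected into one read-only PowerShell script as an added example (it is not one of the setup scripts the article refers to). It assumes an elevated prompt on a domain-joined machine and that the Credential Delegation policy is stored under the standard HKLM Policies registry key; the helper name Add-Check is hypothetical.

```powershell
# Added example: read-only checks for the WinRM/CredSSP settings described above.
# Run elevated on both the Target Server and the EPS BE Server.
$report = New-Object System.Collections.ArrayList
function Add-Check($Name, $Ok, $Detail) {   # hypothetical helper: records one result row
    [void]$report.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Ok; Detail = "$Detail" })
}

# 1. CredSSP must be enabled for both client and service (winrm get winrm/config).
foreach ($side in 'Client', 'Service') {
    try {
        $v = (Get-Item "WSMan:\localhost\$side\Auth\CredSSP" -ErrorAction Stop).Value
        Add-Check "CredSSP $side" ($v -eq 'true') "value=$v"
    } catch { Add-Check "CredSSP $side" $false $_.Exception.Message }
}

# 2. An enabled HTTP listener on 5985 exists (winrm enumerate winrm/config/listener).
try {
    $l = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction Stop |
           Where-Object { $_.Transport -eq 'HTTP' -and $_.Port -eq '5985' -and $_.Enabled -eq 'true' })
    Add-Check 'HTTP listener 5985' ($l.Count -gt 0) "$($l.Count) enabled listener(s)"
} catch { Add-Check 'HTTP listener 5985' $false $_.Exception.Message }

# 3. The port is actually listening (netstat -oan).
$listening = @(netstat -oan | Select-String ':5985\s+\S+\s+LISTENING')
Add-Check 'TCP 5985 listening' ($listening.Count -gt 0) ($listening -join '; ')

# 4. Two WSMAN/ SPNs are registered for this computer (setspn -L).
$spns = @(setspn -L $env:COMPUTERNAME | Where-Object { $_ -match '^\s*WSMAN/' } |
          ForEach-Object { $_.Trim() })
Add-Check 'WSMAN SPNs' ($spns.Count -ge 2) ($spns -join ', ')

# 5. "Allow Delegating Fresh Credentials" records, read from the policy registry key
#    (assumed standard location for this Group Policy setting).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
$fresh = @()
if (Test-Path $key) {
    $fresh = @((Get-ItemProperty $key).PSObject.Properties |
               Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}
Add-Check 'Fresh credential delegation records' ($fresh.Count -ge 2) ($fresh -join ', ')

$report | Format-Table -AutoSize -Wrap
```

Any row with Pass = False points at the section of this article to revisit; the script changes nothing on the machine.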