Differences
This shows you the differences between two versions of the page.
tutorial:adm:configuration_-_winrm [2019/07/10 15:21] kucerar credssp
tutorial:adm:configuration_-_winrm [2021/11/29 11:54] kucerar old revision restored (2021/10/25 12:36)
Line 6: | Line 6: | ||
WinRM is a command-line tool. | WinRM is a command-line tool. | ||
- | ==== Check if Winrm is running ==== | + | ===== Check if Winrm is running |
< | < | ||
Line 16: | Line 16: | ||
Now execute the first command again and it should without error now. | Now execute the first command again and it should without error now. | ||
- | ==== Show current configuration ==== | + | ===== Show current configuration |
Display WinRM listener. It will show useful information about port, address, ... where WinRM is listening for incoming connections. | Display WinRM listener. It will show useful information about port, address, ... where WinRM is listening for incoming connections. | ||
After quick config you will probably see only one listener for HTTP. | After quick config you will probably see only one listener for HTTP. | ||
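Review bot: the unchanged line "Now execute the first command again and it should without error now." is missing its verb; since this hunk already touches the section, change it to "Now execute the first command again; it should now run without error." The heading promotion from ==== to ===== is fine as long as the page's top heading stays at ======; otherwise these sections become the top level of the page.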
Line 30: | Line 30: | ||
{{: | {{: | ||
- | ==== Authentications methods ==== | + | ===== Authentications methods |
^ ^ Type of user | **Credential delegation** | ^ ^ Type of user | **Credential delegation** | ||
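Review bot: the new heading keeps the typo of the old one; "Authentications methods" should read "Authentication methods".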
Line 53: | Line 53: | ||
< | < | ||
winrm set winrm/ | winrm set winrm/ | ||
+ | Enable-WSManCredSSP -Role Server | ||
</ | </ | ||
- | ==== Permission configuration ==== | + | ===== Permission configuration |
- | If you want to use user which is not admin then we need a more configuration. If you want to use admin user you should ready to go even without it. | + | If you want to use user which is not admin then we need to do a more configuration. If you want to use admin user you should |
Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth | Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth | ||
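Review bot: the added `Enable-WSManCredSSP -Role Server` line needs a sentence of explanation next to it: it makes the WinRM service accept CredSSP, which means the client hands its credentials to the server for delegation (the CredSSP subsections later in this same page depend on it), so the text should say it is only needed for the second-hop case and should be paired with the HTTPS listener from the "HTTPS support" section rather than the plain HTTP listener. On the new side of "If you want to use user which is not admin...", "we need to do a more configuration" should read "we need to do some more configuration", and the sentence after it ends at "you should" as shown here, so check that it is complete on the page.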
Line 67: | Line 68: | ||
* Computer Management -> Services and Application -> right click WMI Control -> Properties | * Computer Management -> Services and Application -> right click WMI Control -> Properties | ||
* In new dialog window -> tab Security -> Root -> CIMV2 and click button Security | * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security | ||
- | * Next dialog window will appear - you need to add group here | + | * Next dialog window will appear - you need to add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) |
* You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable | * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable | ||
* Click on Advanced - select and edit group -> Set " | * Click on Advanced - select and edit group -> Set " | ||
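Review bot: the two group names added here are not interchangeable: Remote Management Users is the built-in local group present on Windows 8 / Server 2012 and later, while WinRMRemoteWMIUsers__ is the older group that WinRM created on earlier systems, so the bullet should say which one applies to the target rather than offering both. The "Advanced" bullet is visible only up to `Set "`, so the scope chosen there (this namespace only or subnamespaces as well) cannot be reviewed; it matters because Remote Enable and Execute Methods on ROOT\CIMV2 are exactly what lets the non-admin account's queries run.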
Line 77: | Line 78: | ||
* < | * < | ||
{{: | {{: | ||
- | * Add group and give it Full Control | + | * Add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) |
* Confirm changes | * Confirm changes | ||
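Review bot: "give it Full Control" grants more than a non-admin operator needs in order to run commands, which is at odds with the section's purpose of avoiding an admin account; either state why Full Control is required here or name the minimal permission set instead. The added group name does match the one used in the WMI step above, which keeps the two steps consistent.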
Line 83: | Line 84: | ||
< | < | ||
- | ==== Debug ==== | + | ===== Debugging ===== |
When you need to check if WinRM is ready for connection but you don't have access to the Windows server to check the configuration yourself use this tips. | When you need to check if WinRM is ready for connection but you don't have access to the Windows server to check the configuration yourself use this tips. | ||
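Review bot: grammar in the unchanged line: "use this tips" should be "use these tips", and "ready for connection" reads better as "ready for connections".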
Line 96: | Line 97: | ||
Next we want to try to connect to WinRM. Install [[devel: | Next we want to try to connect to WinRM. Install [[devel: | ||
Open terminal (Linux) or powershell (Windows) | Open terminal (Linux) or powershell (Windows) | ||
- | < | + | < |
> python | > python | ||
>>> | >>> | ||
Line 104: | Line 105: | ||
</ | </ | ||
For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store | For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store | ||
- | < | + | < |
- | >>> | + | >>> |
</ | </ | ||
- | After executing " | ||
- | {{: | ||
- | Now what we did here? We connect | + | Then, execute the winrm call. Followin call simply instructs the remote powershell |
< | < | ||
- | === Commons errors | + | The fact that there were some stacktraces printed does not necessarily mean the call failed. |
- | the specified | + | |
+ | Now simply print the result by calling '' | ||
+ | {{: | ||
+ | |||
+ | |||
+ | |||
+ | ==== Common issues ==== | ||
+ | === Specified | ||
+ | Can be caused by: | ||
* wrong username or password | * wrong username or password | ||
- | * user is not in group | + | * user is not in correct user group on the Windows system |
{{: | {{: | ||
- | Access denied 500 - this error can be caused by: | + | === Access denied 500 === |
+ | Can be caused by: | ||
* wrong username or password | * wrong username or password | ||
* WinRM SDDL is not configured | * WinRM SDDL is not configured | ||
{{: | {{: | ||
- | ==== HTTPS support ==== | + | |
+ | === CredSSP handshake error === | ||
+ | If you get this error when you trying to use CredSSP over HTTPS connection, the problem can be that there is configured certificate thumbprint directly in '' | ||
+ | < | ||
+ | Execute this command to delete '' | ||
+ | < | ||
+ | The configuration of certificate thumbprint in the Listener should remain there. | ||
+ | |||
+ | === CredSSP Delegate credentials error === | ||
+ | If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be that the server with WinRM has credential delegation turned off | ||
+ | < | ||
+ | <class ' | ||
+ | </ | ||
+ | |||
+ | To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative template\Windows Components\Windows Remote Management (WinRM)\WinRM Service. | ||
+ | |||
+ | The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. | ||
+ | The correct value is WSMAN/SPN of your server. For example | ||
+ | < | ||
+ | WSMAN/ | ||
+ | WSMAN/ | ||
+ | </ | ||
+ | |||
+ | You need to restart the computer after that. | ||
+ | |||
+ | === x509 attribute parsing error === | ||
+ | When calling WinRM over HTTPS, you can encounter following error: | ||
+ | <code python> | ||
+ | Traceback (most recent call last): | ||
+ | File "/ | ||
+ | _lib.X509_up_ref(x509) | ||
+ | AttributeError: | ||
+ | </ | ||
+ | This seems to be caused by older versions of the '' | ||
+ | |||
+ | === Requests using non-urllib3 backend === | ||
+ | <note important> | ||
+ | This affects only '' | ||
+ | < | ||
+ | / | ||
+ | NoCertificateRetrievedWarning) | ||
+ | </ | ||
+ | You can confirm the behavior by: | ||
+ | - Installing '' | ||
+ | - Editing '' | ||
+ | - When running winrm script with NTLM, the warning should no longer pop up. | ||
+ | |||
+ | === HTTPS certificate not trusted === | ||
+ | Python, by default, uses its own certificate truststore located somewhere under ''/ | ||
+ | <code python> | ||
+ | import os | ||
+ | # there, you can explicitly set path to your CA chain | ||
+ | # DO NOT put there server' | ||
+ | os.environ[" | ||
+ | |||
+ | from winrm.protocol import Protocol | ||
+ | |||
+ | p = Protocol( | ||
+ | endpoint=' | ||
+ | transport=' | ||
+ | username=' | ||
+ | password=' | ||
+ | # | ||
+ | shell_id = p.open_shell() | ||
+ | command_id = p.run_command(shell_id, | ||
+ | std_out, std_err, status_code = p.get_command_output(shell_id, | ||
+ | p.cleanup_command(shell_id, | ||
+ | p.close_shell(shell_id) | ||
+ | |||
+ | # this will output all that returned from the WinRM call | ||
+ | print " | ||
+ | print " | ||
+ | print " | ||
+ | </ | ||
+ | |||
+ | === SDDL configuration - access denied === | ||
+ | When you try to configure SDDL via command "winrm configSDDL default", | ||
+ | |||
+ | < | ||
+ | access denied | ||
+ | Error number: | ||
+ | </ | ||
+ | This can be caused, because your user has no permission to change it. | ||
+ | |||
+ | For example if only local group " | ||
+ | The only solution is to edit registry. | ||
+ | |||
+ | Navigate to Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service | ||
+ | |||
+ | Set value for rootSDDL to O: | ||
+ | |||
+ | After that when you open SDDL config " | ||
+ | |||
+ | |||
+ | ===== HTTPS support | ||
The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. | The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. | ||
We need to create HTTPS listener and for this we will need some certificate. In this tutorial we will cover setting up WinRM with self signed certificate. | We need to create HTTPS listener and for this we will need some certificate. In this tutorial we will cover setting up WinRM with self signed certificate. |
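Review bot: in the "SDDL configuration - access denied" subsection the registry workaround is the risky part and is shown incomplete: the value to set for rootSDDL under HKLM\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service is cut off at "O:", so a reader cannot reproduce it, and an SDDL typed straight into the registry bypasses the permission check that produced the "access denied" error in the first place. Show the full SDDL, spell out which group it grants access to (it should be only the remote-management group from the permission section, not a broader principal), and add a verification step: restart the WinRM service and run `winrm get winrm/config/service` to confirm RootSDDL carries the intended value. Two smaller points in the same hunk: the "HTTPS certificate not trusted" example uses Python 2 print statements (`print "...`), which fail on Python 3, while `print(...)` works on both; and "If you get this error when you are trying to use CredSSP over HTTPS connection. the problem" and "To turn the credentials delegation on. Open Group policy" each have a period where a comma belongs.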