tutorial:adm:configuration_-_winrm [2019/10/08 13:38] fiserp [Commons issues]
tutorial:adm:configuration_-_winrm [2021/11/29 13:35] kucerar improved https setting
Line 50: | Line 50: | ||
* Kerberos | * Kerberos | ||
< | < | ||
- | * CredSSP | + | * CredSSP |
< | < | ||
winrm set winrm/ | winrm set winrm/ | ||
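Review bot: the new CredSSP bullet in the authentication list should carry a short cross-reference to the delegation prerequisite that this same revision documents further down (the "CredSSP Delegate credentials error" section: the Allow Delegating Fresh Credentials policy must be enabled with the target server's WSMAN/ SPN, followed by a restart), otherwise a reader who enables CredSSP here will hit that error first and only then find the fix. It is also worth saying in the list item that the documented CredSSP scenario is over an HTTPS connection, as the troubleshooting text assumes.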
Line 57: | Line 57: | ||
===== Permission configuration ===== | ===== Permission configuration ===== | ||
- | If you want to use user which is not admin then we need a more configuration. If you want to use admin user you should ready to go even without it. | + | If you want to use user which is not admin then we need to do a more configuration. If you want to use admin user you should |
Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth | Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth | ||
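Review bot: the reworded first sentence still reads "we need to do a more configuration"; the stray article is the problem, so either "we need to do some more configuration" or simply "we need more configuration". The right-hand side is cut off after "you should" in this rendering, so the second sentence cannot be checked, but on the left it read "you should ready to go", which wants "you should be ready to go". The second line, "It's tested against NTLM, Kerberos and CredSSP auth", is unchanged and fine.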
Line 68: | Line 68: | ||
* Computer Management -> Services and Application -> right click WMI Control -> Properties | * Computer Management -> Services and Application -> right click WMI Control -> Properties | ||
* In new dialog window -> tab Security -> Root -> CIMV2 and click button Security | * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security | ||
- | * Next dialog window will appear - you need to add group here | + | * Next dialog window will appear - you need to add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) |
* You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable | * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable | ||
* Click on Advanced - select and edit group -> Set " | * Click on Advanced - select and edit group -> Set " | ||
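Review bot: naming the group explicitly is the right fix, but the escaped form WinRMRemoteWMIUsers\_\_ should be checked in the rendered page: the two trailing underscores are part of the actual group name and the backslash escapes must not leak into the visible text. Since the same pair "(WinRMRemoteWMIUsers\_\_ or Remote Management Users)" is repeated in the next hunk, add one sentence saying which of the two to pick and that the same group must be used in both steps, so that the rights granted on Root\CIMV2 and in the later step land on the same principal. The permission set in the following bullet (Execute Methods, Enable Account, Remote Enable) is deliberately narrow and should stay as it is rather than being widened for convenience.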
Line 78: | Line 78: | ||
* < | * < | ||
{{: | {{: | ||
- | * Add group and give it Full Control | + | * Add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) |
* Confirm changes | * Confirm changes | ||
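Review bot: the left side of this bullet grants the group Full Control; the right side is truncated in this rendering after the group names, so it is not visible whether that grant survives the edit. If it does, state the minimum rights actually needed for remote management instead of Full Control, in the same way the WMI step above lists exactly Execute Methods, Enable Account and Remote Enable; a remote-management group holding Full Control on this object is broader than the non-admin scenario this section is written for.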
Line 139: | Line 139: | ||
< | < | ||
The configuration of certificate thumbprint in the Listener should remain there. | The configuration of certificate thumbprint in the Listener should remain there. | ||
+ | |||
+ | === CredSSP Delegate credentials error === | ||
+ | If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be that the server with WinRM has credential delegation turned off | ||
+ | < | ||
+ | <class ' | ||
+ | </ | ||
+ | |||
+ | To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative template\Windows Components\Windows Remote Management (WinRM)\WinRM Service. | ||
+ | |||
+ | The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. | ||
+ | The correct value is WSMAN/SPN of your server. For example | ||
+ | < | ||
+ | WSMAN/ | ||
+ | WSMAN/ | ||
+ | </ | ||
+ | |||
+ | You need to restart the computer after that. | ||
=== x509 attribute parsing error === | === x509 attribute parsing error === | ||
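Review bot: the policy value for Allow Delegating Fresh Credentials should be documented as the specific WSMAN/ SPN of each target server, as the text already says; add an explicit sentence that a wildcard entry is not the intended fix, because this policy decides to which hosts the client is willing to delegate the user's credentials. Two more points in this hunk: please double-check the Group Policy path, since the Allow Delegating Fresh Credentials setting is normally found under Computer Configuration\Administrative Templates\System\Credentials Delegation rather than under the WinRM Service folder; and the quoted error begins with "<class '" (a Python exception repr) but is cut off, so the full class name and message are needed for readers to match it. Minor style: "If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be" and "To turn the credentials delegation on. Open Group policy setting" are each one sentence split by a full stop; join them with a comma.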
Line 161: | Line 178: | ||
- Editing '' | - Editing '' | ||
- When running winrm script with NTLM, the warning should no longer pop up. | - When running winrm script with NTLM, the warning should no longer pop up. | ||
+ | |||
+ | === HTTPS certificate not trusted === | ||
+ | Python, by default, uses its own certificate truststore located somewhere under ''/ | ||
+ | <code python> | ||
+ | import os | ||
+ | # there, you can explicitly set path to your CA chain | ||
+ | # DO NOT put there server' | ||
+ | os.environ[" | ||
+ | |||
+ | from winrm.protocol import Protocol | ||
+ | |||
+ | p = Protocol( | ||
+ | endpoint=' | ||
+ | transport=' | ||
+ | username=' | ||
+ | password=' | ||
+ | # | ||
+ | shell_id = p.open_shell() | ||
+ | command_id = p.run_command(shell_id, | ||
+ | std_out, std_err, status_code = p.get_command_output(shell_id, | ||
+ | p.cleanup_command(shell_id, | ||
+ | p.close_shell(shell_id) | ||
+ | |||
+ | # this will output all that returned from the WinRM call | ||
+ | print " | ||
+ | print " | ||
+ | print " | ||
+ | </ | ||
+ | |||
+ | === SDDL configuration - access denied === | ||
+ | When you try to configure SDDL via command "winrm configSDDL default", | ||
+ | |||
+ | < | ||
+ | access denied | ||
+ | Error number: | ||
+ | </ | ||
+ | This can be caused, because your user has no permission to change it. | ||
+ | |||
+ | For example if only local group " | ||
+ | The only solution is to edit registry. | ||
+ | |||
+ | Navigate to Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service | ||
+ | |||
+ | Set value for rootSDDL to O: | ||
+ | |||
+ | After that when you open SDDL config " | ||
+ | |||
+ | |||
===== HTTPS support ===== | ===== HTTPS support ===== | ||
The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. | The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. |
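Review bot: the "SDDL configuration - access denied" section tells readers to set rootSDDL under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service, but the value is shown only as "O:" in this rendering; the full SDDL string must be visible, and the section should say to record the existing rootSDDL value before overwriting it, since that descriptor decides who may connect to WinRM at all. "The only solution is to edit registry" is a strong claim for a page that has just shown "winrm configSDDL default" failing for a permissions reason; at least say that the command succeeds again once an administrator-level account is used, or drop "only". In the "HTTPS certificate not trusted" code block, the three print statements use Python 2 syntax (print " ...") and will not run under Python 3; the comment "DO NOT put there server'" is cut off and should read in full, because the point that the environment variable must name the CA chain, not the server's own certificate, is the useful one, and it is worth adding that this is the preferred fix over turning certificate validation off (pywinrm's server_cert_validation parameter). Minor: "This can be caused, because your user" has a spurious comma, "Error number:" is cut off, and "Hkey_Local_Machine" should be written HKEY_LOCAL_MACHINE.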