Differences
This shows you the differences between two versions of the page.
tutorial:adm:configuration_-_winrm [2021/05/24 08:09] kucerar spell fixes |
tutorial:adm:configuration_-_winrm [2021/11/29 13:48] kucerar typo |
||
---|---|---|---|
Line 50: | Line 50: | ||
* Kerberos | * Kerberos | ||
< | < | ||
- | * CredSSP | + | * CredSSP |
< | < | ||
winrm set winrm/ | winrm set winrm/ | ||
Line 68: | Line 68: | ||
* Computer Management -> Services and Application -> right click WMI Control -> Properties | * Computer Management -> Services and Application -> right click WMI Control -> Properties | ||
* In new dialog window -> tab Security -> Root -> CIMV2 and click button Security | * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security | ||
- | * Next dialog window will appear - you need to add group here (WinRMRemoteWMIUsers__ | + | * Next dialog window will appear - you need to add group (WinRMRemoteWMIUsers\_\_ |
* You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable | * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable | ||
* Click on Advanced - select and edit group -> Set " | * Click on Advanced - select and edit group -> Set " | ||
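Review bot: on the added WMI Control step the group name is written as WinRMRemoteWMIUsers\_\_, while the removed line had plain underscores. If the backslashes are in the wiki source rather than an artefact of this diff view, they will be shown literally, and a reader copying the name into the security dialog will not find the group. Wrapping the name in nowiki markup keeps the double underscore from being read as underline syntax without altering the text. The same applies to the identical change in the Line 78 hunk.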
Line 78: | Line 78: | ||
* < | * < | ||
{{: | {{: | ||
- | * Add group and give it Full Control | + | * Add group (WinRMRemoteWMIUsers\_\_ |
* Confirm changes | * Confirm changes | ||
Line 139: | Line 139: | ||
< | < | ||
The configuration of certificate thumbprint in the Listener should remain there. | The configuration of certificate thumbprint in the Listener should remain there. | ||
+ | |||
+ | === CredSSP Delegate credentials error === | ||
+ | If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be that the server with WinRM has credential delegation turned off | ||
+ | < | ||
+ | <class ' | ||
+ | </ | ||
+ | |||
+ | To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative template\Windows Components\Windows Remote Management (WinRM)\WinRM Service. | ||
+ | |||
+ | The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. | ||
+ | The correct value is WSMAN/SPN of your server. For example | ||
+ | < | ||
+ | WSMAN/ | ||
+ | WSMAN/ | ||
+ | </ | ||
+ | |||
+ | You need to restart the computer after that. | ||
=== x509 attribute parsing error === | === x509 attribute parsing error === | ||
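Review bot: the new CredSSP section gives the Group Policy path as "...\Windows Remote Management (WinRM)\WinRM Service" and then names the setting "Allow Delegating Fresh Credentials (AllowFreshCredentials)", but never says on which machine the policy is edited. The first paragraph blames the server, so state explicitly whether the change is made on the server or on the connecting client, and double-check that the named setting really sits under that node. Since the values in this list decide which hosts receive delegated credentials, add a sentence telling readers to enter only the WSMAN/ SPN of the servers they actually need. Two sentences are split by stray full stops ("HTTPS connection. the problem" and "To turn the credentials delegation on. Open") and should be joined.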
Line 189: | Line 206: | ||
print " | print " | ||
</ | </ | ||
+ | |||
+ | === SDDL configuration - access denied === | ||
+ | When you try to configure SDDL via command "winrm configSDDL default", | ||
+ | |||
+ | < | ||
+ | access denied | ||
+ | Error number: | ||
+ | </ | ||
+ | This can be caused, because your user has no permission to change it. | ||
+ | |||
+ | For example if only local group " | ||
+ | The only solution is to edit registry. | ||
+ | |||
+ | Navigate to Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service | ||
+ | |||
+ | Set value for rootSDDL to O: | ||
+ | |||
+ | After that when you open SDDL config " | ||
+ | |||
+ | |||
===== HTTPS support ===== | ===== HTTPS support ===== | ||
The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. | The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. |
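Review bot: the added SDDL section says "The only solution is to edit registry" and has readers set rootSDDL directly, but it neither tells them to record the existing value first nor explains what the new descriptor grants. This string is the root security descriptor for the WinRM service, so add a step to export or write down the current rootSDDL before changing it, plus a short explanation of the entries in the new value, so nobody pastes an access control list blind. It would also help to say which account the registry edit has to be made with, given that the section starts from a user who lacks permission. Minor: "This can be caused, because your user has no permission" reads better as "This happens when your user has no permission to change it", and the hive name is normally written HKEY_LOCAL_MACHINE.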