Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:configuration_-_winrm [2021/05/24 08:09]
kucerar spell fixes
+++ tutorial:adm:configuration_-_winrm [2021/11/29 13:48]
kucerar typo
@@ Line 50: / Line 50: @@
   * Kerberos
 <code>winrm set winrm/config/service/auth '@{Kerberos="true"}'</code>
-  * CredSSP
+  * CredSSP - HTTPS must be enabled - see steps below: [[tutorial:adm:configuration_-_winrm?#https_support|HTTPS setting]]
 <code>winrm set winrm/config/service/auth '@{CredSSP="true"}'
 winrm set winrm/config/client/auth '@{CredSSP="true"}'
@@ Line 68: / Line 68: @@
   * Computer Management -> Services and Application -> right click WMI Control -> Properties
   * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security
-  * Next dialog window will appear - you need to add group here (WinRMRemoteWMIUsers__ or Remote Management Users)
+  * Next dialog window will appear - you need to add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) here
   * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable
   * Click on Advanced - select and edit group -> Set "Applies to" This namespace and subnamespaces
@@ Line 78: / Line 78: @@
   * <code>winrm configSDDL default</code>
 {{:tutorial:adm:winrm_sddl.png?nolink&400|}}
-  * Add group and give it Full Control (Use WinRMRemoteWMIUsers__ or Remote Management Users, depends on your environment)
+  * Add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) and give it Full Control
   * Confirm changes
@@ Line 139: / Line 139: @@
 <code>winrm set winrm/config/service '@{CertificateThumbprint=""}'</code>
 The configuration of certificate thumbprint in the Listener should remain there.
+=== CredSSP Delegate credentials error ===
+If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be that the server with WinRM has credential delegation turned off
+<code>
+<class 'requests_credssp.exceptions.AuthenticationException'>("Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual ''",)
+</code>
+To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative template\Windows Components\Windows Remote Management (WinRM)\WinRM Service.
+The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy.
+The correct value is WSMAN/SPN of your server. For example
+<code>
+WSMAN/myComputer.myDomain.com
+WSMAN/*.myDomain.com
+</code>
+You need to restart the computer after that.
 === x509 attribute parsing error ===
@@ Line 189: / Line 206: @@
 print "retcode",status_code
 </code>
+=== SDDL configuration - access denied ===
+When you try to configure SDDL via command "winrm configSDDL default", after adding some group and clicking on "OK", you will see this error in command line:
+<code>
+access denied
+Error number:  -2147024891 0x80070005
+</code>
+This can be caused, because your user has no permission to change it.
+For example if only local group "Administrators" had "full control" but for some reason someone remove it, you are not able to add the same group back or any other group back.
+The only solution is to edit registry.
+Navigate to Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service
+Set value for rootSDDL to O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
+After that when you open SDDL config "Administrators" group will be back again with full control permissions.
 ===== HTTPS support =====
 The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client.