Differences

This shows you the differences between two versions of the page.

tutorial:adm:configuration_-_winrm [2021/05/24 08:14]
kucerar fixed format
tutorial:adm:configuration_-_winrm [2021/11/29 13:35]
kucerar improved https setting
Line 50: Line 50:
   * Kerberos   * Kerberos
 <code>winrm set winrm/config/service/auth '@{Kerberos="true"}'</code> <code>winrm set winrm/config/service/auth '@{Kerberos="true"}'</code>
-  * CredSSP+  * CredSSP - HTTPS muse be enabled - see steps below: [[tutorial:adm:configuration_-_winrm?#https_support|HTTPS setting]]
 <code>winrm set winrm/config/service/auth '@{CredSSP="true"}' <code>winrm set winrm/config/service/auth '@{CredSSP="true"}'
 winrm set winrm/config/client/auth '@{CredSSP="true"}' winrm set winrm/config/client/auth '@{CredSSP="true"}'
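Review bot: the added CredSSP bullet at Line 50 has a typo, "HTTPS muse be enabled" should read "HTTPS must be enabled", and the requirement needs a one-line reason placed next to the two `winrm set ... '@{CredSSP="true"}'` commands that follow it: CredSSP delegates the caller's credentials to the remote host, so the listener should be HTTPS (server-authenticated and encrypted) before the service-side and client-side switches are turned on. The anchor link to the HTTPS section is the right pointer; consider moving it ahead of the commands so that a reader copying them does not skip the precondition.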
Line 139: Line 139:
 <code>winrm set winrm/config/service '@{CertificateThumbprint=""}'</code> <code>winrm set winrm/config/service '@{CertificateThumbprint=""}'</code>
 The configuration of certificate thumbprint in the Listener should remain there. The configuration of certificate thumbprint in the Listener should remain there.
 +
 +=== CredSSP Delegate credentials error ===
 +If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be that the server with WinRM has credential delegation turned off
 +<code>
 +<class 'requests_credssp.exceptions.AuthenticationException'>("Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual ''",)
 +</code>
 +
 +To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative template\Windows Components\Windows Remote Management (WinRM)\WinRM Service.
 +
 +The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy.
 +The correct value is WSMAN/SPN of your server. For example
 +<code>
 +WSMAN/myComputer.myDomain.com
 +WSMAN/*.myDomain.com
 +</code>
 +
 +You need to restart the computer after that.
  
 === x509 attribute parsing error === === x509 attribute parsing error ===
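Review bot: the Group Policy path in the new "CredSSP Delegate credentials error" section does not match the policy it names. Allow Delegating Fresh Credentials (AllowFreshCredentials) is found under Computer Configuration\Administrative Templates\System\Credentials Delegation, not under Windows Components\Windows Remote Management (WinRM)\WinRM Service; the setting under the WinRM Service node is Allow CredSSP authentication, which is the Group Policy counterpart of the `winrm set winrm/config/service/auth '@{CredSSP="true"}'` command at Line 50. Please correct the path, or state which of the two settings the fix actually needs. The example value `WSMAN/*.myDomain.com` also deserves a caveat: the wildcard permits fresh-credential delegation to every host in the domain, so `WSMAN/myComputer.myDomain.com` should be the recommended form and the wildcard shown only as a deliberate widening of scope. Minor wording: "connection. the problem can be" should read "connection, the problem can be", and "validate if correct value (values) are added" reads better as "check that the correct value or values are listed".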
Line 189: Line 206:
 print "retcode",status_code print "retcode",status_code
 </code> </code>
 +
 +=== SDDL configuration - access denied ===
 +When you try to configure SDDL via command "winrm configSDDL default", after adding some group and clicking on "OK", you will see this error in command line:
 +
 +<code>
 +access denied
 +Error number:  -2147024891 0x80070005
 +</code>
 +This can be caused, because your user has no permission to change it.
 +
 +For example if only local group "Administrators" had "full control" but for some reason someone remove it, you are not able to add the same group back or any other group back.
 +The only solution is to edit registry.
 +
 +Navigate to Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service
 +
 +Set value for rootSDDL to O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
 +
 +After that when you open SDDL config "Administrators" group will be back again with full control permissions.
 +
 +
 ===== HTTPS support ===== ===== HTTPS support =====
 The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client.
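Review bot: the registry workaround in the new "SDDL configuration - access denied" section should spell out what the pasted descriptor grants, because it restores more than the Administrators group the text mentions: `(A;;GA;;;BA)` gives full access to Builtin\Administrators, `(A;;GR;;;IU)` read access to Interactive Users, `(A;;GA;;;RM)` full access to Remote Management Users, and the `S:` part adds audit ACEs for Everyone (`WD`). A reader who only wants Administrators back should be told to drop the RM ACE if that group is not meant to have WinRM access. Two documentation gaps: writing under HKEY_LOCAL_MACHINE requires local administrator rights, so say to run the editor elevated, and say whether the WinRM service must be restarted for the new RootSDDL to take effect before `winrm configSDDL default` is reopened. "The only solution is to edit registry" is a strong claim; "One way to recover is to reset RootSDDL in the registry" is safer unless other approaches were actually tried. Minor wording: "This can be caused, because your user has no permission" should read "This happens because your user has no permission", and "someone remove it" should be "someone removed it".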
  • by erbenr