Differences
This shows you the differences between two versions of the page.
tutorial:adm:configuration_-_winrm [2021/05/24 08:14] kucerar fixed format |
tutorial:adm:configuration_-_winrm [2021/11/29 13:35] kucerar improved https setting |
||
---|---|---|---|
Line 50: | Line 50: | ||
* Kerberos | * Kerberos | ||
< | < | ||
- | * CredSSP | + | * CredSSP |
< | < | ||
winrm set winrm/ | winrm set winrm/ | ||
Line 139: | Line 139: | ||
< | < | ||
The configuration of certificate thumbprint in the Listener should remain there. | The configuration of certificate thumbprint in the Listener should remain there. | ||
+ | |||
+ | === CredSSP Delegate credentials error === | ||
+ | If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be that the server with WinRM has credential delegation turned off | ||
+ | < | ||
+ | <class ' | ||
+ | </ | ||
+ | |||
+ | To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative template\Windows Components\Windows Remote Management (WinRM)\WinRM Service. | ||
+ | |||
+ | The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. | ||
+ | The correct value is WSMAN/SPN of your server. For example | ||
+ | < | ||
+ | WSMAN/ | ||
+ | WSMAN/ | ||
+ | </ | ||
+ | |||
+ | You need to restart the computer after that. | ||
=== x509 attribute parsing error === | === x509 attribute parsing error === | ||
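Review bot: The steps under "CredSSP Delegate credentials error" never say on which machine Group Policy is opened or which computer has to be restarted, although the opening sentence places the problem on the server with WinRM; name the machine in both places. Because Allow Delegating Fresh Credentials decides which targets receive the user's credentials, the "The correct value is WSMAN/SPN of your server" line should also tell the reader to list only the specific servers that need delegation rather than a broad pattern. The first sentence is split by a stray period after "HTTPS connection" and should be joined into one sentence.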
Line 189: | Line 206: | ||
print " | print " | ||
</ | </ | ||
+ | |||
+ | === SDDL configuration - access denied === | ||
+ | When you try to configure SDDL via command "winrm configSDDL default", | ||
+ | |||
+ | < | ||
+ | access denied | ||
+ | Error number: | ||
+ | </ | ||
+ | This can be caused, because your user has no permission to change it. | ||
+ | |||
+ | For example if only local group " | ||
+ | The only solution is to edit registry. | ||
+ | |||
+ | Navigate to Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service | ||
+ | |||
+ | Set value for rootSDDL to O: | ||
+ | |||
+ | After that when you open SDDL config " | ||
+ | |||
+ | |||
===== HTTPS support ===== | ===== HTTPS support ===== | ||
The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. | The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. |
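Review bot: The "Set value for rootSDDL to O:" step in the "SDDL configuration - access denied" section changes the security descriptor that controls who may use WinRM, but the text neither explains what the new descriptor grants nor tells the reader to record the existing value first. Add a sentence describing which principals the string allows, and a step to export the Service key before editing so the previous descriptor can be restored. The section should also state that the registry edit needs an account allowed to write under Hkey_Local_Machine, and "This can be caused, because" reads better as "This can happen because".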