Differences

tutorial:adm:configuration_-_winrm [2021/10/25 11:59]
kopro
tutorial:adm:configuration_-_winrm [2021/11/29 11:53]
kucerar
Line 6: Line 6:
  
 ===== Check if Winrm is running ===== ===== Check if Winrm is running =====
- 
-Commands are executed in Windows powershell running as Administrator: 
- 
-{{  .:powershell.png?861x68  }} 
 <code> <code>
  
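Review bot: the removed line "Commands are executed in Windows powershell running as Administrator:" was the only place this section told the reader which shell, and at which privilege level, the `<code>` block under "Check if Winrm is running" is meant to be typed into; dropping it together with the screenshot leaves that prerequisite unstated. Suggest keeping the sentence (the `powershell.png` screenshot can go) so the section still opens with "Commands are executed in Windows PowerShell running as Administrator:".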
Line 90: Line 86:
 </code> </code>
  
-  * CredSSP+  * CredSSP - https must be enabled see https://wiki.czechidm.com/tutorial/adm/configuration_-_winrm#https_support
  
 <code> <code>
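Review bot: the text added to the CredSSP bullet reads as a run-on, "CredSSP - https must be enabled see https://wiki.czechidm.com/...", which leaves it unclear whether HTTPS is recommended or required; suggest "CredSSP - requires HTTPS, see https://wiki.czechidm.com/tutorial/adm/configuration_-_winrm#https_support". The `#https_support` anchor is derived by DokuWiki from the heading text, so it only resolves as long as the "===== HTTPS support =====" heading further down keeps that exact wording.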
Line 107: Line 103:
 >>> s = winrm.Session('[[http://HOST:5985/wsman|http://HOST:5985/wsman]]', auth=('USER', 'PASS'), transport='ntlm' >>> s = winrm.Session('[[http://HOST:5985/wsman|http://HOST:5985/wsman]]', auth=('USER', 'PASS'), transport='ntlm'
 >>> r = s.run_ps('Write-Host connection test OK' >>> r = s.run_ps('Write-Host connection test OK'
->>> r''For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store '' >>> s = winrm.Session('[[https://HOST:5986/wsman|https://HOST:5986/wsman]]', auth=(HOST, PASS), transport='ntlm', ca_trust_path='/etc/ssl/certs/CRT.pem')''  Then, execute the winrm call. Followin call simply instructs the remote powershell to echo "connection test OK". If there some errors or warnings during the call, the python REPL will display them. ''r = s.run_ps('Write-Host connection test OK') ''  The fact that there were some stacktraces printed does not necessarily mean the call failed. Now simply print the result by calling ''r''. After executing ''r''you should see something like this (note the "connection test OK" string is there): {{.:winrm_response.png?nolink&400}}====  Common issues ==== === Specified credentials were rejected by the server === Can be caused by: * wrong username or password * user is not in correct user group on the Windows system :tutorial:adm:winrm_rejected.png?nolink&600 === Access denied 500 === Can be caused by: * wrong username or password * WinRM SDDL is not configured ===  :tutorial:adm:winrm_500.png?nolink& CredSSP handshake error === If you get this error when you trying to use CredSSP over HTTPS connection, the problem can be that there is configured certificate thumbprint directly in ''winrm/config/service''. ''class 'requests_credssp.exceptions.AuthenticationException'>(''__''GESHI_QUOT__Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual ''__GESHI_QUOT__,) ''  Execute this command to delete __''__CertificateThumbprint'' value from the ''config/service''. ''winrm set winrm/config/service '@{CertificateThumbprint=__GESHI_QUOTGESHI_QUOT__}' '' The configuration of certificate thumbprint in the Listener should remain there. 
=== CredSSP Delegate credentials error === If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be that the server with WinRM has credential delegation turned off ''  <class 'requests_credssp.exceptions.AuthenticationException'>(__GESHI_QUOT__Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual __''GESHI_QUOT__,) __''__ To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative template\Windows Components\Windows Remote Management (WinRM)\WinRM Service. The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. The correct value is WSMAN/SPN of your server. For example '' WSMAN/myComputer.myDomain.com WSMAN/*.myDomain.com ''  You need to restart the computer after that. === x509 attribute parsing error === When calling WinRM over HTTPS, you can encounter following error: '' Traceback (most recent call last): File ''__''GESHI_QUOT__/usr/lib/python2.7/site-packages/OpenSSL/SSL.py__GESHI_QUOT__, line 309, in wrapper _lib.X509_up_ref(x509) AttributeError: 'module' object has no attribute 'X509_up_ref' __''__ This seems to be caused by older versions of the ''cryptography''  python library. Upgrading the library should solve the problem. Since this library is also used by some OS components, we recommend to upgrade it locally only for the user who runs python winrm scripts. === Requests using non-urllib3 backend === <note important>Please note this is **not**  a fix to your situation. For more info, look at this Github issue.</note> This affects only ''requests-ntlm''  library and therefore only NTLM authentication. It does not seem to affect the overall function but the warning is at least an annoyance. 
When you see the warning: '' /usr/lib/python2.7/site-packages/requests_ntlm/requests_ntlm.py:200: NoCertificateRetrievedWarning: Requests is running with a non urllib3 backend, cannot retrieve server certificate for CBT NoCertificateRetrievedWarning) ''  You can confirm the behavior by: - Installing ''requests-ntlm''  locally for the user. - Editing ''~/.local/lib/python2.7/site-packages/requests\_ntlm/requests\_ntlm.py''  and changing the import ''from requests.packages.urllib3.response import HTTPResponse''  to ''from requests.packages.urllib3 import HTTPResponse''. - When running winrm script with NTLM, the warning should no longer pop up. === HTTPS certificate not trusted === Python, by default, uses its own certificate truststore located somewhere under ''/usr/lib/python2.7/…''. If it cannot find it, it uses system-wide truststore provided by ''ca-certificates''. However, you usually do not want to trust so many authorities. Also, your server usually have your certificates and that means you have to add your CA to the truststore. 
For debugging this (and WinRM at all) you can also use following script: '' import os # there, you can explicitly set path to your CA chain # DO NOT put there server's certificate itself os.environ[''__''GESHI_QUOT__REQUESTS_CA_BUNDLE__GESHI_QUOT__] = __GESHI_QUOT__/path/to/crt/chain.pem__GESHI_QUOT__ from winrm.protocol import Protocol p = Protocol( endpoint='https://SERVER YOU WANT TO CONNECT TO:5986/wsman', transport='CHOOSE AUTHENTICATION METHOD: basic,credssp,ntlm,kerberos', username='USERNAME OR USERNAME@DOMAIN', password='USER PASSWORD') #server_cert_validation='ignore') # put this into the Protocol object constructor to disable certificate validation shell_id = p.open_shell() command_id = p.run_command(shell_id, 'ping', ['1.1.1.1']) std_out, std_err, status_code = p.get_command_output(shell_id, command_id) p.cleanup_command(shell_id, command_id) p.close_shell(shell_id) # this will output all that returned from the WinRM call print __GESHI_QUOT__stdout__GESHI_QUOT__,std_out print __GESHI_QUOT__stderr__GESHI_QUOT__,std_err print __GESHI_QUOT__retcode__GESHI_QUOT__,status_code __''__ === SDDL configuration - access denied === When you try to configure SDDL via command "winrm configSDDL default", after adding some group and clicking on "OK", you will see this error in command line: '' access denied Error number: -2147024891 0x80070005 ''  This can be caused, because your user has no permission to change it. For example if only local group "Administrators" had "full control" but for some reason someone remove it, you are not able to add the same group back or any other group back. The only solution is to edit registry. Navigate to Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service Set value for rootSDDL to O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD) After that when you open SDDL config "Administrators" group will be back again with full control permissions.  
===== HTTPS support ===== The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. We need to create HTTPS listener and for this we will need some certificate. In this tutorial we will cover setting up WinRM with self signed certificate. The configuration will be same if we want to use some other certificate, so if you already have certificate you can skip the part where we are generating one. The tested way to generate self signed certificate on linux via tutorial which can be found [[https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15|here]] you should follow whole process except the part with finals steps because for our purpose we don't need to import it to browsers. Now we have certificate which is imported in our windows server and now we can configure the HTTP listener ''winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=''__''GESHI_QUOT__HOSTNAME__GESHI_QUOT__; CertificateThumbprint=__GESHI_QUOT__THUMBPRINT__GESHI>_}' for deleting winrm delete winrm/config/Listener?Address=*+Transport=HTTPS ''+>>> r''  For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store '' >>> s = winrm.Session('[[https://HOST:5986/wsman|https://HOST:5986/wsman]]', auth=(HOST, PASS), transport='ntlm', ca_trust_path='/etc/ssl/certs/CRT.pem')'' \\ Then, execute the winrm call. Followin call simply instructs the remote powershell to echo "connection test OK". If there some errors or warnings during the call, the python REPL will display them. ''r = s.run_ps('Write-Host connection test OK') ''  The fact that there were some stacktraces printed does not necessarily mean the call failed. Now simply print the result by calling ''r''. 
After executing ''r''you should see something like this (note the "connection test OK" string is there): {{.:winrm_response.png?nolink&400}}====  Common issues ==== === Specified credentials were rejected by the server === Can be caused by: * wrong username or password * user is not in correct user group on the Windows system  :tutorial:adm:winrm_rejected.png?nolink&600 === Access denied 500 === Can be caused by: * wrong username or password * WinRM SDDL is not configured === 
 + 
 +{{.:winrm_500.png?nolink&}} CredSSP handshake error === If you get this error when you trying to use CredSSP over HTTPS connection, the problem can be that there is configured certificate thumbprint directly in ''winrm/config/service''. ''class 'requests_credssp.exceptions.AuthenticationException'>(''__''GESHI_QUOT__Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual ''__GESHI_QUOT__,) ''  Execute this command to delete __''__CertificateThumbprint'' value from the ''config/service''. ''winrm set winrm/config/service '@{CertificateThumbprint=__GESHI_QUOT____GESHI_QUOT__}' ''  The configuration of certificate thumbprint in the Listener should remain there. === CredSSP Delegate credentials error === If you get this error when you are trying to use CredSSP over HTTPS connection. the problem can be that the server with WinRM has credential delegation turned off '' <class 'requests_credssp.exceptions.AuthenticationException'>(__GESHI_QUOT__Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual ''''__''GESHI_QUOT__,) __''__ To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative template\Windows Components\Windows Remote Management (WinRM)\WinRM Service. The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. The correct value is WSMAN/SPN of your server. For example '' WSMAN/myComputer.myDomain.com WSMAN/*.myDomain.com ''  You need to restart the computer after that. 
=== x509 attribute parsing error === When calling WinRM over HTTPS, you can encounter following error: '' Traceback (most recent call last): File ''__''GESHI_QUOT__/usr/lib/python2.7/site-packages/OpenSSL/SSL.py__GESHI_QUOT__, line 309, in wrapper _lib.X509_up_ref(x509) AttributeError: 'module' object has no attribute 'X509_up_ref' __''__ This seems to be caused by older versions of the ''cryptography''  python library. Upgrading the library should solve the problem. Since this library is also used by some OS components, we recommend to upgrade it locally only for the user who runs python winrm scripts. === Requests using non-urllib3 backend === <note important>Please note this is **not**  a fix to your situation. For more info, look at this Github issue.</note> This affects only ''requests-ntlm''  library and therefore only NTLM authentication. It does not seem to affect the overall function but the warning is at least an annoyance. When you see the warning: '' /usr/lib/python2.7/site-packages/requests_ntlm/requests_ntlm.py:200: NoCertificateRetrievedWarning: Requests is running with a non urllib3 backend, cannot retrieve server certificate for CBT NoCertificateRetrievedWarning) ''  You can confirm the behavior by: - Installing ''requests-ntlm''  locally for the user. - Editing ''~/.local/lib/python2.7/site-packages/requests\_ntlm/requests\_ntlm.py''  and changing the import ''from requests.packages.urllib3.response import HTTPResponse''  to ''from requests.packages.urllib3 import HTTPResponse''. - When running winrm script with NTLM, the warning should no longer pop up. === HTTPS certificate not trusted === Python, by default, uses its own certificate truststore located somewhere under ''/usr/lib/python2.7/…''. If it cannot find it, it uses system-wide truststore provided by ''ca-certificates''. However, you usually do not want to trust so many authorities. Also, your server usually have your certificates and that means you have to add your CA to the truststore. 
For debugging this (and WinRM at all) you can also use following script: '' import os # there, you can explicitly set path to your CA chain # DO NOT put there server's certificate itself os.environ[''__''GESHI_QUOT__REQUESTS_CA_BUNDLE__GESHI_QUOT__] = __GESHI_QUOT__/path/to/crt/chain.pem__GESHI_QUOT__ from winrm.protocol import Protocol p = Protocol( endpoint='https://SERVER YOU WANT TO CONNECT TO:5986/wsman', transport='CHOOSE AUTHENTICATION METHOD: basic,credssp,ntlm,kerberos', username='USERNAME OR USERNAME@DOMAIN', password='USER PASSWORD') #server_cert_validation='ignore') # put this into the Protocol object constructor to disable certificate validation shell_id = p.open_shell() command_id = p.run_command(shell_id, 'ping', ['1.1.1.1']) std_out, std_err, status_code = p.get_command_output(shell_id, command_id) p.cleanup_command(shell_id, command_id) p.close_shell(shell_id) # this will output all that returned from the WinRM call print __GESHI_QUOT__stdout__GESHI_QUOT__,std_out print __GESHI_QUOT__stderr__GESHI_QUOT__,std_err print __GESHI_QUOT__retcode__GESHI_QUOT__,status_code __''__ === SDDL configuration - access denied === When you try to configure SDDL via command "winrm configSDDL default", after adding some group and clicking on "OK", you will see this error in command line: '' access denied Error number: -2147024891 0x80070005 ''  This can be caused, because your user has no permission to change it. For example if only local group "Administrators" had "full control" but for some reason someone remove it, you are not able to add the same group back or any other group back. The only solution is to edit registry. Navigate to Computer\Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\WSMAN\Service Set value for rootSDDL to O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD) After that when you open SDDL config "Administrators" group will be back again with full control permissions.  
===== HTTPS support ===== The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. We need to create HTTPS listener and for this we will need some certificate. In this tutorial we will cover setting up WinRM with self signed certificate. The configuration will be same if we want to use some other certificate, so if you already have certificate you can skip the part where we are generating one. The tested way to generate self signed certificate on linux via tutorial which can be found [[https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15|here]] you should follow whole process except the part with finals steps because for our purpose we don't need to import it to browsers. Now we have certificate which is imported in our windows server and now we can configure the HTTP listener ''winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=''__''GESHI_QUOT__HOSTNAME__GESHI_QUOT__; CertificateThumbprint=__GESHI_QUOT__THUMBPRINT__GESHI>_}' for deleting winrm delete winrm/config/Listener?Address=*+Transport=HTTPS ''
  
 Restart WinRM Restart WinRM
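Review bot: the HTTPS connection example `>>> s = winrm.Session('https://HOST:5986/wsman', auth=(HOST, PASS), transport='ntlm', ca_trust_path='/etc/ssl/certs/CRT.pem')` passes `HOST` as the username; it should be `auth=('USER', 'PASS')` to match the HTTP example just above it, and both `>>> s = winrm.Session(...` lines and `>>> r = s.run_ps('Write-Host connection test OK'` are missing their closing parenthesis, so a reader pasting them into the REPL gets a continuation prompt rather than a session. The `http://HOST:5985/wsman` URLs have been auto-linked by the wiki (`[[http://...|http://...]]`) because they sit inside `''` monospace; moving these snippets into `<code>` blocks keeps them as plain text. "Followin call" should read "Following call" (the quoted library messages such as "Server did not response with a CredSSP token" are program output and stay as they are). Two security points worth stating explicitly in the text rather than leaving implicit: the debugging script keeps `server_cert_validation='ignore'` commented out, and the comment should say that enabling it turns off validation of the listener certificate, which is the one check that stops the NTLM or CredSSP exchange from being sent to a host other than the intended server, so it is for isolating a trust-store problem only; and the `AllowFreshCredentials` example lists both `WSMAN/myComputer.myDomain.com` and `WSMAN/*.myDomain.com`, where the wildcard delegates fresh credentials to every WinRM host in the domain, so the text should recommend the specific SPN and mention the wildcard only as the broader option. For the `rootSDDL` registry fix, suggest adding an "export the WSMAN\Service key before editing" step, since the section itself describes how a wrong SDDL locks the administrator out of `winrm configSDDL`. Finally, the script uses `print "stdout", std_out` syntax and paths under `python2.7`, so note that it is Python 2 only.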
  • by erbenr