Differences

This shows you the differences between two versions of the page.

tutorial:adm:configuration_-_winrm [2024/01/30 06:45]
erbenr
tutorial:adm:configuration_-_winrm [2024/02/05 05:17]
erbenr
Line 9: Line 9:
 <code powershell> <code powershell>
 Test-WSMan Test-WSMan
 +
  
 </code> </code>
Line 24: Line 25:
 <code powershell> <code powershell>
 winrm e winrm/config/listener winrm e winrm/config/listener
 +
  
 </code> </code>
Line 61: Line 63:
 <code powershell> <code powershell>
 winrm set winrm/config/client '@{TrustedHosts="*"}' winrm set winrm/config/client '@{TrustedHosts="*"}'
 +
  
 </code> </code>
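Review bot: The TrustedHosts line in this block is still set to "*" with no caveat, which lets the client send credentials to any host that cannot be mutually authenticated. Suggest documenting a specific list of hosts in place of the wildcard and stating that "*" is meant for a lab setup only.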
Line 71: Line 74:
 winrm set winrm/config/service/auth '@{Basic="true"}' winrm set winrm/config/service/auth '@{Basic="true"}'
 winrm set winrm/config/service '@{AllowUnencrypted="true"}' winrm set winrm/config/service '@{AllowUnencrypted="true"}'
 +
  
 </code> </code>
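Review bot: The two lines setting Basic="true" and AllowUnencrypted="true" carry no warning. Together they make the service accept a base64-encoded username and password over plain HTTP, readable by anyone on the network path. Suggest adding a sentence that limits this combination to an isolated test network and points to the HTTPS listener section further down the page for everything else.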
Line 78: Line 82:
 <code powershell> <code powershell>
 winrm set winrm/config/service/auth '@{Negotiate="true"}' winrm set winrm/config/service/auth '@{Negotiate="true"}'
 +
  
 </code> </code>
Line 85: Line 90:
 <code powershell> <code powershell>
 winrm set winrm/config/service/auth '@{Kerberos="true"}' winrm set winrm/config/service/auth '@{Kerberos="true"}'
 +
  
 </code> </code>
Line 96: Line 102:
 winrm set winrm/config/client/auth '@{CredSSP="true"}' winrm set winrm/config/client/auth '@{CredSSP="true"}'
 Enable-WSManCredSSP -Role Server Enable-WSManCredSSP -Role Server
 +
  
 </code> </code>
Line 115: Line 122:
 <code powershell> <code powershell>
 winrm configSDDL default winrm configSDDL default
 +
  
 </code> </code>
Line 122: Line 130:
 <code powershell> <code powershell>
 Restart-Service winrm Restart-Service winrm
 +
  
 </code> </code>
Line 133: Line 142:
 <code shell> <code shell>
 nc -vz HOST PORT nc -vz HOST PORT
 +
  
 </code> </code>
Line 140: Line 150:
 <code powershell> <code powershell>
 Test-WSMan -ComputerName HOST or Test-netConnection HOST -Port PORT Test-WSMan -ComputerName HOST or Test-netConnection HOST -Port PORT
 +
  
 </code> </code>
Line 145: Line 156:
 Now we know if we are able to connect to the WinRM port. In case the port is not accessible it can be probably blocked in firewall. Next we want to try to connect to WinRM. Install [[:devel:documentation:systems:dev:winrm_connector#installation|pywinrm]] follow only the first part of installation, we don't need to install connector server. Open terminal (Linux) or powershell (Windows) Now we know if we are able to connect to the WinRM port. In case the port is not accessible it can be probably blocked in firewall. Next we want to try to connect to WinRM. Install [[:devel:documentation:systems:dev:winrm_connector#installation|pywinrm]] follow only the first part of installation, we don't need to install connector server. Open terminal (Linux) or powershell (Windows)
  
-<code python>> python>>> import winrm +python>> 
->>> s = winrm.Session('[[http://HOST:5985/wsman|http://HOST:5985/wsman]]', auth=('USER', 'PASS'), transport='ntlm')+ 
 +<code python>>> 
 + import winrm>>> s = winrm.Session('[[http://HOST:5985/wsman|http://HOST:5985/wsman]]', auth=('USER', 'PASS'), transport='ntlm')
 >>> r = s.run_ps('Write-Host connection test OK') >>> r = s.run_ps('Write-Host connection test OK')
 >>> r >>> r
 +
  
 </code> </code>
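Review bot: The new revision breaks this example. A stray "python>>" now sits outside the code block, the block opens as "<code python>>>", and "import winrm" is fused onto the same line as ">>> s = winrm.Session(...)", so the snippet can no longer be copied into an interpreter. Suggest opening the block with a plain "<code python>" and giving ">>> import winrm" and ">>> s = winrm.Session(...)" a line each. The URL argument is also wrapped in wiki link markup ([[...|...]]) inside the code block; it should be the bare string 'http://HOST:5985/wsman'.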
Line 154: Line 168:
 For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store
  
-<code python>>>> s = winrm.Session('[[https://HOST:5986/wsman|https://HOST:5986/wsman]]', auth=(HOST, PASS), transport='ntlm', ca_trust_path='/etc/ssl/certs/CRT.pem')+s = winrm.Session('', auth=(HOST, PASS), transport='ntlm', ca_trust_path='/etc/ssl/certs/CRT.pem') 
 + 
 +<code python>>>>> 
  
 </code> </code>
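Review bot: In the new revision the Session call has lost its URL and now sits outside the code block. winrm.Session('', ...) has no endpoint to connect to, and the "<code python>>>>>" block that follows is empty. Suggest restoring 'https://HOST:5986/wsman' as the first argument and moving the line back inside the block. While here, auth=(HOST, PASS) looks like it should be ('USER', 'PASS') as in the HTTP example above, and "lane" in the introductory sentence should read "line".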
Line 162: Line 179:
 <code python> <code python>
 r = s.run_ps('Write-Host connection test OK') r = s.run_ps('Write-Host connection test OK')
 +
  
 </code> </code>
Line 281: Line 299:
 print "stderr",std_err print "stderr",std_err
 print "retcode",status_code print "retcode",status_code
 +
  
 </code> </code>
Line 309: Line 328:
  
 The tested way to generate self signed certificate on linux via tutorial which can be found [[https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15|here]] you should follow whole process except the part with finals steps because for our purpose we don't need to import it to browsers. The tested way to generate self signed certificate on linux via tutorial which can be found [[https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15|here]] you should follow whole process except the part with finals steps because for our purpose we don't need to import it to browsers.
-Create and export self signed certificate with powershell: 
  
 Now we have certificate which is imported in our windows server and now we can configure the HTTP listener Now we have certificate which is imported in our windows server and now we can configure the HTTP listener
 +
 +Create and export self signed certificate with powershell:
 +
 <code powershell> <code powershell>
 $pathToCertificate="C:\Users\Administrator.ZOO\Desktop\certificate"  ## Specify your preferred location for export $pathToCertificate="C:\Users\Administrator.ZOO\Desktop\certificate"  ## Specify your preferred location for export
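Review bot: The moved heading "Create and export self signed certificate with powershell:" now follows the sentence "Now we have certificate which is imported in our windows server...", so the text claims the certificate exists before the step that creates it. Suggest placing that sentence after the create/export block, directly before the listener configuration. It should also say HTTPS listener rather than HTTP listener, since the commands that follow create a Transport=HTTPS listener.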
Line 319: Line 340:
     DnsName = 'bear.zoo.bcv'     DnsName = 'bear.zoo.bcv'
     CertStoreLocation = 'Cert:\LocalMachine\My' #Certificate for WinRM, must be in stored in Local Computers     CertStoreLocation = 'Cert:\LocalMachine\My' #Certificate for WinRM, must be in stored in Local Computers
-    KeyExportPolicy ='Exportable'  +    KeyExportPolicy ='Exportable' 
-    KeySpec ='Signature' +    KeySpec ='Signature'
     KeyLength ='2048'     KeyLength ='2048'
     KeyAlgorithm = 'RSA'     KeyAlgorithm = 'RSA'
Line 328: Line 349:
 #$cert = New-SelfSignedCertificate -Subject "CN=bear.zoo.bcv" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256    ## Replace {certificateName} #$cert = New-SelfSignedCertificate -Subject "CN=bear.zoo.bcv" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256    ## Replace {certificateName}
 $cert = New-SelfSignedCertificate @params $cert = New-SelfSignedCertificate @params
-Export-Certificate -Cert $cert -FilePath "$pathToCertificate\$hostname.cer" +Export-Certificate -Cert $cert -FilePath "$pathToCertificate\$hostname.cer"
 $mypwd = ConvertTo-SecureString -String "{myPassword}" -Force -AsPlainText  ## Replace {myPassword} $mypwd = ConvertTo-SecureString -String "{myPassword}" -Force -AsPlainText  ## Replace {myPassword}
 Export-PfxCertificate -Cert $cert -FilePath "$pathToCertificate\$hostname.pfx" -Password $mypwd Export-PfxCertificate -Cert $cert -FilePath "$pathToCertificate\$hostname.pfx" -Password $mypwd
 +
 </code> </code>
  
 List certificate in windows certificate storage: List certificate in windows certificate storage:
 +
 <code powershell> <code powershell>
 Get-ChildItem -Path Cert:\LocalMachine\My -Recurse #List certificate stored in Local Computer, and copy certificate thumbrint Get-ChildItem -Path Cert:\LocalMachine\My -Recurse #List certificate stored in Local Computer, and copy certificate thumbrint
 +
 </code> </code>
  
 Configure WinRM listener with HTTPS certficate: Configure WinRM listener with HTTPS certficate:
 +
 <code powershell> <code powershell>
 winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="HOSTNAME";CertificateThumbprint="THUMBPRINT"}' winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="HOSTNAME";CertificateThumbprint="THUMBPRINT"}'
 for deleting for deleting
 winrm delete winrm/config/Listener?Address=*+Transport=HTTPS winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
 +
 +</code>
 +
 +Create firewall rule for WinRM HTTPS:
 +
 +<code powershell>
 +New-NetFirewallRule -Displayname 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP
 +
 </code> </code>
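Review bot: The added New-NetFirewallRule line uses -Profile Any and no -RemoteAddress, so port 5986 is opened on every network profile, including Public, and to every source address. Suggest limiting it to the profiles that are needed (for example -Profile Domain,Private), adding -RemoteAddress for the host that connects, and stating -Direction Inbound -Action Allow explicitly instead of relying on the defaults. In the listener block just above, "for deleting" is bare text inside the code block and would be run as a command if pasted; it should be a "#" comment.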
  
  • by erbenr