Differences

This shows you the differences between two versions of the page.

tutorial:adm:configuration_-_winrm [2019/06/12 10:43]
kucerar
tutorial:adm:configuration_-_winrm [2019/06/12 12:31]
kucerar
Line 1: Line 1:
 ====== Configuration of WinRM ====== ====== Configuration of WinRM ======
 In this tutorial we will go through configuration of WinRM which is necessary for using [[devel:documentation:systems:dev:winrm_connector|WinRM connector]] In this tutorial we will go through configuration of WinRM which is necessary for using [[devel:documentation:systems:dev:winrm_connector|WinRM connector]]
 +It will cover configuration which we tested on multiple servers together with our connector. It cover just the basic stuff and if you want to study more about this topic you can use official documentation or 3rd party tutorials which will go deeper.
  
 WinRM or Windows remote management, is a remote management protocol that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. WinRM or Windows remote management, is a remote management protocol that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications.
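Review bot: in the added sentence, "It cover just the basic stuff" should read "It covers", and the pointer to "official documentation or 3rd party tutorials" gives the reader nothing to follow. Link the specific documentation you mean, in the same [[...]] style as the WinRM connector link on the line above.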
Line 38: Line 39:
  
 You can configure trusted host which will be able to connect. If you don't want to specify this use You can configure trusted host which will be able to connect. If you don't want to specify this use
-<code>winrm set winrm/config/client @{TrustedHosts="*"}</code>+<code>winrm set winrm/config/client '@{TrustedHosts="*"}'</code>
  
 We can use several methods for authentication. We can use several methods for authentication.
   * Basic - the second command will allow unencrypted data transfer, so it's not recommended to use it with HTTP. For some testing purpose it's ok.   * Basic - the second command will allow unencrypted data transfer, so it's not recommended to use it with HTTP. For some testing purpose it's ok.
-<code>winrm set winrm/config/service/auth @{Basic="true"+<code>winrm set winrm/config/service/auth '@{Basic="true"}' 
-winrm set winrm/config/service @{AllowUnencrypted="true"}+winrm set winrm/config/service '@{AllowUnencrypted="true"}'
 </code> </code>
   * NTLM   * NTLM
-<code>winrm set winrm/config/service/auth @{Negotiate="true"}</code>+<code>winrm set winrm/config/service/auth '@{Negotiate="true"}'</code>
   * Kerberos   * Kerberos
-<code>winrm set winrm/config/service/auth @{Kerberos="true"}</code>+<code>winrm set winrm/config/service/auth '@{Kerberos="true"}'</code>
   * CredSSP   * CredSSP
-<code>winrm set winrm/config/service/auth @{CredSSP="true"}</code>+<code>winrm set winrm/config/service/auth '@{CredSSP="true"}'</code>
  
 ==== Permission configuration ==== ==== Permission configuration ====
 +If you want to use user which is not admin then we need a more configuration. If you want to use admin user you should ready to go even without it.
 +
 Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth
 It's tested with local user + group and with domain user + group. It's tested with local user + group and with domain user + group.
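Review bot: the quoting change on the five winrm set lines is only correct for one shell, and the page does not say which. The single-quoted '@{...}' form is what PowerShell needs so that @{...} is passed to winrm as text instead of being parsed as a hashtable; add a sentence saying these commands are meant to be typed into PowerShell. Separately, the unchanged sentence above the TrustedHosts command says it configures the host "which will be able to connect", but the path is winrm/config/client, so it sets which remote servers this machine's WinRM client will trust, and "*" trusts all of them; reword it and recommend listing specific hosts. The new permission sentence also needs a grammar pass ("we need a more configuration", "you should ready to go").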
Line 77: Line 80:
 Restart WinRM Restart WinRM
 <code>Restart-Service winrm</code> <code>Restart-Service winrm</code>
 +
 +==== Debug ====
 +When you need to check if WinRM is ready for connection but you don't have access to the Windows server to check the configuration yourself use this tips.
 +
 +Check if port is open and ready to connection, default ports are 5985 (HTTP) and 5986 (HTTPS):  
 +Linux <code>nc -vz HOST PORT</code>
 +Windows <code>Test-WSMan -ComputerName HOST
 +or
 +Test-netConnection HOST -Port PORT
 +</code>
 +Now we know if we are able to connect to the WinRM port. In case the port is not accessible it can be probably blocked in firewall.
 +
 +Next we want to try to connect to WinRM. Install [[devel:documentation:systems:dev:winrm_connector#installation|pywinrm]] follow only the first part of installation, we don't need to install connector server.
 +Open terminal (Linux) or powershell (Windows)
 +<code>
 +> python
 +>>> import winrm
 +>>> s = winrm.Session('http://HOST:5985/wsman', auth=('USER', 'PASS'), transport='ntlm')
 +>>> r = s.run_ps('Write-Host connection test OK')
 +>>> r
 +</code>
 +After executing "r" you should see this:
 +{{:tutorial:adm:winrm_response.png?nolink&400|}}
 +
 +Now what we did here? We connect to WinRM via ntlm and executed command Write-Host which is just basic output to console. If there is some misconfiguration in Windows server you will probably get error after executing line 
 +<code>r = s.run_ps('Write-Host connection test OK')</code>
 +
 +=== Commons errors ===
 +the specified credentials were rejected by the server - this error can be caused by:
 +  * wrong username or password
 +  * user is not in group
 +{{:tutorial:adm:winrm_rejected.png?nolink&600|}}
 +
 +Access denied 500  - this error can be caused by:
 +  * wrong username or password
 +  * WinRM SDDL is not configured
 +{{:tutorial:adm:winrm_500.png?nolink|}}
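Review bot: the Debug section gives the expected result of r and both error cases only as screenshots (winrm_response.png, winrm_rejected.png, winrm_500.png), so a reader cannot search for or compare the message text; add the output as text next to each image. Under "Check if port is open", Test-WSMan -ComputerName HOST is shown without a port while nc and Test-netConnection take PORT, so the three checks are not equivalent; say which port it tests or move it to the connection step. The sample session only shows http://HOST:5985 although 5986 (HTTPS) is listed as a default port, so show the HTTPS form as well. Wording: "Commons errors" should be "Common errors", "use this tips" should be "use these tips", and "Test-netConnection" should be cased "Test-NetConnection".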
  • by erbenr