Differences

This shows you the differences between two versions of the page.

tutorial:adm:configuration_-_winrm [2019/06/12 12:31]
kucerar
tutorial:adm:configuration_-_winrm [2019/07/24 12:19]
kucerar [Debug]
Line 51: Line 51:
 <code>winrm set winrm/config/service/auth '@{Kerberos="true"}'</code> <code>winrm set winrm/config/service/auth '@{Kerberos="true"}'</code>
   * CredSSP   * CredSSP
-<code>winrm set winrm/config/service/auth '@{CredSSP="true"}'</code>+<code>winrm set winrm/config/service/auth '@{CredSSP="true"}' 
 +winrm set winrm/config/client/auth '@{CredSSP="true"}' 
 +Enable-WSManCredSSP -Role Server 
 +</code>
  
 ==== Permission configuration ==== ==== Permission configuration ====
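Review bot: The added line `winrm set winrm/config/client/auth '@{CredSSP="true"}'` enables CredSSP for outbound connections made from this server, which is not required for the server to accept CredSSP logons; drop it unless this host must itself act as a CredSSP client, and say so in the text if it must. `Enable-WSManCredSSP -Role Server` already sets the service-side CredSSP auth value to true, so it duplicates the first `winrm set winrm/config/service/auth` line; keep one of the two. The cmdlet also asks for confirmation unless `-Force` is passed, so the block should state that it is run in an elevated PowerShell session and whether the prompt is expected. Because CredSSP passes the user's credentials to the remote host, a sentence on when it is actually needed (second-hop access) would keep readers from enabling it by default next to Kerberos.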
Line 100: Line 103:
 >>> r = s.run_ps('Write-Host connection test OK') >>> r = s.run_ps('Write-Host connection test OK')
 >>> r >>> r
 +</code>
 +For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store
 +<code>
 +>>> s = winrm.Session('https://HOST:5986/wsman', auth=(HOST, PASS), transport='ntlm', ca_trust_path='/etc/ssl/certs/CRT.pem')
 </code> </code>
 After executing "r" you should see this: After executing "r" you should see this:
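Review bot: In the new HTTPS example, `auth=(HOST, PASS)` puts the host placeholder in the position where `winrm.Session` takes the user name; it should read `auth=(USER, PASS)` so it is not confused with the `HOST` in the URL. The host name in `https://HOST:5986/wsman` has to match the name in the certificate referenced by `ca_trust_path`, otherwise validation fails, and the text should say that rather than leave readers to turn validation off. The inserted `</code>` also moves the sentence "After executing "r" you should see this:" so that it now follows a snippet that never calls `run_ps`; place the HTTPS variant after the expected output, or repeat the `run_ps` call in it. Typo in the prose: "lane" should be "line".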
Line 117: Line 124:
   * WinRM SDDL is not configured   * WinRM SDDL is not configured
 {{:tutorial:adm:winrm_500.png?nolink|}} {{:tutorial:adm:winrm_500.png?nolink|}}
 +
 +==== HTTPS support ====
 +The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client.
 +We need to create HTTPS listener and for this we will need some certificate. In this tutorial we will cover setting up WinRM with self signed certificate.
 +The configuration will be same if we want to use some other certificate, so if you already have certificate you can skip the part where we are generating one.
 +
 +The tested way to generate self signed certificate on linux via tutorial which can be found [[https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15|here]] you should follow whole process except the part with finals steps because for our purpose we don't need to import it to browsers.
 +
 +Now we have certificate which is imported in our windows server and now we can configure the HTTP listener
 +<code>winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="HOSTNAME"; CertificateThumbprint="THUMBPRINT"}'
 +for deleting
 +winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
 +</code>
 +
 +Restart WinRM
 +<code>Restart-Service winrm</code>
 +
 +Next step is to validate if we can connect to HTTPS listener so follow instruction in section debug and validate if HTTPS port is accessible.
 +Before we try to execute some powershell command via WinRM we need to import this certificate into client trust store and pass the path to this store as parameter - see debug section
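Review bot: The sentence "Now we have certificate which is imported in our windows server" skips the steps it relies on: nothing in the section shows how the certificate gets into the server's certificate store or how to read the value that goes into `CertificateThumbprint="THUMBPRINT"`, so the `winrm create` command cannot be followed as written. Add those steps before the listener command. The same sentence says "HTTP listener" where the command creates an HTTPS one. Inside the `<code>` block, "for deleting" is plain text between two commands and will be pasted into the shell with them; move it out of the block or split the block in two. The closing paragraph points to the debug section for checking the HTTPS port, but the section never mentions opening port 5986 in the server firewall, which is worth stating next to the listener step. Since the tutorial uses a self-signed certificate, it should also say that the client trust store gets only the certificate, never the private key.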
  • by erbenr