Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:configuration_-_winrm [2019/10/08 13:17] fiserp [Debug] |
tutorial:adm:configuration_-_winrm [2019/10/08 13:47] fiserp [Common issues] |
||
---|---|---|---|
Line 6: | Line 6: | ||
WinRM is a command-line tool. | WinRM is a command-line tool. | ||
- | ==== Check if Winrm is running ==== | + | ===== Check if Winrm is running |
< | < | ||
Line 16: | Line 16: | ||
Now execute the first command again and it should without error now. | Now execute the first command again and it should without error now. | ||
- | ==== Show current configuration ==== | + | ===== Show current configuration |
Display WinRM listener. It will show useful information about port, address, ... where WinRM is listening for incoming connections. | Display WinRM listener. It will show useful information about port, address, ... where WinRM is listening for incoming connections. | ||
After quick config you will probably see only one listener for HTTP. | After quick config you will probably see only one listener for HTTP. | ||
Line 30: | Line 30: | ||
{{: | {{: | ||
- | ==== Authentications methods ==== | + | ===== Authentications methods |
^ ^ Type of user | **Credential delegation** | ^ ^ Type of user | **Credential delegation** | ||
Line 56: | Line 56: | ||
</ | </ | ||
- | ==== Permission configuration ==== | + | ===== Permission configuration |
If you want to use user which is not admin then we need a more configuration. If you want to use admin user you should ready to go even without it. | If you want to use user which is not admin then we need a more configuration. If you want to use admin user you should ready to go even without it. | ||
Line 84: | Line 84: | ||
< | < | ||
- | ==== Debug ==== | + | ===== Debugging ===== |
When you need to check if WinRM is ready for connection but you don't have access to the Windows server to check the configuration yourself use this tips. | When you need to check if WinRM is ready for connection but you don't have access to the Windows server to check the configuration yourself use this tips. | ||
Line 119: | Line 119: | ||
- | === Commons errors | + | ==== Common issues ==== |
- | **Specified credentials were rejected by the server** - this error can be caused by: | + | === Specified credentials were rejected by the server |
+ | Can be caused by: | ||
* wrong username or password | * wrong username or password | ||
- | * user is not in correct group | + | * user is not in correct |
{{: | {{: | ||
- | **Access denied 500** - this error can be caused by: | + | === Access denied 500 === |
+ | Can be caused by: | ||
* wrong username or password | * wrong username or password | ||
* WinRM SDDL is not configured | * WinRM SDDL is not configured | ||
Line 131: | Line 133: | ||
- | **CredSSP handshake error** | + | === CredSSP handshake error === |
- | If you get this error when you trying to use CredSSP over HTTPS connection, the problem can be that there is configured certificate thumbprint directly in '' | + | If you get this error when you trying to use CredSSP over HTTPS connection, the problem can be that there is configured certificate thumbprint directly in '' |
< | < | ||
Execute this command to delete '' | Execute this command to delete '' | ||
< | < | ||
+ | The configuration of certificate thumbprint in the Listener should remain there. | ||
+ | === x509 attribute parsing error === | ||
+ | When calling WinRM over HTTPS, you can encounter following error: | ||
+ | <code python> | ||
+ | Traceback (most recent call last): | ||
+ | File "/ | ||
+ | _lib.X509_up_ref(x509) | ||
+ | AttributeError: | ||
+ | </ | ||
+ | This seems to be caused by older versions of the '' | ||
- | ==== HTTPS support ==== | + | === Requests using non-urllib3 backend === |
+ | <note important> | ||
+ | This affects only '' | ||
+ | < | ||
+ | / | ||
+ | NoCertificateRetrievedWarning) | ||
+ | </ | ||
+ | You can confirm the behavior by: | ||
+ | - Installing '' | ||
+ | - Editing '' | ||
+ | - When running winrm script with NTLM, the warning should no longer pop up. | ||
+ | |||
+ | === HTTPS certificate not trusted === | ||
+ | Python, by default, uses its own certificate truststore located somewhere under ''/ | ||
+ | <code python> | ||
+ | import os | ||
+ | # there, you can explicitly set path to your CA chain | ||
+ | os.environ[" | ||
+ | |||
+ | from winrm.protocol import Protocol | ||
+ | |||
+ | p = Protocol( | ||
+ | endpoint=' | ||
+ | transport=' | ||
+ | username=' | ||
+ | password=' | ||
+ | # | ||
+ | shell_id = p.open_shell() | ||
+ | command_id = p.run_command(shell_id, | ||
+ | std_out, std_err, status_code = p.get_command_output(shell_id, | ||
+ | p.cleanup_command(shell_id, | ||
+ | p.close_shell(shell_id) | ||
+ | |||
+ | # this will output all that returned from the WinRM call | ||
+ | print " | ||
+ | print " | ||
+ | print " | ||
+ | </ | ||
+ | ===== HTTPS support | ||
The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. | The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. | ||
We need to create HTTPS listener and for this we will need some certificate. In this tutorial we will cover setting up WinRM with self signed certificate. | We need to create HTTPS listener and for this we will need some certificate. In this tutorial we will cover setting up WinRM with self signed certificate. |