Differences

tutorial:adm:configuration_-_winrm [2024/02/05 05:17] erbenrtutorial:adm:configuration_-_winrm [2025/10/07 10:28] (current) – [Permission configuration] klimad
Line 16: Line 16:
  
 If you get some error then you need to do the [[https://docs.microsoft.com/en-us/windows/desktop/winrm/installation-and-configuration-for-windows-remote-management#quick-default-configuration|quick default configuration]] If you get some error then you need to do the [[https://docs.microsoft.com/en-us/windows/desktop/winrm/installation-and-configuration-for-windows-remote-management#quick-default-configuration|quick default configuration]]
 +<code>
 +
 +winrm quickconfig
 +
 +</code>
  
 Now execute the first command again and it should without error now. Now execute the first command again and it should without error now.
 +
  
 ===== Show current configuration ===== ===== Show current configuration =====
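Review bot: the added `<code>` block around `winrm quickconfig` should be `<code powershell>` like every other block on this page, so it gets the same highlighting, and the blank lines padding it inside the fence can go. One sentence of context would also help: quickconfig does more than clear the error, it sets the service to start automatically, creates an HTTP listener on port 5985 and adds the firewall exception for it.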
Line 25: Line 31:
 <code powershell> <code powershell>
 winrm e winrm/config/listener winrm e winrm/config/listener
- 
  
 </code> </code>
Line 63: Line 68:
 <code powershell> <code powershell>
 winrm set winrm/config/client '@{TrustedHosts="*"}' winrm set winrm/config/client '@{TrustedHosts="*"}'
- 
  
 </code> </code>
Line 74: Line 78:
 winrm set winrm/config/service/auth '@{Basic="true"}' winrm set winrm/config/service/auth '@{Basic="true"}'
 winrm set winrm/config/service '@{AllowUnencrypted="true"}' winrm set winrm/config/service '@{AllowUnencrypted="true"}'
- 
  
 </code> </code>
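Review bot: the two lines kept in this hunk, `winrm set winrm/config/service/auth '@{Basic="true"}'` and `winrm set winrm/config/service '@{AllowUnencrypted="true"}'`, together allow Basic credentials to travel over plain HTTP; the section should say this is a test-only combination and point to the HTTPS listener (port 5986) configured later on the page as the setting to keep.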
Line 82: Line 85:
 <code powershell> <code powershell>
 winrm set winrm/config/service/auth '@{Negotiate="true"}' winrm set winrm/config/service/auth '@{Negotiate="true"}'
- 
  
 </code> </code>
Line 90: Line 92:
 <code powershell> <code powershell>
 winrm set winrm/config/service/auth '@{Kerberos="true"}' winrm set winrm/config/service/auth '@{Kerberos="true"}'
- 
  
 </code> </code>
Line 98: Line 99:
  
 <code powershell> <code powershell>
-winrm set winrm/config/service/auth '@{CredSSP="true"}'===  === +winrm set winrm/config/service/auth '@{CredSSP="true"}'
-{{.:winrm_wmi2.png?400|Level 4 Headline}}+
 winrm set winrm/config/client/auth '@{CredSSP="true"}' winrm set winrm/config/client/auth '@{CredSSP="true"}'
 Enable-WSManCredSSP -Role Server Enable-WSManCredSSP -Role Server
- 
- 
 </code> </code>
- 
 ===== Permission configuration ===== ===== Permission configuration =====
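Review bot: good cleanup of the stray `===  ===` heading and the image embed that had landed inside the CredSSP code block. Next to `Enable-WSManCredSSP -Role Server` it is worth stating that CredSSP hands the user's full credentials to the server, so delegation should stay scoped to the WSMAN/SPN entries the AllowFreshCredentials policy later on this page lists, never a wildcard.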
  
Line 112: Line 109:
 Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth It's tested with local user + group and with domain user + group. For the following steps you can use one of these groups WinRMRemoteWMIUsers\_\_ or Remote Management Users It should work with both. Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth It's tested with local user + group and with domain user + group. For the following steps you can use one of these groups WinRMRemoteWMIUsers\_\_ or Remote Management Users It should work with both.
  
-Assign user into group Set WMI access for group.+**Assign WinRM user into group WinRMRemoteWMIUsers__ or Remote Management Users**
  
-* Computer Management → Services and Application → right click WMI Control → Properties * In new dialog window → tab Security → Root → CIMV2 and click button Security * Next dialog window will appear - you need to add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) here * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable * Click on Advanced - select and edit group → Set "Applies to" This namespace and subnamespaces * Confirm all changes in dialog windows and close them+Set WMI access for group. 
 + 
 +  * Computer Management → Services and Application → right click WMI Control → Properties  
 +  * In new dialog window → tab Security → Root → CIMV2 and click button Security 
 +  * Next dialog window will appear - you need to add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) here 
 +  * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable 
 +  * Click on Advanced - select and edit group → Set "Applies to" This namespace and subnamespaces 
 +  * Confirm all changes in dialog windows and close them
  
 {{.:winrm_wmi.png?nolink&600}}{{.:winrm_wmi2.png?nolink&800}} {{.:winrm_wmi.png?nolink&600}}{{.:winrm_wmi2.png?nolink&800}}
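Review bot: the new bold line writes the group as `WinRMRemoteWMIUsers__` without the escaping used everywhere else on the page (`WinRMRemoteWMIUsers\_\_`); in DokuWiki a bare `__` opens underline markup, so the rendered heading can lose the underscores or underline the rest of the line. Minor: the Computer Management node is "Services and Applications".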
Line 122: Line 126:
 <code powershell> <code powershell>
 winrm configSDDL default winrm configSDDL default
- 
  
 </code> </code>
  
-{{.:winrm_sddl.png?nolink&400}}* Add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) and give it Full Control * Confirm changes Restart WinRM+{{.:winrm_sddl.png?nolink&400}} 
 +  * Add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) and give it Full Control 
 +  * Confirm changes Restart WinRM
  
 <code powershell> <code powershell>
 Restart-Service winrm Restart-Service winrm
- 
  
 </code> </code>
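Review bot: the last bullet, `* Confirm changes Restart WinRM`, merges two steps; make "Restart WinRM" its own bullet, or drop it, since the `Restart-Service winrm` block directly below performs it.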
Line 142: Line 146:
 <code shell> <code shell>
 nc -vz HOST PORT nc -vz HOST PORT
- 
  
 </code> </code>
Line 150: Line 153:
 <code powershell> <code powershell>
 Test-WSMan -ComputerName HOST or Test-netConnection HOST -Port PORT Test-WSMan -ComputerName HOST or Test-netConnection HOST -Port PORT
- 
  
 </code> </code>
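Review bot: `Test-WSMan -ComputerName HOST or Test-netConnection HOST -Port PORT` is one line inside the code block, so pasting it fails on the word "or"; put each command on its own line with the alternative marked in a `#` comment. The cmdlet's casing is `Test-NetConnection`.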
Line 156: Line 158:
 Now we know if we are able to connect to the WinRM port. In case the port is not accessible it can be probably blocked in firewall. Next we want to try to connect to WinRM. Install [[:devel:documentation:systems:dev:winrm_connector#installation|pywinrm]] follow only the first part of installation, we don't need to install connector server. Open terminal (Linux) or powershell (Windows) Now we know if we are able to connect to the WinRM port. In case the port is not accessible it can be probably blocked in firewall. Next we want to try to connect to WinRM. Install [[:devel:documentation:systems:dev:winrm_connector#installation|pywinrm]] follow only the first part of installation, we don't need to install connector server. Open terminal (Linux) or powershell (Windows)
  
-python>> +<code python>> python>>> import winrm 
- +>>> s = winrm.Session('[[http://HOST:5985/wsman|http://HOST:5985/wsman]]', auth=('USER', 'PASS'), transport='ntlm')
-<code python>>> +
- import winrm>>> s = winrm.Session('[[http://HOST:5985/wsman|http://HOST:5985/wsman]]', auth=('USER', 'PASS'), transport='ntlm')+
 >>> r = s.run_ps('Write-Host connection test OK') >>> r = s.run_ps('Write-Host connection test OK')
 >>> r >>> r
- 
  
 </code> </code>
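Review bot: the URL in `s = winrm.Session('[[http://HOST:5985/wsman|http://HOST:5985/wsman]]', ...)` is wrapped in wiki link syntax inside a `<code python>` block, where links are not rendered, so readers copy the literal brackets; use the plain `'http://HOST:5985/wsman'`. A short remark that `transport='ntlm'` seals the message body even over HTTP, while `basic` over HTTP sends the password in clear, would stop someone swapping the transport when troubleshooting.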
Line 168: Line 167:
 For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store
  
-s = winrm.Session('', auth=(HOST, PASS), transport='ntlm', ca_trust_path='/etc/ssl/certs/CRT.pem') +<code python>>>> s = winrm.Session('[[https://HOST:5986/wsman|https://HOST:5986/wsman]]', auth=(HOST, PASS), transport='ntlm', ca_trust_path='/etc/ssl/certs/CRT.pem')
- +
-<code python>>>>> +
  
 </code> </code>
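Review bot: `auth=(HOST, PASS)` in the new line passes the host name where the user name belongs; the HTTP example above uses `auth=('USER', 'PASS')` and this one should match. The URL has the same wiki-link wrapping as the previous block and should be the plain `'https://HOST:5986/wsman'`. For `ca_trust_path='/etc/ssl/certs/CRT.pem'` say that this is the listener certificate exported in the certificate section, in PEM form, otherwise validation of the self-signed certificate fails.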
Line 179: Line 175:
 <code python> <code python>
 r = s.run_ps('Write-Host connection test OK') r = s.run_ps('Write-Host connection test OK')
- 
  
 </code> </code>
Line 232: Line 227:
 </code> </code>
  
-To turn the credentials delegation on. Open Group policy setting and navigate to Computer ConfigurationAdministrative templateWindows ComponentsWindows Remote Management (WinRM)WinRM Service.+To turn the credentials delegation on. Open Group policy setting and navigate to Computer Configuration\Administrative Templates\System\Credentials Delegation.
  
 The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. The correct value is WSMAN/SPN of your server. For example The Allow Delegating Fresh Credentials (AllowFreshCredentials) policy setting must be enabled. If it's enabled validate if correct value (values) are added to this policy. The correct value is WSMAN/SPN of your server. For example
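Review bot: the corrected path `Computer Configuration\Administrative Templates\System\Credentials Delegation` is where AllowFreshCredentials actually lives, so this fixes a real error in the old text. Minor: "To turn the credentials delegation on." is a fragment; join it to the next sentence ("To turn credentials delegation on, open ...").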
Line 299: Line 294:
 print "stderr",std_err print "stderr",std_err
 print "retcode",status_code print "retcode",status_code
- 
  
 </code> </code>
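Review bot: `print "stderr",std_err` and `print "retcode",status_code` are Python 2 statements and raise a SyntaxError on Python 3; write them as `print("stderr", std_err)` and `print("retcode", status_code)`.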
Line 332: Line 326:
  
 Create and export self signed certificate with powershell: Create and export self signed certificate with powershell:
- 
 <code powershell> <code powershell>
 $pathToCertificate="C:\Users\Administrator.ZOO\Desktop\certificate"  ## Specify your preferred location for export $pathToCertificate="C:\Users\Administrator.ZOO\Desktop\certificate"  ## Specify your preferred location for export
-$hostname='bear.zoo.bcv' #hostname your machine+$hostname='ad.idstory.idm' #hostname your machine
 $params = @{ $params = @{
     Subject = "CN=winrm.$hostname"     Subject = "CN=winrm.$hostname"
-    DnsName = 'bear.zoo.bcv'+    DnsName = 'ad.idstory.idm'
     CertStoreLocation = 'Cert:\LocalMachine\My' #Certificate for WinRM, must be in stored in Local Computers     CertStoreLocation = 'Cert:\LocalMachine\My' #Certificate for WinRM, must be in stored in Local Computers
-    KeyExportPolicy ='Exportable' +    KeyExportPolicy ='Exportable'  
-    KeySpec ='Signature'+    KeySpec ='Signature' 
     KeyLength ='2048'     KeyLength ='2048'
     KeyAlgorithm = 'RSA'     KeyAlgorithm = 'RSA'
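Review bot: `DnsName = 'ad.idstory.idm'` repeats the literal that `$hostname` already holds (this revision had to change both lines); use `DnsName = $hostname` so the SAN cannot drift from the Subject. `Subject = "CN=winrm.$hostname"` with the bare host as DnsName is fine, since clients validate the SAN, but a comment saying so would save questions.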
Line 347: Line 340:
 } }
  
-#$cert = New-SelfSignedCertificate -Subject "CN=bear.zoo.bcv" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256    ## Replace {certificateName} 
 $cert = New-SelfSignedCertificate @params $cert = New-SelfSignedCertificate @params
-Export-Certificate -Cert $cert -FilePath "$pathToCertificate\$hostname.cer"+Export-Certificate -Cert $cert -FilePath "$pathToCertificate\$hostname.cer" 
 $mypwd = ConvertTo-SecureString -String "{myPassword}" -Force -AsPlainText  ## Replace {myPassword} $mypwd = ConvertTo-SecureString -String "{myPassword}" -Force -AsPlainText  ## Replace {myPassword}
 Export-PfxCertificate -Cert $cert -FilePath "$pathToCertificate\$hostname.pfx" -Password $mypwd Export-PfxCertificate -Cert $cert -FilePath "$pathToCertificate\$hostname.pfx" -Password $mypwd
- 
 </code> </code>
  
 List certificate in windows certificate storage: List certificate in windows certificate storage:
- 
 <code powershell> <code powershell>
 Get-ChildItem -Path Cert:\LocalMachine\My -Recurse #List certificate stored in Local Computer, and copy certificate thumbrint Get-ChildItem -Path Cert:\LocalMachine\My -Recurse #List certificate stored in Local Computer, and copy certificate thumbrint
- 
 </code> </code>
  
 Configure WinRM listener with HTTPS certficate: Configure WinRM listener with HTTPS certficate:
- 
 <code powershell> <code powershell>
 winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="HOSTNAME";CertificateThumbprint="THUMBPRINT"}' winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="HOSTNAME";CertificateThumbprint="THUMBPRINT"}'
 for deleting for deleting
 winrm delete winrm/config/Listener?Address=*+Transport=HTTPS winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
- 
 </code> </code>
  
 Create firewall rule for WinRM HTTPS: Create firewall rule for WinRM HTTPS:
- 
 <code powershell> <code powershell>
 New-NetFirewallRule -Displayname 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP New-NetFirewallRule -Displayname 'WinRM - Powershell remoting HTTPS-In' -Name 'WinRM - Powershell remoting HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP
- 
 </code> </code>
  
 Restart WinRM Restart WinRM
- 
 <code powershell> <code powershell>
 Restart-Service winrm Restart-Service winrm
- 
 </code> </code>
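Review bot: `for deleting` sits as prose inside the listener code block and should be a `#` comment so the block can be pasted. Two follow-ups: `New-NetFirewallRule ... -Profile Any` opens 5986 on the Public profile as well, so restrict it to the profiles the management network uses, and `"{myPassword}"` in `ConvertTo-SecureString` ends up in the shell history, which the text should mention. Typos in context: "thumbrint", "certficate".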
  
Line 388: Line 371:
  
  
 +===== Powershell 7 support =====
 +
 +Install powershell 7: https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4#installing-the-msi-package
 +
 +Run app ''C:\Program Files\PowerShell\7\pwsh.exe'' and execute
 +<code powershell>
 +Enable-PSRemoting 
 +</code>
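Review bot: `Enable-PSRemoting` from `pwsh.exe` must run in an elevated shell, and it registers a separate PowerShell 7 session configuration beside the Windows PowerShell one; the section should say how that endpoint is then selected and note that a session configuration carries its own SDDL, so the `winrm configSDDL` and WMI namespace rights granted earlier do not automatically cover it (check with `Get-PSSessionConfiguration`).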
  
  
  • by erbenr