Differences

This shows you the differences between two versions of the page.

tutorial:adm:configuration_-_winrm [2019/08/14 09:41]
kucerar credssp hadnshake error
tutorial:adm:configuration_-_winrm [2019/10/08 13:47] (current)
fiserp [Common issues]
Line 6: Line 6:
 WinRM is a command-line tool. WinRM is a command-line tool.
  
-==== Check if Winrm is running ====+===== Check if Winrm is running ​=====
  
 <​code>​Test-WSMan</​code>​ <​code>​Test-WSMan</​code>​
Line 16: Line 16:
 Now execute the first command again and it should without error now. Now execute the first command again and it should without error now.
  
-==== Show current configuration ====+===== Show current configuration ​=====
 Display WinRM listener. It will show useful information about port, address, ... where WinRM is listening for incoming connections. Display WinRM listener. It will show useful information about port, address, ... where WinRM is listening for incoming connections.
 After quick config you will probably see only one listener for HTTP. After quick config you will probably see only one listener for HTTP.
Line 30: Line 30:
 {{:​tutorial:​adm:​winrm_sddl.png?​nolink&​400|}} {{:​tutorial:​adm:​winrm_sddl.png?​nolink&​400|}}
  
-==== Authentications methods ====+===== Authentications methods ​=====
  
 ^           ^ Type of user   | **Credential delegation** ​ | **Message encryption** ​ | ^           ^ Type of user   | **Credential delegation** ​ | **Message encryption** ​ |
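Review bot: the heading "Authentications methods" keeps its typo through the level change; it should read "Authentication methods" on the new side of the hunk.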
Line 56: Line 56:
 </​code>​ </​code>​
  
-==== Permission configuration ====+===== Permission configuration ​=====
 If you want to use user which is not admin then we need a more configuration. If you want to use admin user you should ready to go even without it. If you want to use user which is not admin then we need a more configuration. If you want to use admin user you should ready to go even without it.
  
Line 84: Line 84:
 <​code>​Restart-Service winrm</​code>​ <​code>​Restart-Service winrm</​code>​
  
-==== Debug ====+===== Debugging =====
 When you need to check if WinRM is ready for connection but you don't have access to the Windows server to check the configuration yourself use this tips. When you need to check if WinRM is ready for connection but you don't have access to the Windows server to check the configuration yourself use this tips.
  
Line 97: Line 97:
 Next we want to try to connect to WinRM. Install [[devel:​documentation:​systems:​dev:​winrm_connector#​installation|pywinrm]] follow only the first part of installation,​ we don't need to install connector server. Next we want to try to connect to WinRM. Install [[devel:​documentation:​systems:​dev:​winrm_connector#​installation|pywinrm]] follow only the first part of installation,​ we don't need to install connector server.
 Open terminal (Linux) or powershell (Windows) Open terminal (Linux) or powershell (Windows)
-<​code>​+<​code ​python>
 > python > python
 >>>​ import winrm >>>​ import winrm
Line 105: Line 105:
 </​code>​ </​code>​
 For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store For connecting via HTTPS use this lane. The difference is in URL where we need to use https and port 5986. Then we are using one more argument where we specify path to trust store
-<​code>​+<​code ​python>
 >>>​ s = winrm.Session('​https://​HOST:​5986/​wsman',​ auth=(HOST, PASS), transport='​ntlm',​ ca_trust_path='/​etc/​ssl/​certs/​CRT.pem'​) >>>​ s = winrm.Session('​https://​HOST:​5986/​wsman',​ auth=(HOST, PASS), transport='​ntlm',​ ca_trust_path='/​etc/​ssl/​certs/​CRT.pem'​)
 </​code>​ </​code>​
-After executing "​r"​ you should see this: 
-{{:​tutorial:​adm:​winrm_response.png?​nolink&​400|}} 
  
-Now what we did here? We connect ​to WinRM via ntlm and executed command Write-Host which is just basic output to console. If there is some misconfiguration in Windows server you will probably get error after executing line +Then, execute the winrm call. Followin call simply instructs the remote powershell ​to echo "​connection test OK". If there some errors or warnings during the call, the python REPL will display them.
 <​code>​r = s.run_ps('​Write-Host connection test OK'​)</​code>​ <​code>​r = s.run_ps('​Write-Host connection test OK'​)</​code>​
  
-=== Commons errors ​=== +The fact that there were some stacktraces printed does not necessarily mean the call failed. 
-the specified ​credentials were rejected by the server ​- this error can be caused by:+ 
 +Now simply print the result by calling ''​r''​. After executing ''​r''​you should see something like this (note the "​connection test OK" string is there): 
 +{{:​tutorial:​adm:​winrm_response.png?​nolink&​400|}} 
 + 
 + 
 + 
 +==== Common issues ==== 
 +=== Specified ​credentials were rejected by the server ​=== 
 +Can be caused by:
   * wrong username or password   * wrong username or password
-  * user is not in group+  * user is not in correct user group on the Windows system
 {{:​tutorial:​adm:​winrm_rejected.png?​nolink&​600|}} {{:​tutorial:​adm:​winrm_rejected.png?​nolink&​600|}}
  
-Access denied 500  - this error can be caused by:+=== Access denied 500 === 
 +Can be caused by:
   * wrong username or password   * wrong username or password
   * WinRM SDDL is not configured   * WinRM SDDL is not configured
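Review bot: the new sentence "Then, execute the winrm call. Followin call simply instructs the remote powershell to echo ..." has two typos; it should read "Following call" and "If there are some errors or warnings". While here, the unchanged HTTPS example passes `auth=(HOST, PASS)` where the first element has to be the username (the HTTP example and the "Specified credentials were rejected by the server" item below both assume a username is supplied), so it should read `auth=(USER, PASS)` or the reader will hit the credentials-rejected issue even with a correct password.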
Line 126: Line 133:
  
  
-CredSSP handshake error   +=== CredSSP handshake error === 
-If you get this error when you trying to use CredSSP over HTTPS connection, the problem can be that there is configured certificate thumbprint directly in config/​service ​  +If you get this error when you trying to use CredSSP over HTTPS connection, the problem can be that there is configured certificate thumbprint directly in ''​winrm/​config/​service''​. 
-class '​requests_credssp.exceptions.AuthenticationException'>​("​Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual ''",​) ​  +<​code>​class '​requests_credssp.exceptions.AuthenticationException'>​("​Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual ''",​)</​code>​ 
-  +Execute this command to delete ''​CertificateThumbprint''​ value from the ''​config/​service''​.
 <​code>​winrm set winrm/​config/​service '​@{CertificateThumbprint=""​}'</​code>​ <​code>​winrm set winrm/​config/​service '​@{CertificateThumbprint=""​}'</​code>​
 +The configuration of certificate thumbprint in the Listener should remain there.
  
 +=== x509 attribute parsing error ===
 +When calling WinRM over HTTPS, you can encounter following error:
 +<code python>
 +Traceback (most recent call last):
 +  File "/​usr/​lib/​python2.7/​site-packages/​OpenSSL/​SSL.py",​ line 309, in wrapper
 +    _lib.X509_up_ref(x509)
 +AttributeError:​ '​module'​ object has no attribute '​X509_up_ref'​
 +</​code>​
 +This seems to be caused by older versions of the ''​cryptography''​ python library. Upgrading the library should solve the problem. Since this library is also used by some OS components, we recommend to upgrade it locally only for the user who runs python winrm scripts.
  
-==== HTTPS support ====+=== Requests using non-urllib3 backend === 
 +<note important>​Please note this is **not** a fix to your situation. For more info, look at [[https://​github.com/​requests/​requests-kerberos/​issues/​128|this Github issue]].</​note>​ 
 +This affects only ''​requests-ntlm''​ library and therefore only NTLM authentication. It does not seem to affect the overall function but the warning is at least an annoyance. When you see the warning: 
 +<​code>​ 
 +/​usr/​lib/​python2.7/​site-packages/​requests_ntlm/​requests_ntlm.py:​200:​ NoCertificateRetrievedWarning:​ Requests is running with a non urllib3 backend, cannot retrieve server certificate for CBT 
 +  NoCertificateRetrievedWarning) 
 +</​code>​ 
 +You can confirm the behavior by: 
 +  - Installing ''​requests-ntlm''​ locally for the user. 
 +  - Editing ''​~/​.local/​lib/​python2.7/​site-packages/​requests\_ntlm/​requests\_ntlm.py''​ and changing the import ''​from requests.packages.urllib3.response import HTTPResponse''​ to ''​from requests.packages.urllib3 import HTTPResponse''​. 
 +  - When running winrm script with NTLM, the warning should no longer pop up. 
 + 
 +=== HTTPS certificate not trusted === 
 +Python, by default, uses its own certificate truststore located somewhere under ''/​usr/​lib/​python2.7/​...''​. If it cannot find it, it uses system-wide truststore provided by ''​ca-certificates''​. However, you usually do not want to trust so many authorities. Also, your server usually have your certificates and that means you have to add your CA to the truststore. For debugging this (and WinRM at all) you can also use following script: 
 +<code python>​ 
 +import os 
 +# there, you can explicitly set path to your CA chain 
 +os.environ["​REQUESTS_CA_BUNDLE"​] = "/​path/​to/​crt/​chain.pem"​ 
 + 
 +from winrm.protocol import Protocol 
 + 
 +p = Protocol( 
 +    endpoint='​https://​SERVER YOU WANT TO CONNECT TO:​5986/​wsman',​ 
 +    transport='​CHOOSE AUTHENTICATION METHOD: basic,​credssp,​ntlm,​kerberos',​ 
 +    username='​USERNAME OR USERNAME@DOMAIN',​ 
 +    password='​USER PASSWORD'​) 
 +#​server_cert_validation='​ignore'​) ​           # put this into the Protocol object constructor to disable certificate validation 
 +shell_id = p.open_shell() 
 +command_id = p.run_command(shell_id,​ '​ping',​ ['​1.1.1.1'​]) 
 +std_out, std_err, status_code = p.get_command_output(shell_id,​ command_id) 
 +p.cleanup_command(shell_id,​ command_id) 
 +p.close_shell(shell_id) 
 + 
 +# this will output all that returned from the WinRM call 
 +print "​stdout",​std_out 
 +print "​stderr",​std_err 
 +print "​retcode",​status_code 
 +</​code>​ 
 +===== HTTPS support ​=====
 The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client.
 We need to create HTTPS listener and for this we will need some certificate. In this tutorial we will cover setting up WinRM with self signed certificate. We need to create HTTPS listener and for this we will need some certificate. In this tutorial we will cover setting up WinRM with self signed certificate.
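Review bot: the commented-out `server_cert_validation='ignore'` in the "HTTPS certificate not trusted" debugging script disables TLS certificate validation altogether, and the script carries the password inline, so the section should say that this switch is only for confirming that the failure is a trust-store problem and that the fix is the CA bundle, not leaving validation off; the `ca_trust_path` argument already used in the pywinrm Session example earlier on the page is the Protocol-level equivalent of setting `REQUESTS_CA_BUNDLE` and could be mentioned as the alternative. The description of the default truststore is imprecise: it is the `requests` library's bundled `certifi` CA store that is used by default (distribution packages may patch `requests` to use the system store instead), not Python's own. Smaller points in the same hunk: "your server usually have your certificates" should read "has", "we recommend to upgrade it locally" should read "we recommend upgrading it locally", and the backslashes in `requests\_ntlm/requests\_ntlm.py` are escaping residue that should be dropped from the path.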