We have a few servers where the WinRM authentication is failing using the local admin account and the certificate because of the rejected credentials:
msg: certificate: the specified credentials were rejected by the server
Note that we have used the exact same setup on other servers and it works there. What's the issue/difference here compared to the other servers?
We have also tried all the known "workarounds" like adding the REG_DWORD "ClientAuthTrustMode" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel" but it didn't help.
The WinRM HTTPS listener is properly configured and certificate authentication is allowed.
The error from the event log:
Provider Health: The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be verified. Please check the username and password used for mapping this certificate and verify that it is a non-domain account and try again.
Details:
ProviderName=WSMan
ExceptionClass=ProviderInvocationException
ErrorCategory=InvalidOperation
ErrorId=WsManError
ErrorMessage=The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be verified. Please check the username and password used for mapping this certificate and verify that it is a non-domain account and try again.
Any ideas?
how to add a trusted CA for local Consul docker container?
So I have a consul running as a docker container and I am able to access it using chrome at localhost:8500 after exposing the ports, as expected. But due to a company setting there is a security CA being added that chrome trusts, since it is added to the MacOS keychain, but consul does not seem to trust it when I try to use the golang library to connect to consul:
x509: "Menlo Security Intermediate CA" certificate is not trusted
I get a certificate is not trusted error. I am able to export the CA to a RootCA.cer file from the keychain but how do I configure consul image to trust this CA file?
https://iotech.force.com/edgexpert/s/article/secure-consul-tls
I see articles like this
ca_file is used to check the authenticity of the client and server connections
cert_file is provided to clients and server to verify the agent's authenticity
key_file is used with the certificate to verify the agent's authenticity
but for me, the .cer export file will be used as cert_file?
how should I do it in docker compose?
consul:
  image: dockerproxy.comp.com/consul:latest
  ports:
    - "9500:9500"
A hostname verifier is useful when an SSL client connects to an application server on a remote host. It ensures that the hostname in the URL to which the client tries to connect matches the hostname in the digital certificate that the server sends back as part of the SSL handshake. Host name verification is performed only by an SSL client.
ERROR — TargetHandler I/O error: Host name verification failed for host : 72.20.5.110
javax.net.ssl.SSLException: Host name verification failed for host : <host-name>
    at org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.verify(ClientSSLSetupHandler.java:152)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:285)
How WebClient verifies the server host name by default and how can we disable this?
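The check that fails in the trace above is a plain string comparison between the requested host and the names the certificate carries. The following is an added example, not code from the question, from Apache Synapse or from WSO2; it reimplements the rules a default hostname verifier applies (case-insensitive dNSName match, a wildcard only as the whole leftmost label, and an IP literal that must match an iPAddress entry) so the failure for a host given as 72.20.5.110 can be reproduced offline. The SAN list and host names are constructed sample data.

```python
"""Reference implementation of the host name check an SSL client performs.

Added example (not part of the original question, Apache Synapse or WSO2).
Certificates and host names below are constructed sample data.
"""
import ipaddress
from typing import Iterable, List, Tuple

# A subject alternative name list as (type, value) pairs, the shape Python's
# ssl.getpeercert()["subjectAltName"] returns. Constructed sample values.
SAMPLE_SAN: List[Tuple[str, str]] = [
    ("DNS", "api.example.com"),
    ("DNS", "*.internal.example.com"),
    ("IP Address", "10.0.0.5"),
]


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    - comparison is case-insensitive
    - a single '*' is accepted only as the whole leftmost label
      (RFC 6125 section 6.4.3): '*.example.com' matches 'a.example.com'
      but not 'a.b.example.com' and not 'example.com'
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard must be the entire leftmost label
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # no '*.com' style wildcards, no multi-label matches
    return p_labels[1:] == h_labels[1:]


def match_hostname(san: Iterable[Tuple[str, str]], host: str) -> bool:
    """Return True if host is covered by the certificate's SAN entries.

    An IP literal must match an iPAddress entry; dNSName entries never
    cover IP literals, which is why connecting to a bare address such as
    72.20.5.110 with a certificate issued for a DNS name fails verification.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for san_type, value in san:
        if ip is not None:
            if san_type == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif san_type == "DNS" and _dns_label_match(value, host):
            return True
    return False


def explain(san: Iterable[Tuple[str, str]], host: str) -> str:
    """Produce the diagnostic a verifier would log for a failed match."""
    san = list(san)
    if match_hostname(san, host):
        return "ok"
    names = ", ".join(v for _, v in san)
    return f"Host name verification failed for host : {host} (certificate covers: {names})"


if __name__ == "__main__":
    for h in ("api.example.com", "db.internal.example.com", "10.0.0.5", "72.20.5.110"):
        print(h, "->", explain(SAMPLE_SAN, h))
```

The last case in the usage loop is the situation from the log: the client is pointed at an IP address while the certificate only names DNS hosts, so the right fix is to connect by the name the certificate carries (or reissue the certificate with an iPAddress SAN), not to disable the verifier.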
I have installed Mirth Connect and it is running on https://example.com:8443 but it is throwing an https warning. If I run https://example.com it doesn't show any warning because the ssl certificate is installed. The issue is with the port. Please help me out with this problem.
Thanks.
Mirth Connect generates a new self-signed certificate on first startup. You can replace this with your own cert, it's the "mirthconnect" alias in the keystore.jks file. Follow the Changing The Server Certificate section in the user guide.
I'm new to Windows Azure Server configurations, and I'm trying to configure the FTP Connection. But when I access the Server with FileZilla it doesn't work. What am I doing wrong here?
I'm using IIS with FTP Server Roles installed.
Following is the error log from FileZilla
Status: Resolving address of AZR-SRV-map01.cloudapp.net
Status: Connecting to 52.187.64.207:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (52,187,64,207,195,237).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
I also tried the following steps in configuring the FTP Connection...
Here the endpoints have been configured from the Azure Portal.
This is how I published the FTP Site
Configured the FTP Firewall Support with the Azure Server Public IP
And enabled the firewall outbound and inbound rules..
After completing all the steps, I restarted the Microsoft FTP Service, but the problem still exists.
For now, we can't configure active mode FTP on an Azure VM. We should configure the data channel port range in FTP Firewall Support so that FTP works in passive mode. For example, we can use ports 10000-10010 as the data channel port range. Also, we should add the ports to the VM's endpoints and add them to the VM's firewall inbound rules.
By the way, although the windows firewall seems to allow all traffic that’s required, we also need to enable stateful FTP filtering on the firewall:
netsh advfirewall set global StatefulFtp enable
Then restart the FTP windows service and we should be up and running:
net stop ftpsvc
net start ftpsvc
Here is a case similar to yours; please refer to it.
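The FileZilla log in the question already contains the reason for the timeout: the 227 reply announces the address and port the server wants the client to use for the data channel, and that port has to be one that is open on both the VM endpoints and the Windows firewall. The following is an added example, not from the question, the answer or Microsoft's FTP documentation; it decodes a PASV reply per RFC 959 (port = p1 * 256 + p2) and checks it against the passive range the answer suggests. The log lines are constructed from the session quoted above and the addresses are sample values.

```python
"""Decode an FTP PASV reply and check the data channel against firewall rules.

Added example (not part of the original question or answer). SAMPLE_LOG is
constructed from the FileZilla session quoted above; the allowed port range
is the 10000-10010 range the answer suggests for "FTP Firewall Support".
"""
import re
from typing import List, Optional, Tuple

# Constructed log lines modelled on the FileZilla output in the question.
SAMPLE_LOG = """\
Status: Connecting to 52.187.64.207:990...
Status: TLS connection established, waiting for welcome message...
Command: PASV
Response: 227 Entering Passive Mode (52,187,64,207,195,237).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).

    Per RFC 959 the data port is p1 * 256 + p2; returns None for other lines.
    """
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose(log: str, control_ip: str, allowed_range: Tuple[int, int]) -> List[str]:
    """Return human-readable findings for a passive-mode data channel.

    Two conditions make the LIST in the log hang:
      * the advertised data port is outside the range opened on the firewall
        and on the VM endpoints
      * the advertised address differs from the public control-channel address
        (a server behind NAT announcing its private IP)
    """
    findings: List[str] = []
    lo, hi = allowed_range
    for line in log.splitlines():
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        ip, port = parsed
        if not lo <= port <= hi:
            findings.append(
                f"data port {port} is outside the allowed passive range {lo}-{hi}; "
                f"LIST/RETR will time out until the server is configured to use "
                f"the range and the range is opened on the endpoints and firewall"
            )
        if ip != control_ip:
            findings.append(
                f"server advertised {ip} but the control connection went to "
                f"{control_ip}; set the external IP in FTP Firewall Support"
            )
    if "timed out" in log and not findings:
        findings.append("timeout seen but the PASV reply is consistent; check the firewall logs")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "52.187.64.207", (10000, 10010)):
        print("-", finding)
```

Run as-is the script reports that the server handed out port 50157, which is nowhere near the 10000-10010 range; this matches the symptom of a control connection that logs in fine and then stalls on the first directory listing.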
I am building a playbook in Ansible that will add some DNS entries to multiple Windows 2012 R2 domain controllers (DC). When attempting to authenticate over HTTP the DC rejects my credentials.
I have followed the documentation on the Ansible website to configure kerberos on my control machine.
http://docs.ansible.com/ansible/intro_windows.html#active-directory-support
I have also confirmed that I can log into the domain using my credentials:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my-user@<REDACTED>

Valid starting       Expires              Service principal
10/06/2016 09:47:03  10/06/2016 19:47:03  krbtgt/<REDACTED>@<REDACTED>
        renew until 10/07/2016 09:46:59
10/06/2016 09:47:48  10/06/2016 19:47:03  HTTP/phx-dev-mwad01.<REDACTED>@<REDACTED>
        renew until 10/07/2016 09:46:59
10/06/2016 09:54:15  10/06/2016 19:47:03  HTTP/phx-dev-mwad02.<REDACTED>@<REDACTED>
        renew until 10/07/2016 09:46:59
10/06/2016 12:08:28  10/06/2016 19:47:03  HTTP/phx-dev-want01.<REDACTED>@<REDACTED>
        renew until 10/07/2016 09:46:59
I redacted the domain for security purposes.
Here is my config file for winrm:
ansible_user: my-user@<REDACTED>
ansible_password: SomePass
ansible_port: 5985
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore
I am able to connect to the windows servers over port 5986 (HTTPS), however in production the domain controllers are not configured for 5986 so Ansible must be able to establish the connection over port 5985 (HTTP). This requirement will not change in production.
When attempting the connection over 5985 my credentials are rejected:
fatal: [phx-dev-mwad02]: UNREACHABLE! => {"changed": false, "msg": "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server", "unreachable": true}
WinRM is set to allow remote management:
$winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
Here is a gist to our WinRM configuration:
https://gist.github.com/anonymous/f2baaff517287c535453dbba4ef03b69
And yes, I have confirmed that my credentials are correct.
Look at AllowUnencrypted = false in your winrm server's config. It seems that for now python winrm doesn't support message encryption without https. As a workaround you can set it to true, which is insecure, so I strongly do not recommend this (cmd):
winrm set winrm/config/service @{AllowUnencrypted="true"}
See HTTP or HTTPS endpoint section of https://pypi.python.org/pypi/pywinrm
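Before flipping AllowUnencrypted on a domain controller it is worth seeing what else the listener permits, since the setting is only dangerous in combination with the authentication methods that send reusable secrets. The following is an added example, not code from the answer, from pywinrm or from Ansible: it parses the indented text that `winrm get winrm/config/service` prints and flags the combinations a reviewer would object to. SAMPLE_CONFIG is a constructed dump modelled on that output format, not the poster's gist.

```python
"""Audit a WinRM service configuration dump for insecure transport settings.

Added example; not part of the original answer, of pywinrm or of Ansible.
SAMPLE_CONFIG is a constructed dump in the layout printed by
`winrm get winrm/config/service`, not output from the poster's servers.
"""
from typing import Any, Dict, List

Node = Dict[str, Any]  # nested section -> either a string value or a sub-dict

SAMPLE_CONFIG = """\
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConnections = 300
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    AllowRemoteAccess = true
"""


def parse_winrm_config(text: str) -> Node:
    """Build a nested dict from winrm's indentation-based output.

    Lines of the form 'Key = value' are leaves; a line without '=' opens a
    section whose children are the following, more deeply indented lines.
    """
    root: Node = {}
    stack = [(-1, root)]  # (indent, container)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        container = stack[-1][1]
        if "=" in line:
            key, _, value = line.partition("=")
            container[key.strip()] = value.strip()
        else:
            child: Node = {}
            container[line] = child
            stack.append((indent, child))
    return root


def _is_true(section: Any, key: str) -> bool:
    return isinstance(section, dict) and str(section.get(key, "")).lower() == "true"


def audit(cfg: Node) -> List[str]:
    """Return the findings a reviewer would raise for the parsed config."""
    svc = cfg.get("Service", {})
    auth = svc.get("Auth", {}) if isinstance(svc, dict) else {}
    findings: List[str] = []
    if _is_true(svc, "AllowUnencrypted"):
        findings.append(
            "AllowUnencrypted=true: SOAP bodies cross port 5985 in clear text; "
            "prefer HTTPS (5986) or a client that supports message encryption"
        )
    if _is_true(auth, "Basic"):
        findings.append(
            "Auth/Basic=true: the password is only base64-encoded; together with "
            "AllowUnencrypted it is readable on the wire"
        )
    if _is_true(auth, "CredSSP"):
        findings.append("Auth/CredSSP=true: clear-text credentials are delegated to the server")
    return findings


def hardened(text: str) -> str:
    """Return the same dump with the two risky flags turned off, for comparison."""
    return text.replace("AllowUnencrypted = true", "AllowUnencrypted = false").replace(
        "Basic = true", "Basic = false"
    )


if __name__ == "__main__":
    for label, dump in (("as found", SAMPLE_CONFIG), ("hardened", hardened(SAMPLE_CONFIG))):
        print(f"[{label}]")
        for finding in audit(parse_winrm_config(dump)) or ["no findings"]:
            print("-", finding)
```

On the sample dump the audit reports both AllowUnencrypted and Basic; on the hardened copy it reports nothing, which is the state to aim for when Kerberos (the transport the question already has working) is available, since Kerberos over WinRM negotiates its own message encryption once the client supports it.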