Windows Events Forwarding: Error Code 2150859195 - windows

I have been struggling to find a solution for the following error when I configure forwarding of Windows events to a collector using source-initiated HTTP (I followed most blogs on configuration). The error is:
ErrorCode 2150859195
ErrorMessage The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config.
So far, I have tried adding the collector IP to the client's TrustedHosts and vice versa, and adding the NetworkService account to the Event Log Readers group.

I felt lucky to figure it out and wanted to share here to help others. At least, after I made the following changes on the source computers, it works well now.
- Use the FQDN, not the IP address, of the collector. I do not know why.
- Enable the WinRM listeners policy and set both the IPv4 and IPv6 values to *.

Related

Can not join to active directory

I installed a WS2016 server as a domain controller on VirtualBox using an internal network.
Everything about Active Directory was installed successfully, and I created the domain name 'stark.local'.
I also created another WS2016 machine on VirtualBox using the internal network, and I want to join the new virtual machine to my domain controller.
I can ping the DNS server (which is my domain controller); the firewall is off and no anti-virus is installed.
However, when I try to join the DC, it gives the error below:
What I realized is that I cannot run nslookup against my DNS server IP.
Even the domain controller cannot nslookup itself.
ipconfig of Domain Controller
ipconfig of node1;
I have no hair left now and need your help.
Finally solved!
The problem was using internal network. I changed to host-only network and it worked.
AC DC
Using public IP addresses will always get you in trouble, try changing them to something like:
192.168.1.10 & 192.168.1.20
(Please read entire answer before modifying)
Also, I would recommend checking this link on the official Microsoft forum. I know it's from Windows 7, but I think the main problem you have is with the DNS configuration, and it's very well explained there.
I'll summarise the link above here:
#Meinolf Weber's answer
If domain machines contain public DNS servers as 200.88.127.23 and 196.3.81.5 you will always have trouble.
Remove them on ALL domain machines, run ipconfig /flushdns and ipconfig /registerdns, reboot clients and domain member servers, and restart the netlogon service on DCs instead of rebooting.
For internet access please configure the FORWARDERS in the DNS server properties in the DNS management console with the public DNS servers.
Explanation:
You can't join a machine to the domain using a public IP because it is trying to locate your domain at the public IP, which has no information about the privately built domain.
Use only a local IP in the client's NIC.
Hope it helps, if not please give more detailed information of the issue as well as the DNS configuration (screenshot or whatever you can).
EDIT 1: Also check "time settings" on both machines. I know it might seem silly, but that sometimes gives DNS and DC issues. Check IPv6, which could be another probable cause of the issues you're having (go to the Network and Sharing Center, modify the properties of the NIC and unselect TCP/IPv6).
I'd check IPv6 first; that'll save you work if it's only that.
EDIT 2: Again, I would recommend changing the IPs (if possible) to another network, as 169.254.x.x is used (assigned) when there's no DHCP server, but since you say they can ping each other, it may not necessarily be the problem.
I can see there's no router in the network but, a Windows Server should be providing DHCP, otherwise things like DNS suffix don't work.
So check that:
- You have the DNS role installed and configured to support AD.
SOLVED on answer below
The explanation I would give for this is that "secure communication" is often a requirement, something that an internal network doesn't provide.

How to specify DNS server for a VPN Connection by PowerShell?

I am fairly new to PowerShell so please forgive me if the question looks stupid.
I am trying to configure VPN connections using PowerShell. With the help of PowerShell ISE, I have no trouble creating a VPN connection and configuring VPN specifics. However, I also need to set the DNS server of this VPN to 8.8.8.8, a task of which none of the cmdlets in the VpnClient module is capable. I figured that the settings in the "Networking" tab are not accessed by the VpnClient module, so I tried DnsClient, NetAdapter, NetTCPIP and NetConnection, but the commands in these modules all need a parameter called either Name or InterfaceAlias.
I successfully changed the DNS Configuration of my Ethernet Adapter by Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 8.8.8.8,8.8.4.4. However, if I give my vpn name to -InterfaceAlias option then PowerShell gives out an error, saying it cannot find such InterfaceAlias.
I listed all interfaces on my Windows but there's no sign of any vpn connection.
All help is appreciated, thank you!
Thanks to #DavidBrabant, it seems that it is a bug that Microsoft has not fixed since Windows Vista. I then followed one of the solutions on that kb article: using .Net Class.
The result is still the same as before: no sign of any vpn connection. My input and output look like this:
PS C:\WINDOWS\system32> [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces().NetworkInterfaceType
Wireless80211
Wireless80211
Ethernet
Loopback
Tunnel
Tunnel
I haven't tried the second resolution, which is "Use the GetAdaptersAddresses API", because I don't know how. Does anyone know? Or did I miss something from the .Net framework?
Since I can't comment and/or +1 anything because of switching to a new account, I want to mention that Antonio's solution above works just fine. You have to use common sense and understand things a little more. I will elaborate on Antonio's message. Understand that the people who are answering you are either coding professionals or IT professionals, so they answer on the assumption that you are one as well. Please do not -1 anything if you haven't tried it and don't understand it. ASK; they will help you and explain more if needed.
Set-DnsClientServerAddress -InterfaceAlias Corporate -ServerAddresses 8.8.8.8
Let's break this down. So what is this saying?
Set-DnsClientServerAddress
This is assuming you're already connected to the VPN, as Antonio actually mentioned:
you have to connect to the VPN first
OK, now we have the understanding that this command through PowerShell assumes we're connected to the VPN (only 1, by the way, not more than 1).
Let's tackle the rest of the command.
-InterfaceAlias Corporate
OK, so those who code understand that -InterfaceAlias is a parameter to the Set-DnsClientServerAddress command. Then following that parameter you have attributes. Now that attribute can either be TEXT (aka a String) or a boolean value (aka $True or $False). So in this case he is saying that his VPN is called Corporate. As with most Windows stuff, Windows will accept strings unquoted if it's all 1 word. However, if your VPN name has a space in it then it will not accept it. You would have to encapsulate your string with quotes. For example:
-InterfaceAlias "My VPN"
So in this case you need to know what your VPN Name is. If you don't know what your VPN Name is, please go to the following location.
Control Panel -> Network and Sharing Center -> Change Adapter Settings (left hand side) -> next find your VPN Adapter.
Alright so the last bit.
-ServerAddresses 8.8.8.8
So this ServerAddresses property is already strictly data typed to an IP address or multiple IP addresses. So in this case you would need to know the DNS server you wish to request DNS resolution from and replace it (8.8.8.8 = Google outside DNS server). So for example:
-ServerAddresses 10.1.10.254
Now this will set the DNS server to be 10.1.10.254 for this VPN Adapter.
Kill the VPN and then start it up again. Open a command prompt and type the following
ipconfig/all
This will show you all your current adapters. For your VPN adapter it should show your updated DNS. If you still can't resolve DNS names it possibly has to do with your Type of DNS server and you will have to probably specify a DNS suffix manually as well. See the following article for more details.
https://superuser.com/questions/966832/windows-10-dns-resolution-via-vpn-connection-not-working
Hope this helped. Sometimes us Senior IT guys just don't have the time to type it all out for business owners and/or new to the trade IT personnel.
-Grafix
To be able to change the interface DNS of a Windows VPN, you have to connect to the VPN first and then use the PS command
Set-DnsClientServerAddress -InterfaceAlias Corporate -ServerAddresses 8.8.8.8
I did it, and after that I was able to join the Windows 10 machine to the domain; also, first you have to create the VPN using the PS command
Add-VpnConnection -Name "My VPN" -ServerAddress "x.x.x.x" -TunnelType Pptp -EncryptionLevel Required -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential -PassThru

Connect to remote server using winrm without adding the server to TrustedHosts

I have been struggling to deal with winrm and TrustedHosts, but to no avail. After some experimenting I found out that this field of winrm/config/client is limited to 1023 symbols, which is nowhere near enough, especially if adding hosts by their IPv6 addresses.
I quote from Installation and Configuration for Windows Remote Management: A trusted hosts list should be set up when mutual authentication cannot be established.
Also in the same file the text says: Other computers in a workgroup or computers in a different domain should be added to this list. So I thought that this implies that as long as two computers are in the same domain, I should be able to access one of them from the other using winrm.
I added two computers to a test domain and then executed:
winrm get winrm/config/client -r:192.168.100.1 -u:user -p:pass
From one of them to the other, but this failed with the error:
WSManFault
Message = The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. You can get more information about that by running the following command: winrm help config.
Error number: -2144108316 0x803380E4
The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. You can get more information about that by running the following command: winrm help config.
After adding 192.168.100.1 to TrustedHosts the query above succeeds. So my question is: is it possible to use winrm between two hosts without modifying TrustedHosts? Setting Trusted hosts to * is not an option for me.
If both machines are on the same domain, you should be able to use the ComputerName instead of the IP address. When you use the IP address you're pretty much forced to use TrustedHosts from what I've seen.
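The rule in the two WinRM error messages quoted on this page (an IP address needs HTTPS or a TrustedHosts entry, a host name in the same domain does not) can be checked before connecting. This is an added example, not code from the thread; the function name `Test-WinRMTarget` and all sample values are assumptions made for illustration.

```powershell
# Added example, not from the thread. Function name and sample values are constructed.
function Test-WinRMTarget {
    param(
        [Parameter(Mandatory)][string]$Target,
        # Comma-separated value as stored in WSMan:\localhost\Client\TrustedHosts
        [string]$TrustedHosts = ''
    )
    # An IP literal (IPv6 may be bracketed) is what triggers the quoted errors
    $ip = $null
    $isIp = [System.Net.IPAddress]::TryParse($Target.Trim('[', ']'), [ref]$ip)

    $entries = @($TrustedHosts -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # Entries may contain '*'; translate each one to an anchored regex.
    # The special <local> entry is not modelled here.
    $hits = @($entries | Where-Object {
        $Target -match ('^' + [regex]::Escape($_).Replace('\*', '.*') + '$')
    })
    $broad = @($entries | Where-Object { $_ -eq '*' })

    $verdict = if (-not $isIp) {
        'Host name: a domain-joined client can use Kerberos; no TrustedHosts entry needed'
    } elseif ($hits.Count -gt 0) {
        'IP literal allowed by TrustedHosts: works, but the server might not be authenticated'
    } else {
        'IP literal without a TrustedHosts entry: refused unless the transport is HTTPS'
    }
    [pscustomobject]@{
        Target         = $Target
        IsIpLiteral    = $isIp
        MatchedEntries = $hits -join ','
        WildcardAll    = ($broad.Count -gt 0)   # a bare '*' trusts every destination
        Verdict        = $verdict
    }
}

# Constructed sample list; on a live client read the real value (elevated) with:
#   (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$sample = '192.168.100.*'
'192.168.100.1', 'server1.test.example', '10.0.0.5' |
    ForEach-Object { Test-WinRMTarget -Target $_ -TrustedHosts $sample } |
    Format-List
```

Running it against the live TrustedHosts value also shows whether a bare `*` or a wide IP pattern is already configured, which is the setting the asker wanted to avoid.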

Why are some networking APIs able to accept remote connections and others are not?

I'm at a loss to explain this behavior with web servers on windows. It's in a domain environment with windows firewall set as domain policy.
local web servers - both as localhost:port and FQDN:port
Tomcat OK
IIS OK
WEBrick OK
Jenkins server - OK
remote access - using FQDN:port
Tomcat No connection
IIS No connection
WEBrick OK
Jenkins server - OK
What I don't understand is what WEBrick and the Jenkins server use to accept remote connections.
Are there other diagnostics I should look into?
Is it possible to configure Tomcat to use a similar approach?
I can't tell much about WEBRick or Jenkins, but for Tomcat - if you look at Tomcat 7 source (StandardServer.java), you'll see:
// Set up a server socket to wait on
try {
awaitSocket = new ServerSocket(port, 1,
InetAddress.getByName(address));
} catch (IOException e) { ... }
This means, whatever you specify in address (in your server.xml), goes through this.
The contract of InetAddress.getByName says:
The host name can either be a machine name, such as "java.sun.com", or
a textual representation of its IP address. If a literal IP address is
supplied, only the validity of the address format is checked.
If I was you, I'd try setting just the IP address first and see if there are any problems.
The second step is to check whether you have got local name resolution policy incorrect (hosts file). I've been in situations where local hosts file was incorrect or contained non-resolvable entries, causing all sorts of weird issues like the one you're having.
It sounds like your remote requests are never reaching the services that don't reply. And that implies it's a firewall or NAT issue. I don't think it's a configuration issue, since you said that from the local machine localhost:port and FQDN:port both work.
To diagnose, a good first step is to see if there is any communication remotely with telnet.
telnet hostname port
If you don't see a Connected to FQDN. response, then a firewall, hardware or the local software firewall, blocked the connection. You will need to make sure the firewalls in the way have all the proper ports open, forwarding, etc.
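The two answers above point at two different causes: the address the server socket is bound to, and filtering between client and server. The following added example (not from the thread) combines both observations into one verdict per port; the function name `Get-ListenerVerdict`, the port numbers and the listener rows are constructed for illustration.

```powershell
# Added example, not from the thread. Function name, ports and rows are constructed.
function Get-ListenerVerdict {
    param(
        [Parameter(Mandatory)][object[]]$Listeners,    # rows with LocalAddress and LocalPort
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][bool]$RemoteReachable   # TCP connect result measured on a client
    )
    $rows = @($Listeners | Where-Object { $_.LocalPort -eq $Port })
    if ($rows.Count -eq 0) { return "port ${Port}: nothing is listening" }

    # Separate loopback binds (127.0.0.1, ::1) from everything else
    $addresses = @($rows | ForEach-Object { [System.Net.IPAddress]::Parse([string]$_.LocalAddress) })
    $nonLoopback = @($addresses | Where-Object { -not [System.Net.IPAddress]::IsLoopback($_) })

    if ($nonLoopback.Count -eq 0) {
        "port ${Port}: bound to loopback only, remote clients cannot connect; change the bind address"
    } elseif (-not $RemoteReachable) {
        "port ${Port}: bound to $($nonLoopback -join ', ') but unreachable remotely; check firewalls on the path"
    } else {
        "port ${Port}: reachable from the remote client"
    }
}

# Constructed rows in the shape returned on the server by:
#   Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort
$listeners = @(
    [pscustomobject]@{ LocalAddress = '127.0.0.1'; LocalPort = 8080 }
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 80 }
    [pscustomobject]@{ LocalAddress = '::';        LocalPort = 3000 }
)
# On the client, the third argument comes from:
#   (Test-NetConnection -ComputerName <server FQDN> -Port <port>).TcpTestSucceeded
Get-ListenerVerdict -Listeners $listeners -Port 8080 -RemoteReachable $false
Get-ListenerVerdict -Listeners $listeners -Port 80   -RemoteReachable $false
Get-ListenerVerdict -Listeners $listeners -Port 3000 -RemoteReachable $true
```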

Resolve host name to an ip address

I developed a client/server simulation application. I deployed client and server on two different Windows XP machines. Somehow, the client is not able to send requests to the server.
I tried the options below:
- Pinged the server machine successfully from the client using the IP address.
- Pinged the client machine successfully from the server using the IP address.
- Checked the netstat command line tool on both machines. The server is in LISTENING mode and the client is in SYN_SENT mode. But the foreign address it is using to send is the host name, not the IP address.
- Pinged the server machine unsuccessfully using the host name from the client.
- Pinged the client machine successfully using the host name from the server.
I feel the problem is when the client is trying to connect to the server using the host name.
Could you please let me know how to force an application to use an ip address instead of a host name? Is there any other way to map the host name to an ip address?
Go to your client machine and type in:
nslookup server.company.com
substituting the real host name of your server for server.company.com, of course.
That should tell you which DNS server your client is using (if any) and what it thinks the problem is with the name.
To force an application to use an IP address, generally you just configure it to use the IP address instead of a host name. If the host name is hard-coded, or the application insists on using a host name in preference to an IP address (as one of your other comments seems to indicate), then you're probably out of luck there.
However, you can change the way that most machines resolve host names, such as with /etc/resolv.conf and /etc/hosts on UNIXy systems and a local hosts file on Windows-y systems.
Try tracert to resolve the hostname. I.e., if you have the IP address 8.8.8.8, you would use: tracert 8.8.8.8
You could use a C function getaddrinfo() to get the numerical address - both ipv4 and ipv6.
See the example code here
This is hard to answer without more detail about the network architecture. Some things to investigate are:
Is it possible that client and/or server is behind a NAT device, a firewall, or similar?
Is any of the IP addresses involved a "local" address, like 192.168.x.y or 10.x.y.z?
What are the host names, are they "real" DNS:able names or something more local and/or Windows-specific?
How does the client look up the server? There must be a place in code or config data that holds the host name, simply try using the IP there instead if you want to avoid the lookup.
Windows XP has the Windows Firewall which can interfere with network traffic if not configured properly. You can turn off the Windows Firewall, if you have administrator privileges, by accessing the Windows Firewall applet through the Control Panel. If your application works with the Windows Firewall turned off then the problem is probably due to the settings of the firewall.
We have an application which runs on multiple PCs communicating using UDP/IP and we have been doing experiments so that the application can run on a PC with a user who does not have administrator privileges. In order for our application to communicate between multiple PCs we have had to use an administrator account to modify the Windows Firewall settings.
In our application, one PC is designated as the server and the others are clients in a server/client group and there may be several groups on the same subnet.
The first change was to use the functionality of the Exceptions tab of the Windows Firewall applet to create an exception for the port that we use for communication.
We are using host name lookup so that the clients can locate their assigned server by using the computer name which is composed of a mnemonic prefix with a dash followed by an assigned terminal number (for instance SERVER100-1). This allows several servers with their assigned clients to coexist on the same subnet. The client uses its prefix to generate the computer name for the assigned server and to then use host name lookup to discover the IP address of the assigned server.
What we found is that the host name lookup using the computer name (assigned through the Computer Name tab of the System Properties dialog) would not work unless the server PC's Windows Firewall had the File and Printer Sharing Service port enabled.
So we had to make two changes: (1) setup an exception for the port we used for communication and (2) enable File and Printer Service in the Exceptions tab to allow for the host name lookup.
** EDIT **
You may also find this Microsoft Knowledge Base article on Windows XP networking helpful.
And see this article on NETBIOS name resolution in Windows.
