connecting exchange server EMS from powershell remoting via HTTPS - exchange-server

I'm trying to resolve an issue we are facing.
We are able to communicate with the Exchange Server EMS script from a remote machine through WinRM HTTP authentication:
$newSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://test.domain.com/PowerShell/ -Authentication Kerberos -Credential $Credentials
Import-PSSession $newSession
But we have to impose WinRM HTTPS, so I have set up everything required for that, including certificate creation, WinRM settings, etc.
And we are able to connect to remote machine where exchange server is available:
Enter-PSSession -ComputerName test.domain.com -Credential $credentials -UseSSL
and this works.
Now when I'm using -UseSSL in New-PSSession/Enter-PSSession for EMS, it's not working:
$newSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://test.domain.com/PowerShell/ -Credential $Credentials -UseSSL
Error: New-PSSession : Parameter set cannot be resolved using the
specified named parameters.
Please note: I need WinRM (PowerShell) connectivity through HTTPS: -UseSSL authentication. Not with Kerberos/Default/CredSSP.

You need to look at the parameter sets in the documentation: https://technet.microsoft.com/en-us/library/hh849717.aspx. For example, when you are using a URI:
Parameter Set: Uri
New-PSSession [-ConnectionUri] [-AllowRedirection] [-Authentication {Default | Basic | Negotiate | NegotiateWithImplicitCredential | Credssp | Digest | Kerberos} ] [-CertificateThumbprint ] [-ConfigurationName ] [-Credential ] [-EnableNetworkAccess] [-Name ] [-SessionOption ] [-ThrottleLimit ] [ ]
What you should be doing is specifying the https prefix instead of using the -UseSSL switch, which will ensure that the connection is over HTTPS ("https://test.domain.com/PowerShell/"). The -UseSSL switch is meant to be used when you are using the -ComputerName parameter.
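The parameter-set conflict described in this answer can be inspected directly. The following is an added example, not code from the original posts: it lists which New-PSSession parameter sets accept -UseSSL and which accept -ConnectionUri, then opens the Exchange session through a hypothetical helper, New-ExchangeHttpsSession, that rejects any URI that is not https. It assumes the HTTPS endpoint on test.domain.com presents a certificate the client trusts.

```powershell
# Added example, not from the original question or answer.

# 1. Show which parameter sets of New-PSSession contain -UseSSL and which
#    contain -ConnectionUri. No single set contains both, which is why
#    combining them fails with "Parameter set cannot be resolved".
(Get-Command New-PSSession).ParameterSets |
    Where-Object { $_.Parameters.Name -contains 'UseSSL' -or
                   $_.Parameters.Name -contains 'ConnectionUri' } |
    Select-Object Name,
        @{ n = 'UseSSL';        e = { $_.Parameters.Name -contains 'UseSSL' } },
        @{ n = 'ConnectionUri'; e = { $_.Parameters.Name -contains 'ConnectionUri' } }

# 2. Hypothetical helper: the transport is chosen by the URI scheme, so
#    refuse anything that is not https before credentials are sent.
function New-ExchangeHttpsSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri]          $ConnectionUri,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    if ($ConnectionUri.Scheme -ne 'https') {
        throw "Refusing '$ConnectionUri': use an https:// URI instead of -UseSSL."
    }
    New-PSSession -ConfigurationName Microsoft.Exchange `
                  -ConnectionUri $ConnectionUri -Credential $Credential
}

$Credentials = Get-Credential
$newSession  = New-ExchangeHttpsSession -ConnectionUri 'https://test.domain.com/PowerShell/' -Credential $Credentials
Import-PSSession $newSession
```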

Related

credssp: Bad HTTP response returned from server. Code 502

Seeing error credssp: Bad HTTP response returned from server. Code 502
Ansible is installed on Linux machine & I am trying to establish connection to Windows client machine
Have set below variables as per : https://docs.ansible.com/ansible/latest/os_guide/windows_winrm.html
ansible_user: <uname>
ansible_password: <pass>
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: credssp
Running the playbook is resulting in the below error. Could you give any pointers to check this further to get a resolution on it?
fatal: [<hostname>]: UNREACHABLE! => {"changed": false, "msg": "credssp: Bad HTTP response returned from server. Code 502", "unreachable": true}
Adding details on client setup, which looks ok, following along : https://docs.ansible.com/ansible/latest/os_guide/windows_setup.html#winrm-listener
PS C:\Windows\system32> (Get-Service "WinRM").Status
Running
Below indicates : HTTP: Enabled
PS C:\Temp\Ansible> .\ConfigureRemotingForAnsible.ps1 -Verbose
VERBOSE: Verifying WinRM service.
VERBOSE: PS Remoting is already enabled.
VERBOSE: SSL listener is already active.
VERBOSE: Basic auth is already enabled.
VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
VERBOSE: HTTP: Enabled | HTTPS: Disabled
VERBOSE: PS Remoting has been successfully configured for Ansible.
Exec policy set to Unrestricted as well.
PS C:\Temp\Ansible> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine Unrestricted
Powershell version looks ok : 5.x :
PSVersion 5.1.19041.1682
And quick check on http link per below is working on windows client as well. Issue I am seeing only from Linux machine from which I am trying to connect/run playbook.
winrs -r:http://<hostname>:5985/wsman -u:<user> -p:<pass> ipconfig
I assume upon the chosen authentication method
ansible_winrm_transport: credssp
and the missing info about CredSSP on the Windows side in the question and the 502 error, that this might be caused by CredSSP not being enabled.
As stated in the Ansible WinRM Module Documentation, if the selected authentication method is CredSSP, it needs to be enabled:
CredSSP authentication is not enabled by default on a Windows host,
but can be enabled by running the following in PowerShell:
Enable-WSManCredSSP -Role Server -Force
According to the WSMAN Documentation the state of the CredSSP can be checked with:
Get-WSManCredSSP
Possible results:
If the computer is configured for CredSSP, this is the output:
The machine is configured to allow delegating fresh credentials to the
following target(s): wsman/server02.accounting.fabrikam.com
If the computer is not configured for CredSSP, this is the output:
The machine is not configured to allow delegating fresh credentials.
First make sure that the user you are trying to connect with has admin rights on the remote computer.
If the user does, maybe it's a problem with the proxy.
I once had a similar problem and simply running this command on the remote server fixed it:
netsh winhttp reset proxy
You can read more about netsh here:
WINHTTP - netsh
Hope that helps, good luck!

Can't use WinRM client from specific server

I'm trying to use invoke-command from a Windows 2019 server (server A) to another Windows server (server B). I know WinRM is configured on server B because I am able to successfully use invoke-command from my workstation to server B. However when I try the same exact command with the same credentials from server A to server B it fails with the below error message. It fails so quickly that it seems like it's not even trying to reach out over the network.
Things I have tried so far:
Set trusted hosts on both servers using winrm s winrm/config/client @{TrustedHosts="*"}
Did a packet trace on our router to ensure packets on 5985 were allowed
Disabled the firewall on server A
Ran "winrm quickconfig" on both servers
The command I'm using to test is invoke-command -computername "server B" {1}.
I'm able to successfully ping server B from server A.
Any thoughts on what could possibly be causing this?

Unable to start CIMSession

I've been breaking my head over this error. When I try to start a new CIMSession, it says it cannot find the computer. I've verified that both computers are on the same network and that they both can talk to each other. I can ping both PCs from each other and I can access the shared folders as well. I can ping using both IP and NetBIOS name. I have added both PCs to the trusted hosts on Group Policy and have allowed it on the firewall. What am I missing or what am I doing wrong?
PS C:\Windows\system32> $session=New-CimSession -ComputerName DESKTOP-FJMTUOQ
New-CimSession : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a
firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to
remote computers within the same local subnet.
At line:1 char:10
+ $session=New-CimSession -ComputerName DESKTOP-FJMTUOQ
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ConnectionError: (:) [New-CimSession], CimException
+ FullyQualifiedErrorId : HRESULT 0x80338126,Microsoft.Management.Infrastructure.CimCmdlets.NewCimSessionCommand
+ PSComputerName : DESKTOP-FJMTUOQ
EDIT
When running Test-NetConnection -ComputerName DESKTOP-FJMTUOQ -CommonTCPPort WINRM, I get the following results
PS C:\Windows\system32> Test-NetConnection -ComputerName DESKTOP-FJMTUOQ -CommonTCPPort WINRM
WARNING: TCP connect to DESKTOP-FJMTUOQ:5985 failed
ComputerName : DESKTOP-FJMTUOQ
RemoteAddress : 10.0.2.15
RemotePort : 5985
InterfaceAlias : Ethernet
SourceAddress : 10.0.2.254
PingSucceeded : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False
EDIT - Same test but backwards (from DESKTOP-FJMTUOQ to WIN-R9HLL0ILD3)
PS C:\Users\freyes.FRANK> Test-NetConnection -ComputerName WIN-R9HLL0ILD37 -CommonTCPPort WINRM
ComputerName : WIN-R9HLL0ILD37
RemoteAddress : 10.0.2.254
RemotePort : 5985
InterfaceAlias : Ethernet
SourceAddress : 10.0.2.15
TcpTestSucceeded : True

Ansible WinRM Server did not response with a CredSSP token after step Step 5

I am using Ansible (2.9.6) to connect to a Windows server using WinRM CredSSP. For the win_ping command it's giving "server did not response with CredSSP token". CredSSP is enabled on the client machine.
ansible windows -i hosts -m win_ping
| UNREACHABLE! => {
"changed": false,
"msg": "credssp: Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual 'Negotiate, Kerberos, CredSSP'",
"unreachable": true
}
Any help to resolve this error message?
Thanks
I was getting the below error:
msg: 'credssp: Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual '''''
After updating pywinrm to 0.4.2 the issue was resolved.
I'm using PSRP to a Windows 2012R2 server and I have the same issue on a win_copy task, but win_ping works. That didn't make any sense, then I disabled the Antivirus (McAfee) and the issue is gone.
On the Windows server, set CredSSP to true. Open PowerShell as administrator and paste the below commands:
winrm set winrm/config/service/auth '@{CredSSP="true"}'
winrm set winrm/config/client/auth '@{CredSSP="true"}'
Enable-WSManCredSSP -Role Server
Then you will be able to get:
SUCCESS => {
"changed": false,
"ping": "pong"
for the ansible windows -i hosts -m win_ping command.
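Both Ansible threads above (the 502 response and the missing CredSSP token) hinge on what the Windows host's WinRM service actually has enabled. The following is an added example, not code from any of the posts: a hypothetical function, Get-WinRMAuditReport, that reads the local WSMan configuration and flags the settings these threads mention (CredSSP, Basic, HTTP versus HTTPS listeners, TrustedHosts). It assumes an elevated PowerShell session on the Windows host.

```powershell
# Added example, not from the threads above. Run elevated on the Windows host.
function Get-WinRMAuditReport {
    $report = New-Object System.Collections.Generic.List[object]
    function Add-Row($Area, $Name, $Value, $Note) {
        $report.Add([pscustomobject]@{ Area = $Area; Name = $Name; Value = $Value; Note = $Note })
    }

    # Service-side authentication methods: Basic, Kerberos, Negotiate, Certificate, CredSSP
    foreach ($item in Get-ChildItem WSMan:\localhost\Service\Auth) {
        $note = ''
        if ($item.Name -eq 'CredSSP' -and $item.Value -ne 'true') {
            $note = 'clients using the credssp transport will fail to authenticate'
        }
        if ($item.Name -eq 'Basic' -and $item.Value -eq 'true') {
            $note = 'password is only protected when the listener is HTTPS'
        }
        Add-Row 'Service/Auth' $item.Name $item.Value $note
    }

    # Unencrypted payloads and the client-side TrustedHosts list
    $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    Add-Row 'Service' 'AllowUnencrypted' $unenc $(if ($unenc -eq 'true') { 'unencrypted messages accepted' } else { '' })
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    Add-Row 'Client' 'TrustedHosts' $trusted $(if ($trusted -eq '*') { 'credentials may be sent to any host without mutual authentication' } else { '' })

    # Listeners: HTTP is 5985 by default, HTTPS is 5986
    $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)
    foreach ($l in $listeners) {
        $note = if ($l.Transport -eq 'HTTP') { 'traffic is not wrapped in TLS' }
                else { "certificate $($l.CertificateThumbprint)" }
        Add-Row 'Listener' "$($l.Transport):$($l.Port)" $l.Enabled $note
    }
    if (-not ($listeners | Where-Object { $_.Transport -eq 'HTTPS' })) {
        Add-Row 'Listener' 'HTTPS' 'missing' 'no HTTPS listener; -UseSSL and https:// connections will fail'
    }

    $report
}

Get-WinRMAuditReport | Format-Table -AutoSize
```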

Can I access IIS on a Windows Server 2016 remotely?

I have to start and stop the sites after they are automatically updated. For now this requires me to Remote Desktop Connection to the server and start and stop them manually. I would like to be able to connect to the server through the command prompt and start and stop specific sites. I believe AppCmd can start and stop sites easily, but how should I connect to the server?
According to your description, I suggest you could use powershell WinRM to achieve your requirement.
You could use WinRM to remotely access the server, then you could run the PowerShell command to manage the IIS application.
You should firstly enable the WinRM to allow remote management in the server side by using below powershell command:
#Get the winrm service status
Get-Service WinRM
#Allow remote access
Enable-PSRemoting -Force
#Quick config the winrm
winrm quickconfig
#Add all clients to trustedhosts
Set-Item wsman:\localhost\client\trustedhosts *
Restart-Service WinRM
In the client server, you could run below command:
#Connect to remote server
Enter-PSSession -ComputerName {yourremoteserver ip address or computer name} -Credential {account name}
If you succeed, you will see the PowerShell window as below:
Then you could use below command to stop or start the application pool:
import-module WebAdministration
Stop-WebAppPool -Name 'DefaultAppPool'
or
import-module WebAdministration
Start-WebAppPool -Name 'DefaultAppPool'
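The question asks for stopping and starting specific sites without an interactive session. The following is an added example, not code from the original answer: a hypothetical function, Restart-RemoteWebsite, that runs the WebAdministration cmdlets through Invoke-Command over an HTTPS WinRM listener. It assumes the server has an HTTPS listener whose certificate matches the name passed in -ComputerName, so no TrustedHosts entry is needed; the server and site names are placeholders.

```powershell
# Added example, not from the original answer. Server and site names are placeholders.
function Restart-RemoteWebsite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [string[]]     $SiteName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # -UseSSL belongs to the -ComputerName parameter set and targets the HTTPS listener.
    Invoke-Command -ComputerName $ComputerName -UseSSL -Credential $Credential `
                   -ArgumentList (,$SiteName) -ScriptBlock {
        param([string[]] $Sites)
        Import-Module WebAdministration
        foreach ($site in $Sites) {
            # Skip unknown names instead of failing half-way through the list
            if (-not (Get-Website | Where-Object Name -eq $site)) {
                Write-Warning "Site '$site' not found on $env:COMPUTERNAME"
                continue
            }
            Stop-Website  -Name $site
            Start-Website -Name $site
            # Report the resulting state so the caller can verify the restart
            [pscustomobject]@{ Site = $site; State = (Get-WebsiteState -Name $site).Value }
        }
    }
}

$cred = Get-Credential
Restart-RemoteWebsite -ComputerName 'webserver.example.com' -SiteName 'Default Web Site' -Credential $cred
```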
