Connect to remote server using winrm without adding the server to TrustedHosts - windows

I have been struggling to deal with winrm and TrustedHosts, but to no avail. After some experimenting I found out that this field of winrm/config/client is limited to 1023 symbols, which is nowhere near enough, especially if adding hosts by their IPv6 addresses.
I quote from Installation and Configuration for Windows Remote Management: "A trusted hosts list should be set up when mutual authentication cannot be established."
Also in the same file the text says: "Other computers in a workgroup or computers in a different domain should be added to this list." So I thought that this implies that as long as two computers are in the same domain, I should be able to access one of them from the other using winrm.
I tried to add two computers to a test domain and then executed:
winrm get winrm/config/client -r:192.168.100.1 -u:user -p:pass
From one of them to the other, but this failed with the error:
WSManFault
Message = The WinRM client cannot process the request. If the authentication
scheme is different from Kerberos, or if the client computer is not joined to a
domain, then HTTPS transport must be used or the destination machine must be ad
ded to the TrustedHosts configuration setting. Use winrm.cmd to configure Truste
dHosts. You can get more information about that by running the following command
: winrm help config.
Error number: -2144108316 0x803380E4
The WinRM client cannot process the request. If the authentication scheme is dif
ferent from Kerberos, or if the client computer is not joined to a domain, then
HTTPS transport must be used or the destination machine must be added to the Tru
stedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. You ca
n get more information about that by running the following command: winrm help c
onfig.
After adding 192.168.100.1 to TrustedHosts the query above succeeds. So my question is: is it possible to use winrm between two hosts without modifying TrustedHosts? Setting Trusted hosts to * is not an option for me.

If both machines are on the same domain, you should be able to use the ComputerName instead of the IP address. When you use the IP address you're pretty much forced to use TrustedHosts from what I've seen.
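The answer above in script form, as an added example that is not part of the original thread: it maps an IP literal back to its DNS host name and then connects with Kerberos, so TrustedHosts is never modified. Resolve-WinRMTarget and Connect-WinRMKerberos are hypothetical helper names; the script assumes both machines are joined to the same domain and that a PTR record exists for the target.

```powershell
# Added example; helper names are hypothetical, not part of WinRM.
# Assumes: same-domain client and target, working reverse DNS, default WinRM HTTP listener.

function Resolve-WinRMTarget {
    param([Parameter(Mandatory)][string]$Target)

    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
        # By default Kerberos tickets are requested for a service principal name
        # built from the host name, so an IP literal (IPv4 or IPv6) has to be
        # mapped back to the name registered in DNS first.
        try {
            return [System.Net.Dns]::GetHostEntry($ip).HostName
        } catch {
            throw "No reverse DNS entry for $Target. Use the computer name or an HTTPS listener instead."
        }
    }
    return $Target   # already a computer name or FQDN
}

function Connect-WinRMKerberos {
    param(
        [Parameter(Mandatory)][string]$Target,
        [System.Management.Automation.PSCredential]$Credential
    )

    $name   = Resolve-WinRMTarget -Target $Target
    $common = @{ ComputerName = $name; Authentication = 'Kerberos' }
    if ($Credential) { $common.Credential = $Credential }

    # With -Authentication, Test-WSMan sends an authenticated request, so a
    # Kerberos failure surfaces here instead of falling back to another scheme.
    Test-WSMan @common -ErrorAction Stop | Out-Null
    New-PSSession @common -ErrorAction Stop
}

# Usage with the address from the question (constructed call, needs the domain to run):
$session = Connect-WinRMKerberos -Target '192.168.100.1'
Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
Remove-PSSession $session
```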

Related

Can't connect to my Oracle Virtual Cloud Instance

the Terminal just says:
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection timed out
Here are the firewall rules.
I can't ssh into the VM, so I can't change the firewall rules on the VM.
Please Help.
First, double-check your IP address: it must match your Oracle Virtual Cloud Public IP Address, assuming it is a reserved one (meaning it is a fixed one).
Second, check your local firewall: you cannot change the remote ones, but the local rules might still block your SSH traffic.
As mentioned here:
Just by opening the port through firewall and security lists will not allow new incoming connections. Ex: unless there is a service listening on port 443 (Tomcat etc), you will be unable to connect. Same with SSH daemon for port 22.
So make sure the SSH daemon is up and running.
Check also Default Security List
Unlike other security lists, the default security list comes with an initial set of stateful rules, which should in most cases be changed to only allow inbound traffic from authorized subnets relevant to the region that homes that VCN or subnet.
A list of authorized subnet ranges relevant to each region can be found here.
In particular:
Stateful ingress: Allow TCP traffic on destination port 22 (SSH) from authorized source IP addresses and any source port.
This rule makes it easy for you to create a new cloud network and public subnet, launch a Linux instance, and then immediately use SSH to connect to that instance without needing to write any security list rules yourself.
You can mount your machine drive to some other machine, edit sshd config and mount it back.
That helped me :D
See this ref: https://blogs.oracle.com/cloud-infrastructure/post/recovering-opc-user-ssh-key-on-oracle-cloud-infrastructure

Windows Events Forwarding: Error Code 2150859195

I have been struggling to find a solution for the following errors when I configure Forwarding Windows Events to a collector using source initiated http (I followed most blogs on configuration). The error is:
ErrorCode 2150859195
ErrorMessage The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config.
So far, I have tried to add the collector IP to the client's TrustedHosts and vice versa; add NetworkService account to the Event Log Readers group.
I felt lucky to figure it out and wanted to share here to help others. At least, after I made the following changes on the source computers, it works well now.
Use the FQDN, not the IP address, of the collector. I do not know why.
Enable the WinRM listeners policy and set both the IPv4 and IPv6 values to *.

SSH connect from local windows VM to Azure windows VM

I want to have an SSH connection from my local Windows machine or a VM on my computer to an Azure Windows Server VM. I tried Cygwin and PuTTY but both of them gave a connection timeout. I used the public IP address and opened port 22 on the Azure VM.
I would appreciate it if someone could give me any hints or links.
There are multiple firewalls that can be the reason here. First you must have a rule on the server to allow incoming SSH requests (port 22). Then you need to configure the NSG (Network Security Group) to allow incoming traffic on port 22. If it still doesn't work, you need to verify that you are allowed to do an outgoing SSH request from your computer.
Thanks for the suggestions. I found the problem: the host machine's IP address (from ipconfig), where the local VM is inside a domain, was different from the IP address that communicates outside the domain to the internet. I had set the NSG of the Azure VM to only accept this IP, and because of that it gave the time-out error. After changing the IP it works.

Bind Mac (10.10.2) to Active Directory through SSH tunnel

I am attempting to Bind my Mac to a University AD server through an SSH tunnel. I have successfully created the tunnel and can access the directory by ldapsearch using the address localhost:389
The problem is that I wish to bind the computer through either the Directory Utility or dsconfigad but I get an error:
dsconfigad: Authentication server could not be contacted. (5200)
Could it be because I need to port forward more ports than just 389? Or would it be a limitation put in place by the Directory Admins?
Active Directory is far more than LDAP - at the very least you'd need Kerberos, but it also tightly integrates with DNS (both SRV and A records), which'd require significant trickiness to fake over an SSL connection.
Realistically, I think you're going to need (at least) a full VPN connection to do this.

Resolve host name to an ip address

I developed a client/server simulation application. I deployed client and server on two different Windows XP machines. Somehow, the client is not able to send requests to the server.
I tried below options:
Pinged server machine successfully from client using ip-address.
Pinged client machine successfully from server using ip-address.
Checked the netstat command line tool from both machines. Server is in LISTENING mode and client is in SYN_SENT mode. But the foreign address it is using to send is the host name, not the IP address.
Pinged server machine unsuccessfully using host name from client.
Pinged client machine successfully using host name from server.
I feel the problem is when the client is trying to connect to the server using the host name.
Could you please let me know how to force an application to use an ip address instead of a host name? Is there any other way to map the host name to an ip address?
Go to your client machine and type in:
nslookup server.company.com
substituting the real host name of your server for server.company.com, of course.
That should tell you which DNS server your client is using (if any) and what it thinks the problem is with the name.
To force an application to use an IP address, generally you just configure it to use the IP address instead of a host name. If the host name is hard-coded, or the application insists on using a host name in preference to an IP address (as one of your other comments seems to indicate), then you're probably out of luck there.
However, you can change the way that most machines resolve the host names, such as with /etc/resolv.conf and /etc/hosts on UNIXy systems and a local hosts file on Windows-y systems.
Try tracert to resolve the hostname. I.e., if you have IP address 8.8.8.8, you would use: tracert 8.8.8.8
You could use a C function getaddrinfo() to get the numerical address - both ipv4 and ipv6.
See the example code here
This is hard to answer without more detail about the network architecture. Some things to investigate are:
Is it possible that client and/or server is behind a NAT device, a firewall, or similar?
Is any of the IP addresses involved a "local" address, like 192.168.x.y or 10.x.y.z?
What are the host names, are they "real" DNS:able names or something more local and/or Windows-specific?
How does the client look up the server? There must be a place in code or config data that holds the host name, simply try using the IP there instead if you want to avoid the lookup.
Windows XP has the Windows Firewall which can interfere with network traffic if not configured properly. You can turn off the Windows Firewall, if you have administrator privileges, by accessing the Windows Firewall applet through the Control Panel. If your application works with the Windows Firewall turned off then the problem is probably due to the settings of the firewall.
We have an application which runs on multiple PCs communicating using UDP/IP and we have been doing experiments so that the application can run on a PC with a user who does not have administrator privileges. In order for our application to communicate between multiple PCs we have had to use an administrator account to modify the Windows Firewall settings.
In our application, one PC is designated as the server and the others are clients in a server/client group and there may be several groups on the same subnet.
The first change was to use the functionality of the Exceptions tab of the Windows Firewall applet to create an exception for the port that we use for communication.
We are using host name lookup so that the clients can locate their assigned server by using the computer name which is composed of a mnemonic prefix with a dash followed by an assigned terminal number (for instance SERVER100-1). This allows several servers with their assigned clients to coexist on the same subnet. The client uses its prefix to generate the computer name for the assigned server and to then use host name lookup to discover the IP address of the assigned server.
What we found is that the host name lookup using the computer name (assigned through the Computer Name tab of the System Properties dialog) would not work unless the server PC's Windows Firewall had the File and Printer Sharing Service port enabled.
So we had to make two changes: (1) set up an exception for the port we used for communication and (2) enable File and Printer Service in the Exceptions tab to allow for the host name lookup.
** EDIT **
You may also find this Microsoft Knowledge Base article on Windows XP networking helpful.
And see this article on NETBIOS name resolution in Windows.
