Access Denied WinRM Error Code 5
OK, after a lot of reading and research I seem to have found something that worked. Specifically, the issue was with the Channel Access Token that was being used. The value of this token should be:
O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
This value should be set for Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service -> Security. In our case I used that same value in the registry setting shown above.
The key with that is adding (A;;0x1;;;S-1-5-20) to the end as opposed to (A;;0x1;;;NS).
Here are some helpful links I found/used to get this working:
- https://support.logbinder.com/SuperchargerKB/50119/3-Troubleshooting-a-Problem-Forwarder
- https://forum.logbinder.com/Topic136-2.aspx
- https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm
- https://github.com/ukncsc/lme
Hopefully this will help some other people as it was a pain for us.
Jack
I work in IT security and I am currently the security director of a company.
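To check a source machine against the value given in the answer above, here is an added example (not part of the original post or of any of the linked projects). It reads the Security channel's effective access SDDL, parses the ACEs and reports whether Network Service (S-1-5-20, alias NS) holds the read right (0x1) the forwarder needs; it assumes an elevated PowerShell session on the forwarding machine.

```powershell
# Added example: diagnose WEF "Error code 5" by checking the Security log's
# channel access SDDL for a Network Service read ACE.

# The channel access value the answer above reports as working.
$ExpectedSddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'

function Test-NetworkServiceRead {
    param([Parameter(Mandatory)][string]$Sddl)
    # Each ACE has the form (Type;Flags;Rights;ObjectGuid;InheritGuid;Sid).
    foreach ($ace in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $ace.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { continue }
        $type, $rights, $sid = $f[0], $f[2], $f[5]
        if ($type -ne 'A') { continue }                      # allow ACEs only
        if ($sid -notin @('S-1-5-20', 'NS')) { continue }    # Network Service
        # Rights in the event log SDDL are written as a hex access mask.
        if ($rights -match '^0x[0-9a-fA-F]+$') {
            $mask = [Convert]::ToInt32($rights.Substring(2), 16)
            if ($mask -band 0x1) { return $true }            # 0x1 = read
        }
    }
    return $false
}

# Effective channel access as the Event Log service currently applies it.
$line    = wevtutil gl Security | Where-Object { $_ -like '*channelAccess:*' }
$current = ($line -split ':', 2)[1].Trim()
Write-Host "Current channelAccess : $current"
Write-Host "Expected channelAccess: $ExpectedSddl"

# Value pushed by the GPO setting (Event Log Service -> Security -> Configure log access).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
$policy = Get-ItemProperty -Path $policyKey -Name ChannelAccess -ErrorAction SilentlyContinue
if ($policy) { Write-Host "Policy ChannelAccess  : $($policy.ChannelAccess)" }
else         { Write-Host 'Policy ChannelAccess  : (not set by GPO)' }

if (Test-NetworkServiceRead -Sddl $current) {
    Write-Host 'Network Service has read access to the Security log.'
} else {
    Write-Warning 'No read ACE for Network Service: the forwarder will report Access Denied (error 5).'
    # Outside of GPO the same value can be applied locally with:
    #   wevtutil sl Security /ca:$ExpectedSddl
}
```

Run it on the source machine that logs the Eventlog-ForwardingPlugin error; if the policy value and the effective value differ, the GPO has not yet been applied there.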
Updated on September 18, 2022

Comments

- Jack over 1 year:
We are trying to set up Windows Event Forwarding (WEF) in our environment and we are running into a few issues. We have a GPO set up (shown below) to enable the forwarding of events to a local collection server and we have the connection server configured. The collector machine is showing as subscribed correctly but the other machine that we are testing on does not connect to the collection server.
On the source machine that cannot forward logs we see the following error under Application and Services Logs -> Microsoft -> Windows -> Eventlog ForwardingPlugin
The forwarder is having a problem communicating with subscription manager at address http://Collector.corp.company.com:5985/wsman/SubscriptionManager/WEC. Error code is 5 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="SourceMachine.corp.company.com"><f:Message>Access is denied. </f:Message></f:WSManFault>.
On the collector machine we see the following error under Application and Services Logs -> Microsoft -> Windows -> Windows Remote Management -> Operational
The authorization of the user failed with error 5
More detail on the collector server error:
Source: Windows Remote Management
Event ID: 192
Level: Information
Task Category: User Authorization
User: Network Service
Keywords: Security,Server
OpCode: Informational
Computer: Collector.corp.company.com

- Davidw almost 4 years: Are the Firewalls configured to allow WinRM through?
- Jack almost 4 years: Yes, the GPO above handles the clients' firewall and there is a firewall rule configured on the collector server to allow WinRM in. The firewall rule was copied from a known good server as well, so I am fairly confident that is not the issue.
- Davidw almost 4 years: What's the status of the PowerShell script execution policy?
- Jack almost 4 years: Undefined for everything, except for the local machine, where it is Restricted.
- Davidw almost 4 years: According to About_Execution_Policy, the effective policy is Restricted under those settings. You might try setting it to RemoteSigned or Bypass.