Why do I get Access Denied when using WinRM?

windows-server-2003 windows-server-2008 winrm

10,585

try installing the latest version of winrm from here on the 2003 box. The ports (by default) should be 5985 for http and 5986 for https. Also note that winrm quickconfig is not available on 2003.

Winrm will run commands based on the user currently accessing the machine. Once you have te 2.0 version installed run from the 2k3 box:

test-wsman -computername web1928 -authentication default

This output should tell you if it can connect properly. If you want to test other credentials use

$cred = get-credential
test-wsman -computername web1928 -authentication default -credential $cred

10,585

Kev

###Actively looking for freelance work ###About Me: I'm a professional software developer and have spent my time building provisioning and web based self-service systems for IIS, Apache and Citrix XenServer, amongst other things. My Curriculum Vitae can be viewed on Stack Overflow Careers (might be a bit out of date). Stuff I like to listen to at last.fm You can get in touch here: kevin.e.kenny #@# gmail.com (you know what to do with the # and spaces). No Survey Emails Please. Also not ashamed to admit I like trains, mostly diesels, late Era 8 (BR Sectorisation) and Era 9 onwards :) I'm also interested in signalling if anyone from Network Rail is looking this far down ;)

Updated on September 17, 2022

Comments

Kev over 1 year
Following on from this question:

Why does my PowerShell script hang when called in PSEXEC via a batch (.cmd) file?

I took the advice from Jim B and installed WinRM. To recap I have two servers:
- HMon01 - runs Windows 2003 Standard SP2
- Web1928 - runs Windows 2008 Standard SP2 (not R2)
Both servers are standalone.

I installed WinRM for Windows 2003 from here and configured WinRM as follows on both machines:
```
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
    DefaultPorts
        HTTP = 80
        HTTPS = 443
    TrustedHosts = *
```
The problem I have is that if I remotely execute commands using the remote machine's built in Administrator account then all is well.

However I have an account on the remote machine named remoteexec which is a member of the Administrators group (we disable our Administrator accounts). If I use this account then I get Access Denied errors. I've done all the usual things such as checking passwords and the like.

Why would this be?
- tony roth about 14 years
  
  so if you run winrm quickconfig on both servers what result do you get? also run this as administrator!
- tony roth about 14 years
  
  yes thats correct, do this as a test create an account on the monitoring server called remoteexec with the same password as the account on the web server. Do not pass a password with the powershell command if the account is good then pass thru authentication should work.
- Kev about 14 years
  
  I'm running this from CMD.EXE. I now have two identical accounts on each server (both with the same password and both members of Administrators). If I leave the password out I get prompted for one. If I enter it or leave blank I still get Access Denied. I also tried leaving out the credentials all together, still no joy.
- tony roth about 14 years
  
  on the monitoring server can you do the following logged in as remoteexec dir \\Web1928\c$
Kev about 14 years

Hi Jim...do I need to install PowerShell 2.0 on the Windows 2003 box or can I still use the command line? Does the Windows 2008 box need upgrading (it's not R2)?
Kev about 14 years

Jim, thanks for that. I upgraded both machines and it's all magically started working, even from our HostMonitor software.