WinRM will not connect to remote computer in my Domain
If you haven't configured your list of allowed network addresses/trusted hosts in Group Policy/Local Policy, that may be one reason.
Administrative Templates > Windows Components > Windows Remote Management > WinRM Service
Allow remote server management through WinRM
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP).
If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured.
The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6 addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.
You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty.
Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter.
Example IPv4 filters:
2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22
Example IPv6 filters:
3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562
Administrative Templates > Windows Components > Windows Remote Management > WinRM Client
Trusted Hosts
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in Trusted Hosts List to determine if the destination host is a trusted entity.
If you enable this policy setting, the WinRM client uses the list specified in Trusted Hosts List to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host.
If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer.
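The filter rules quoted above (IP1-IP2 ranges, comma-separated, `*` overriding everything else, blank meaning no addresses) can be checked offline before a GPO is deployed, which helps when replacing a `*` filter with a range scoped to a management subnet. This is an added example, not part of the original answer and not WinRM's own code; the function names and the local address list are constructed for illustration, and the logic models only the behaviour the policy text describes.

```python
import ipaddress

def parse_filter(spec, version):
    """Parse one filter string; returns "all" or a list of (low, high) pairs."""
    parts = [p.strip() for p in spec.split(",") if p.strip()]
    if not parts:
        return []                 # blank filter: listen on no addresses
    if "*" in parts:
        return "all"              # "*" wins; other ranges are ignored
    ranges = []
    for part in parts:
        low_text, dash, high_text = part.partition("-")
        if not dash:
            raise ValueError(f"not an IP1-IP2 range: {part!r}")
        low = ipaddress.ip_address(low_text.strip())
        high = ipaddress.ip_address(high_text.strip())
        if low.version != version or high.version != version:
            raise ValueError(f"wrong family in IPv{version} filter: {part!r}")
        if low > high:
            raise ValueError(f"range start is above range end: {part!r}")
        ranges.append((low, high))
    return ranges

def listening_addresses(local_addrs, ipv4_filter, ipv6_filter):
    """Return the local addresses the service would use under both filters."""
    rules = {4: parse_filter(ipv4_filter, 4), 6: parse_filter(ipv6_filter, 6)}
    selected = []
    for text in local_addrs:
        addr = ipaddress.ip_address(text)
        rule = rules[addr.version]
        if rule == "all" or any(lo <= addr <= hi for lo, hi in rule):
            selected.append(text)
    return selected

# Constructed sample: addresses a multi-homed host might have.
LOCAL_ADDRS = ["2.0.0.5", "24.0.0.30", "10.1.1.7",
               "3ffe:ffff:7654:feda:1245:ba98:1000:1"]
# The example filters from the policy text above.
PAGE_IPV4 = "2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22"
PAGE_IPV6 = ("3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-"
             "3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562")

if __name__ == "__main__":
    print("page filters :", listening_addresses(LOCAL_ADDRS, PAGE_IPV4, PAGE_IPV6))
    print("IPv4 only (*):", listening_addresses(LOCAL_ADDRS, "*", ""))
    print("both blank   :", listening_addresses(LOCAL_ADDRS, "", ""))
```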
josh
Updated on September 18, 2022
Comments
-
josh over 1 year
I am trying to run a script that installs a program remotely for a user in my domain. I can run the script fine on my own computer but when I run the script for a different computer in the domain I get the error of
Connecting to remote server (computername) failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic
I have configured winRM and the winRM GPO, I have turned off the firewall and yet I keep getting the same error. I feel that I have exhausted all options so would love some help.
Things I have tried:
- Checked if Firewall was blocking port
- Configured winRM through a GPO on the domain, ipv4 and ipv6 are listening on *
- Ran Enable-PSRemoting -Force and winrm /quickconfig on both computers
- Ran winrm id -r:(mymachine) which works on mine but not on the computer I'm trying to remote to as I get the error:
    WSManFault
        Message = WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.

    Error number: -2144108250 0x80338126
    WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.
- Running telnet (TargetMachine) 5985 fails with error Connecting To (ComputerName)...Could not open connection to the host, on port 5985: Connect failed
- When I run 'winrm get winrm/config' and 'winrm get wmicimv2/Win32_Service?Name=WinRM' I get output of:
    Config
        MaxEnvelopeSizekb = 500
        MaxTimeoutms = 60000
        MaxBatchItems = 32000
        MaxProviderRequests = 4294967295
        Client
            NetworkDelayms = 5000
            URLPrefix = wsman
            AllowUnencrypted = false
            Auth
                Basic = true
                Digest = true
                Kerberos = true
                Negotiate = true
                Certificate = true
                CredSSP = false
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            TrustedHosts = ()ComputerName)
        Service
            RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
            MaxConcurrentOperations = 4294967295
            MaxConcurrentOperationsPerUser = 1500
            EnumerationTimeoutms = 240000
            MaxConnections = 300
            MaxPacketRetrievalTimeSeconds = 120
            AllowUnencrypted = false
            Auth
                Basic = false
                Kerberos = true
                Negotiate = true
                Certificate = false
                CredSSP = false
                CbtHardeningLevel = Relaxed
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            IPv4Filter = * [Source="GPO"]
            IPv6Filter = * [Source="GPO"]
            EnableCompatibilityHttpListener = false
            EnableCompatibilityHttpsListener = false
            CertificateThumbprint
            AllowRemoteAccess = true [Source="GPO"]
        Winrs
            AllowRemoteShellAccess = true
            IdleTimeout = 7200000
            MaxConcurrentUsers = 2147483647
            MaxShellRunTime = 2147483647
            MaxProcessesPerShell = 2147483647
            MaxMemoryPerShellMB = 2147483647
            MaxShellsPerUser = 2147483647

    Win32_Service
        AcceptPause = false
        AcceptStop = true
        Caption = Windows Remote Management (WS-Management)
        CheckPoint = 0
        CreationClassName = Win32_Service
        DelayedAutoStart = null
        Description = Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.
        DesktopInteract = false
        DisplayName = Windows Remote Management (WS-Management)
        ErrorControl = Normal
        ExitCode = 0
        InstallDate = null
        Name = WinRM
        PathName = C:\WINDOWS\System32\svchost.exe -k NetworkService -p
        ProcessId = 15760
        ServiceSpecificExitCode = 0
        ServiceType = Share Process
        Started = true
        StartMode = Auto
        StartName = NT AUTHORITY\NetworkService
        State = Running
        Status = OK
        SystemCreationClassName = Win32_ComputerSystem
        SystemName = (ComputerName)
        TagId = 0
        WaitHint = 0
- I can also do things like create a folder on the target computer. But performing an install of a program on the target computer fails.
I can't remember at the moment every exact little thing I have tried, but if you suggest something I can verify that I have tried it.
I have followed many suggestions online which includes Remote PowerShell, WinRM Failures: WinRM cannot complete the operation
but still.. nothing.
-
Citizen over 4 years: Can you list some of the options that you have tried and the outcomes? You're more likely to get a response if you do rather than people randomly suggesting things like, have you tried running winrm /quickconfig on the machine? docs.microsoft.com/en-us/windows/win32/winrm/…
-
josh over 4 years: @Citizen Okay I have updated my question. And yes I have
-
Greg Askew over 4 years: You need to specify if you can connect to tcp/5985, that would validate network connectivity. You also need to specify if you can perform a remote ping: winrm id -r:machinename
-
josh over 4 years: @GregAskew Okay I updated it, hopefully it helps. If you need any other information just ask. I have been trying to figure this problem out for a long time
-
Greg Askew over 4 years: Netstat isn't going to tell you if the port is open from a remote computer. You should telnet to port 5985 to the computer. If that doesn't work, network connectivity isn't working.
-
josh over 4 years: @GregAskew When I run: telnet (Remote Host) 5985 It works. But when I run telnet (Target Host) 5985 it fails
-
josh about 4 years: I have looked everywhere but also looked at this site serverfault.com/questions/666606/… and still my issue persists. It is bizarre
-
josh about 4 years: Thanks for the detailed reply. Unfortunately I have already tried both things you suggested and it continues to fail.
-
Greg Askew about 4 years: @josh: Oh wait. If you stated that tcp/5985 is not responding. Try on the target computer: winrm get winrm/config and winrm get wmicimv2/Win32_Service?Name=WinRM. Also ensure the firewall service is not stopped and check the Windows Remote Management event log for errors and warnings.
-
josh about 4 years: I have updated my question to provide the results when I run those commands on the target computer. Also our Firewall is being managed through ESET. But I pause the firewall and run the same command and it still fails. The WinRM event log gives me the same error message that PowerShell gives me that I have stated at the beginning of my question
-
josh about 4 years: And I can do things like make a folder on the target computer but I can't do things like install a program