WinRM will not connect to remote computer in my Domain


If you haven't configured your list of allowed network addresses/trusted hosts in Group Policy/Local Policy, that may be one reason.

Administrative Templates > Windows Components > Windows Remote Management > WinRM Service

Allow remote server management through WinRM

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port.

If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port.

To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP).

If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured.

The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6 addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.

You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.

For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty.

Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter.

Example IPv4 filters:
2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22

Example IPv6 filters:
3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562

WinRM Service Trusted Networks

Administrative Templates > Windows Components > Windows Remote Management > WinRM Client

Trusted Hosts

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in Trusted Hosts List to determine if the destination host is a trusted entity.

If you enable this policy setting, the WinRM client uses the list specified in Trusted Hosts List to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host.

If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer.

WinRM Client Trusted Hosts
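
The filter rules quoted in the answer above (IP1-IP2 ranges separated by commas, * overriding any other range, a blank filter meaning the service listens nowhere), worked through as an added Python example; it is not part of the original answer and not WinRM's own code. The function names and the SAMPLE and LOCAL values are constructed for illustration, with the config lines written in the format of the winrm get winrm/config output shown on this page.

```python
import ipaddress
import re

# Matches service lines such as:  IPv4Filter = * [Source="GPO"]
FILTER_LINE = re.compile(
    r'^\s*(IPv[46]Filter)\s*=\s*(.*?)\s*(?:\[Source="([^"]*)"\])?\s*$')

def filters_from_config(output):
    """Return {name: (filter_text, source)}; source is None when not annotated."""
    found = {}
    for line in output.splitlines():
        m = FILTER_LINE.match(line)
        if m:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found

def parse_filter(text):
    """Return "*" (all addresses) or a list of (low, high) pairs; [] if blank."""
    parts = [p.strip() for p in text.split(",") if p.strip()]
    if "*" in parts:
        return "*"  # when * is used, other ranges in the filter are ignored
    ranges = []
    for part in parts:
        low, sep, high = part.partition("-")
        if not sep:
            raise ValueError(f"expected IP1-IP2, got {part!r}")
        lo, hi = (ipaddress.ip_address(x.strip()) for x in (low, high))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {part!r}")
        ranges.append((lo, hi))
    return ranges

def listening_addresses(filter_text, local_addresses, version):
    """Local addresses of the given IP version that fall inside the filter."""
    parsed = parse_filter(filter_text)
    kept = []
    for text in local_addresses:
        addr = ipaddress.ip_address(text)
        if addr.version != version:
            continue
        if parsed == "*" or any(lo <= addr <= hi for lo, hi in parsed if lo.version == version):
            kept.append(text)
    return kept

# Constructed sample: filter lines in the page's output format, made-up host addresses.
SAMPLE = 'IPv4Filter = 2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 [Source="GPO"]\nIPv6Filter =\n'
LOCAL = ["2.0.0.5", "10.1.2.3", "24.0.0.22", "fe80::1"]
if __name__ == "__main__":
    for name, (text, source) in filters_from_config(SAMPLE).items():
        print(name, repr(text), source, listening_addresses(text, LOCAL, int(name[3])))
```

An empty result for a host's only reachable address means the filter, not the firewall, is keeping the service off that interface.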


josh
Author by

josh

Updated on September 18, 2022

Comments

  • josh
    josh over 1 year

    I am trying to run a script that installs a program remotely for a user in my domain. I can run the script fine on my own computer but when I run the script for a different computer in the domain I get the error of

    Connecting to remote server (computername) failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic

    I have configured winRM and the winRM GPO, I have turned off the firewall and yet I keep getting the same error. I feel that I have exhausted all options so would love some help.

    Things I have tried:

    • Checked if Firewall was blocking port
    • Configured winRM through a GPO on the domain, ipv4 and ipv6 are listening on *
    • Ran Enable-PSRemoting -Force and winrm /quickconfig on both computers
    • Ran winrm id -r:(mymachine) which works on mine but not on the computer I'm trying to remote to as I get the error:
    WSManFault
        Message = WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.
    
    Error number:  -2144108250 0x80338126
    WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.
    
    • Running telnet (TargetMachine) 5985 fails with error Connecting To (ComputerName)...Could not open connection to the host, on port 5985: Connect failed
    • When I run 'winrm get winrm/config' and 'winrm get wmicimv2/Win32_Service?Name=WinRM' I get output of:
    Config
        MaxEnvelopeSizekb = 500
        MaxTimeoutms = 60000
        MaxBatchItems = 32000
        MaxProviderRequests = 4294967295
        Client
            NetworkDelayms = 5000
            URLPrefix = wsman
            AllowUnencrypted = false
            Auth
                Basic = true
                Digest = true
                Kerberos = true
                Negotiate = true
                Certificate = true
                CredSSP = false
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            TrustedHosts = ()ComputerName)
        Service
            RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
            MaxConcurrentOperations = 4294967295
            MaxConcurrentOperationsPerUser = 1500
            EnumerationTimeoutms = 240000
            MaxConnections = 300
            MaxPacketRetrievalTimeSeconds = 120
            AllowUnencrypted = false
            Auth
                Basic = false
                Kerberos = true
                Negotiate = true
                Certificate = false
                CredSSP = false
                CbtHardeningLevel = Relaxed
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            IPv4Filter = * [Source="GPO"]
            IPv6Filter = * [Source="GPO"]
            EnableCompatibilityHttpListener = false
            EnableCompatibilityHttpsListener = false
            CertificateThumbprint
            AllowRemoteAccess = true [Source="GPO"]
        Winrs
            AllowRemoteShellAccess = true
            IdleTimeout = 7200000
            MaxConcurrentUsers = 2147483647
            MaxShellRunTime = 2147483647
            MaxProcessesPerShell = 2147483647
            MaxMemoryPerShellMB = 2147483647
            MaxShellsPerUser = 2147483647
    
    Win32_Service
        AcceptPause = false
        AcceptStop = true
        Caption = Windows Remote Management (WS-Management)
        CheckPoint = 0
        CreationClassName = Win32_Service
        DelayedAutoStart = null
        Description = Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine.  The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.
        DesktopInteract = false
        DisplayName = Windows Remote Management (WS-Management)
        ErrorControl = Normal
        ExitCode = 0
        InstallDate = null
        Name = WinRM
        PathName = C:\WINDOWS\System32\svchost.exe -k NetworkService -p
        ProcessId = 15760
        ServiceSpecificExitCode = 0
        ServiceType = Share Process
        Started = true
        StartMode = Auto
        StartName = NT AUTHORITY\NetworkService
        State = Running
        Status = OK
        SystemCreationClassName = Win32_ComputerSystem
        SystemName = (ComputerName)
        TagId = 0
        WaitHint = 0
    
    • I can also do things like create a folder on the target computer. But performing an install of a program on the target computer fails.

    I can't remember every exact little thing I have tried at the moment, but if you suggest something I can verify that I have tried it.

    I have followed many suggestions online which includes Remote PowerShell, WinRM Failures: WinRM cannot complete the operation

    but still.. nothing.

    • Citizen
      Citizen over 4 years
      Can you list some of the options that you have tried and the outcomes? You're more likely to get a response if you do, rather than people randomly suggesting things like, have you tried running winrm /quickconfig on the machine? docs.microsoft.com/en-us/windows/win32/winrm/…
    • josh
      josh over 4 years
      @Citizen Okay I have updated my question. And yes I have
    • Greg Askew
      Greg Askew over 4 years
      You need to specify if you can connect to tcp/5985, that would validate network connectivity. You also need to specify if you can perform a remote ping: winrm id -r:machinename
    • josh
      josh over 4 years
      @GregAskew Okay I updated it, hopefully it helps. If you need any other information just ask. I have been trying to figure this problem out for a long time.
    • Greg Askew
      Greg Askew over 4 years
      Netstat isn't going to tell you if the port is open from a remote computer. You should telnet to port 5985 to the computer. If that doesn't work, network connectivity isn't working.
    • josh
      josh over 4 years
      @GregAskew When I run: telnet (Remote Host) 5985 It works. But when I run telnet (Target Host) 5985 it fails
    • josh
      josh about 4 years
      I have looked everywhere but also looked at this site serverfault.com/questions/666606/… and still my issue persists. It is bizarre
  • josh
    josh about 4 years
    Thanks for the detailed reply. Unfortunately I have already tried both things you suggested and it continues to fail.
  • Greg Askew
    Greg Askew about 4 years
    @josh: Oh wait. If you stated that tcp/5985 is not responding. Try on the target computer: winrm get winrm/config and winrm get wmicimv2/Win32_Service?Name=WinRM. Also ensure the firewall service is not stopped and check the Windows Remote Management event log for errors and warnings.
  • josh
    josh about 4 years
    I have updated my question to provide the results when I run those commands on the target computer. Also our Firewall is being managed through ESET. But I pause the firewall and run the same command and it still fails. The WinRM event log gives me the same error message that powershell gives me that I have stated at the beginning of my question
  • josh
    josh about 4 years
    And I can do things like make a folder on the target computer but I can't do things like install a program