Uriel-3067 asked Ig132435 commented

WinRM Certificate Authentication Problem on Some 2012 & 2016 Windows Servers

Hello Everyone,

We have a requirement to manage some Windows servers through WinRM from Linux servers so we configured WinRM to have an HTTPS listener (with a self-signed certificate) listening on the default port 5986 on all intended Windows servers (2008, 2012 & 2016). We also configured the servers to have a local admin account for authentication.

If we test using basic authentication, everything works correctly and we're able to manage most of the servers. However, the requirement is to use certificates for client authentication instead of basic, so we disabled basic and enabled certificate authentication, and also configured all the Windows servers as follows:

  1. Created an openssl self-signed certificate with extendedKeyUsage = clientAuth.

  2. Imported the certificate into the Trusted Root and Trusted People cert stores of LocalMachine for every server.

  3. Mapped the local admin account to the certificate imported.

Then we tested in two different environments that we have; in the development environment it is working fine on 2008 and 2016 servers, but in the test environment it only worked on the 2008 server; on 2012 and 2016 it's giving an authentication error.

We validated and confirmed that they had the same configuration as the other servers and even re-configured everything from scratch, but nothing works.

    If we try to connect from Windows using the Enter-PSSession command, we get the error:

Enter-PSSession : Connecting to remote server <host> failed with the following error message : The WinRM client cannot process the request. The destination computer
(<host>:5986) returned an 'access denied' error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify that the client
computer and the destination computer are joined to a domain. Possible authentication mechanisms reported by server: Negotiate ClientCerts For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession @sessionParams
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (<host>:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

If we try to connect from Linux using Python and PyWinRM, we get the following error:

>>> shell_id = p.open_shell()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 234, in send_message
    resp = self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 256, in send_message
    response = self._send_message_request(prepared_request, message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 266, in _send_message_request
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server

Has anyone faced this problem before? Do any of you know how this may be resolved?

Thank you in advance.

The following is the current WinRM configuration:

WinRM Listener

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = <hostname>
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 9FE3A0FA1F265F23F6BA68A1C493BD8C23C6E717
    ListeningOn = <ip_address>, 127.0.0.1, ::1, fe80::5efe:10.251.56.180%6, fe80::7987:7b5f:cc8b:b456%4

WinRM Service

Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter =
    IPv6Filter =
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true

Tags: windows-server, windows-server-2016, windows-server-2012, windows-server-management
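As an added example (not part of the original question or any reply), here is what steps 2 and 3 of the setup above look like when done from an elevated PowerShell on each Windows server, with a check that the certificate actually carries the clientAuth EKU before it is mapped. The file path, the account name and the UPN are assumptions; the UPN must match the otherName UPN that the certificate's subjectAltName carries, because WinRM matches the mapping on that field rather than on the subject CN alone.

```powershell
# Added example, not the poster's own script. Assumed values below:
$certPath   = 'C:\temp\winrm-client.cer'   # assumed: public part of the openssl-generated client cert
$account    = 'winrmadmin'                 # assumed: local admin account to map
$subjectUpn = 'winrmadmin@localhost'       # assumed: must equal the otherName UPN in the cert's SAN

# Step 2: import the self-signed client certificate into Trusted Root and Trusted People.
# A self-signed cert is its own issuer, so Root makes the chain trusted by Schannel and
# TrustedPeople lets the exact certificate be accepted.
$clientCert = Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null

# WinRM rejects client certs without the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); fail early.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$eku = $clientCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
    throw "Certificate $($clientCert.Thumbprint) lacks the clientAuth EKU; WinRM will not accept it."
}

# Step 3: map the certificate (subject UPN + issuer thumbprint) to the local account.
# -Issuer takes the thumbprint of the issuing cert; for a self-signed cert that is the cert itself.
$cred = Get-Credential -UserName $account -Message 'Password of the local account to map'
New-Item -Path 'WSMan:\localhost\ClientCertificate' -Subject $subjectUpn -URI '*' `
    -Issuer $clientCert.Thumbprint -Credential $cred -Force | Out-Null

# Certificate auth on, basic auth off, matching the configuration quoted in the question.
Set-Item -Path 'WSMan:\localhost\Service\Auth\Certificate' -Value $true
Set-Item -Path 'WSMan:\localhost\Service\Auth\Basic' -Value $false

# Review the resulting mapping and confirm the HTTPS listener is present.
Get-ChildItem 'WSMan:\localhost\ClientCertificate' |
    ForEach-Object { Get-ChildItem $_.PSPath | Format-Table Name, Value -AutoSize }
Get-ChildItem 'WSMan:\localhost\Listener' | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
```

The mapping stores the account's password, so it has to be recreated whenever that password changes; a mapping whose credential is stale produces the same "access denied" the question describes, which is worth ruling out before looking at Schannel settings.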

Uriel-3067 answered Ig132435 commented

Thank God I finally found an article with a solution that worked for me. I want to share it in case someone else is experiencing the same problem:

https://stackoverflow.com/a/67422353/16110314

The solution is basically to add a DWord registry key named "ClientAuthTrustMode" with a value of 2 to the path "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL".

I hope this helps.

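Added example (not from the answer above or the linked Stack Overflow post): applying the ClientAuthTrustMode change from an elevated PowerShell on the affected server, showing the value before and after so the change is auditable. The meaning of the three values is taken from Microsoft's Schannel TLS/SSL settings documentation; the restart step is my suggestion, since the value is read when a TLS context is built.

```powershell
# Added example, not the poster's own script.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueName   = 'ClientAuthTrustMode'

# Values per Microsoft's Schannel documentation:
#   0 = Machine Trust (default): client cert must be issued by a cert in the Trusted Issuers list
#   1 = Exclusive Root Trust: client cert must chain to a root in the trusted issuer store
#   2 = Exclusive CA Trust: client cert may chain to an intermediate CA or a root in that store
$desired = 2

$current = (Get-ItemProperty -Path $schannelKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { Write-Host "$valueName is not set; Schannel default (0) applies" }
else                    { Write-Host "$valueName currently = $current" }

if ($current -ne $desired) {
    # DWord type and value 2, exactly as the answer prescribes; -Force overwrites an existing value.
    New-ItemProperty -Path $schannelKey -Name $valueName -PropertyType DWord -Value $desired -Force | Out-Null
    # Restart WinRM so a fresh TLS context picks the setting up; reboot if it still does not take effect.
    Restart-Service -Name WinRM
}

$after = (Get-ItemProperty -Path $schannelKey -Name $valueName).$valueName
if ($after -ne $desired) { throw "Failed to set $valueName (found $after)" }
Write-Host "$valueName = $after"

# Re-test from a Windows client that holds the client cert in Cert:\CurrentUser\My
# (session options skip the checks that a self-signed server cert fails, as in the thread):
# $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
# Enter-PSSession -ComputerName <host> -Port 5986 -UseSSL -CertificateThumbprint <client_cert_thumbprint> -SessionOption $so
```

Note that value 2 widens what Schannel will accept at the TLS layer to any client certificate chaining to a root or intermediate in the machine's trusted store; the WinRM certificate mapping is still what decides which certificate maps to which account, so keep the Trusted Root and Trusted People stores on these servers limited to the certificates you intend to accept.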

Thank you, that worked for me.

JennyYan-MSFT answered Uriel-3067 edited

Hi,
1. Did you check that the users used for remoting have proper permissions on the remote machine?

Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell
Link: https://devblogs.microsoft.com/scripting/configure-remote-security-settings-for-windows-powershell/

2. For some commands, it is required to input the FQDN of the remote server, otherwise the certificate will be invalid.

3. Here is a similar thread for your reference:
Enter-PSSession fails to connect, Access is denied
https://social.technet.microsoft.com/Forums/en-US/60a759c7-d2e5-448f-b6b1-f716d13bf33c/enterpssession-fails-to-connect-access-is-denied?forum=winserverpowershell


Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny




Hi @JennyYan-MSFT

Thanks for your comments.

  1. Yes, I did it. The user is a local admin account, but just in case, I ran the command, validated that the local Administrators group has full control permissions, and (even if it's not needed), added the user to the "Remote Management Users" group.


Sorry @JennyYan-MSFT, for some reason I could not post the entire response in the same comment (even if it's less than 1000 characters), so I'm breaking it into different ones:

2- I've tried with IP address, hostname, and FQDN but all of them fail with the same access denied error.

WinRM was set up with a self-signed certificate so I'm including the options to skip the certificate checks as follows:

SessionOption = (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)

If I don't add this, I get a different cert error.

3- I reviewed the suggested article. In our case, we are trying with a client certificate, but when we try with basic authentication, curiously, it works fine from Linux (the user and pwd are correct), but from PowerShell, it fails with the same error.

Please let me know if you have any other suggestions to try.
Thanks again.

RAPINQuentin-6951 answered Uriel-3067 commented

Hey @Uriel-3067, have you finally found an answer to your question? I'm experiencing the same problem right now.


Hi @RAPINQuentin-6951.

Unfortunately no, our Windows team opened a support case with Microsoft and they were not able to find the root cause.

The only clue that we have is that the servers that are failing are hosted in AWS, but when we started testing on physical servers on the local network, thank God they worked fine :)

I'm sorry I cannot be of more help.

Kind regards.



@RAPINQuentin-6951,

FYI, Thank God I found the solution posted. I'm not sure if you still need it but if so, I hope it works for you.

Kind regards.
