Schoch-0646 asked GaryNebbett commented

WinRM error code 400

Hello

For a short time now I have had the problem that I can't connect to other computers in my network with WinRM, but only if I use the FQDN.
When I use only the computer name without the DNS suffix then it works.
The problem occurred on Windows 10 and also Windows Server 2019.

This is the error message if I use the FQDN:
Enter-PSSession: Processing data for a remote command failed with the following error message: The WinRM client received an HTTP bad request status (400), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.

I also see strange behavior if I open, for example, the Hyper-V snap-in and try to connect to another computer with Hyper-V. Then I see this message:
The object contained a value in property "Started" that is not valid.

Does anyone have any idea what causes this strange behavior?
DNS resolution is working fine, without FQDN and with.

Thanks for help.




Schoch-0646 answered GaryNebbett commented

OK I used the following cmd on the target machine:
logman.exe start winrmtrace -p Microsoft-Windows-Winrm -o winrmtrace.etl -ets

Then I tried to log on from the failing machine with the FQDN.

After that I stopped and converted the tracing on the target machine with this cmd:
logman.exe stop winrmtrace -ets
Tracerpt winrmtrace.etl

You can find the XML result in the attachment.

I see this error message:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
<EventID>1048</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>10</Task>
<Opcode>0</Opcode>
<Keywords>0x2000000000000004</Keywords>
<TimeCreated SystemTime="2021-08-10T11:01:38.262198100+01:59" />
<Correlation ActivityID="{3df86985-7a56-0003-c46a-f83d567ad701}" />
<Execution ProcessID="1192" ThreadID="5184" ProcessorID="2" KernelTime="0" UserTime="0" />
<Channel>Microsoft-Windows-WinRM/Analytic</Channel>
<Computer />
</System>
<EventData>
<Data Name="httpStatus">400</Data>
<Data Name="errorCode"> 5</Data>
<Data Name="extraErrorInfo1">Failed to decrypt packet</Data>
<Data Name="extraErrorInfo2"></Data>
</EventData>
<RenderingInfo Culture="de-CH">
<Level>Error </Level>
<Keywords>
<Keyword>Server </Keyword>
</Keywords>
<Task>Response handling </Task>
<Message>Sending HTTP error back to the client due to a transport failure.
The HTTP status code is 400
The error code is 5 </Message>
<Channel>Microsoft-Windows-WinRM/Analytic </Channel>
<Provider>Microsoft-Windows-Windows Remote Management </Provider>
</RenderingInfo>
</Event>

But I don't see any useful information which can bring me a step further.
121916-dumpfile.xml




Greetings from Zurich



Hello @Schoch-0646,

The XML format is not as easy to work with as the binary file, but the following event data certainly seems worth investigating further:

 <EventData>
 <Data Name="httpStatus">400</Data>
 <Data Name="errorCode"> 5</Data>
 <Data Name="extraErrorInfo1">Failed to decrypt packet</Data>
 <Data Name="extraErrorInfo2"/>
 </EventData>

Gary


Hello @Schoch-0646,

I also just noticed that you traced Microsoft-Windows-WinRM rather than Microsoft-Windows-WebIO. Let's see what can be deduced from the information available...

Gary


Hello @Schoch-0646,

Sorry for replying again with just "crumbs" of information, but if the problem is believed to occur on the client then trace on the client.

Gary
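
One way to triage the tracerpt XML discussed in this answer and its comments, added here as an example that is not part of the original posts: it keeps only critical, error and warning events and flattens their EventData into one line each. The function name `Get-TraceErrorEvent` and the `$sample` document are hypothetical; the sample is constructed, with its first event mirroring the one quoted above.

```powershell
# Constructed sample in the layout tracerpt writes; the first event mirrors the one quoted above.
$sample = @'
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-WinRM" /><EventID>1048</EventID><Level>2</Level>
<TimeCreated SystemTime="2021-08-10T11:01:38.262198100+01:59" /></System>
<EventData><Data Name="httpStatus">400</Data><Data Name="errorCode"> 5</Data>
<Data Name="extraErrorInfo1">Failed to decrypt packet</Data><Data Name="extraErrorInfo2"></Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<!-- constructed informational event that the filter should skip -->
<System><Provider Name="Microsoft-Windows-WinRM" /><EventID>0</EventID><Level>4</Level>
<TimeCreated SystemTime="2021-08-10T11:01:38.100000000+01:59" /></System>
<EventData><Data Name="note">constructed</Data></EventData>
</Event>
</Events>
'@

function Get-TraceErrorEvent {
    # Hypothetical helper: returns one object per event whose Level is between 1 and $MaxLevel.
    param([Parameter(Mandatory)] [string] $Xml, [int] $MaxLevel = 3)
    $ns = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
    # Level 1 = critical, 2 = error, 3 = warning; 4 and above are informational or verbose.
    $xpath = "//e:Event[e:System/e:Level >= 1 and e:System/e:Level <= $MaxLevel]"
    Select-Xml -Content $Xml -Namespace $ns -XPath $xpath | ForEach-Object {
        $sys  = $_.Node['System']
        # Collect name=value pairs; GetAttribute/InnerText avoid ambiguity with the element's own Name.
        $data = foreach ($d in $_.Node['EventData'].ChildNodes) {
            if ($d -is [System.Xml.XmlElement]) {
                '{0}={1}' -f $d.GetAttribute('Name'), $d.InnerText.Trim()
            }
        }
        [pscustomobject]@{
            Time     = $sys['TimeCreated'].GetAttribute('SystemTime')
            Provider = $sys['Provider'].GetAttribute('Name')
            EventID  = $sys['EventID'].InnerText
            Level    = [int]$sys['Level'].InnerText
            Data     = $data -join '; '
        }
    }
}

# Only the Level 2 event (httpStatus=400, "Failed to decrypt packet") is returned.
Get-TraceErrorEvent -Xml $sample | Format-List
```

For a real trace, pass the file content with `Get-Content -Raw` on the XML that tracerpt produced.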

Schoch-0646 answered

Hello

Now I ran the following on the failing machine, because on the target machine I got no logs when I ran the commands below:
logman.exe start webiotrace -p Microsoft-Windows-WebIO -o webiotrace.etl -ets

Then I tried to open a remote PowerShell session again.

logman.exe stop webiotrace -ets
tracerpt -lr webiotrace.etl

One reason why I use XML is because I want to hide some sensitive internal data from the public.

In the logs I can now see the entry below, but I still have no clue:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WebIO" Guid="{50b3e73c-9370-461d-bb9f-26f32d68887d}" />
<EventID>101</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>400</Task>
<Opcode>0</Opcode>
<Keywords>0x8000020200000000</Keywords>
<TimeCreated SystemTime="2021-08-10T13:10:52.285497000+01:59" />
<Correlation ActivityID="{30000002-0005-fb00-a047-10eb4c13e025}" />
<Execution ProcessID="4940" ThreadID="2980" ProcessorID="2" KernelTime="90" UserTime="90" />
<Channel>Microsoft-Windows-WebIO/Diagnostic</Channel>
<Computer />
</System>
<EventData>
<Data Name="Request">0x1CEEB1047A0</Data>
<Data Name="Length">123</Data>
<Data Name="Headers">HTTP/1.1 400
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 10 Aug 2021 11:10:51 GMT
Connection: close
Content-Length: 0

</Data>
</EventData>
<RenderingInfo Culture="en-CH">
<Level>Information </Level>
<Opcode>Info </Opcode>
<Keywords>
<Keyword>RECEIVE </Keyword>
<Keyword>PII_PRESENT </Keyword>
</Keywords>
<Task>RequestHeader </Task>
<Message>0x1CEEB1047A0: Received Headers: HTTP/1.1 400
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 10 Aug 2021 11:10:51 GMT
Connection: close
Content-Length: 0

</Message>
<Channel>Microsoft-Windows-WebIO/Diagnostic</Channel>
</RenderingInfo>
</Event>

See also attachment, thanks.
121938-dumpfile.xml




Schoch-0646 answered GaryNebbett commented

Hello Gary

Yes, exactly this was the problem: the domain blabla.ch was not in the WinHTTP proxy exemption list, and because of this the WinRM connection failed.

So in the end it was a typical IT side effect problem..


Thanks a lot Gary and greetings again to Basel, let me know if you are in Zurich by chance :)


Hello @Schoch-0646,

Will do :-)

The "Failed to decrypt packet" error was a useful hint. I think that the proxy server interfered with the Kerberos session key agreement.

Gary
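
The resolution above, as an added example that is not part of the original thread: a check of whether a target name would bypass the WinHTTP proxy for a given exemption list. The function name `Test-WinHttpBypass`, the host `srv01` and both lists are hypothetical, the matching is a simplified approximation of WinHTTP's own, and it assumes the list contained `<local>` (which the thread does not state), which would explain why the short name worked while the FQDN did not.

```powershell
function Test-WinHttpBypass {
    # Hypothetical helper: approximates how a semicolon-separated bypass list is applied to a host name.
    # Entries carrying a scheme or port are not handled.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $BypassList
    )
    foreach ($entry in ($BypassList -split ';')) {
        $pattern = $entry.Trim()
        if (-not $pattern) { continue }
        if ($pattern -eq '<local>') {
            # <local> covers only names without a dot, so an FQDN never matches it.
            if ($HostName -notmatch '\.') { return $true }
            continue
        }
        # -like is case-insensitive and treats * as a wildcard, e.g. *.blabla.ch
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

# Constructed values: an exemption list without the domain, and the same list with it added.
$before = '<local>;*.corp.example'
$after  = '<local>;*.corp.example;*.blabla.ch'

foreach ($name in 'srv01', 'srv01.blabla.ch') {
    [pscustomobject]@{
        Target       = $name
        BypassBefore = Test-WinHttpBypass -HostName $name -BypassList $before
        BypassAfter  = Test-WinHttpBypass -HostName $name -BypassList $after
    }
}
# srv01            : BypassBefore True,  BypassAfter True  (short name, covered by <local>)
# srv01.blabla.ch  : BypassBefore False, BypassAfter True  (FQDN went to the proxy until the domain was listed)
```

The list currently in effect on a machine is printed by `netsh winhttp show proxy`.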