Fix for WinRM working *remotely* but not working *locally*

TracMac

This issue is the reverse of the normal scenario, where you can open a local PSSession, but you can't connect remotely. In this instance, connecting remotely is fine, but a local PSSession fails.

Also, the computer cannot connect a client PSSession to remote (working) hosts. The remote host returns "Access Denied". Errors 161 and 142 (WSMan operation CreateShell failed, error code 2150859046) appear in the remote host's WinRM event log. This is because the host is trying to return an auth token to the client, which is not accepted.

Hopefully this will help other people to avoid spending literally hours on something that is trivial.

Symptoms

On the affected machine, trying to enter a PSSession to itself has the following results:

New-PSSession $hostname ## FAILS
New-PSSession $FQDN ## FAILS
New-PSSession localhost ## SUCCESS

On a remote machine, new PSSessions to the affected machine using the hostname, FQDN and IP are all fine.

Running Test-WSMan shows the following results:

test-wsman -computername badcomputer

test-wsman -computername badcomputer.example.net

test-wsman -computername 10.230.0.13
test-wsman : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046"
Machine="badcomputer.example.net"><f:Message>WinRM cannot complete the operation. Verify that the specified computer
name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service
is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits
access to remote computers within the same local subnet. </f:Message></f:WSManFault>

Running the above tests on a remote machine shows the expected results:

Test-wsman -computername badcomputer.example.net

wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.


Environment

  • Domain-joined machine with ports 5985 and 5986 open to "any".
  • Network interface is using Domain profile.
  • Netstat shows that 5985 is listening and isn't bound to any particular IP (including the loopback interface)

C:>netstat -ano | find "5985"
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP [::]:5985 [::]:0 LISTENING 4
  • "winrm get winrm/config" on the affected machine and a working computer shows exactly the same settings on both.
  • "Enable-PsRemoting -force" makes no difference in terms of resetting the WinRM configuration
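
The symptom matrix above collected into one script to run on the affected machine and, for comparison, on a working one. This is an added example, not part of the original post; it assumes Windows PowerShell with Get-NetTCPConnection available and uses the first IPv4 address the hostname resolves to.

```powershell
# Added example: probe the local WinRM endpoint under each name form the post tests.
$short = $env:COMPUTERNAME
$fqdn  = [System.Net.Dns]::GetHostEntry($short).HostName
# Assumption: the first IPv4 address returned is the one you would test by hand.
$ipv4  = [System.Net.Dns]::GetHostAddresses($short) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1 -ExpandProperty IPAddressToString

$targets = [ordered]@{
    Hostname  = $short
    FQDN      = $fqdn
    Localhost = 'localhost'
    IPv4      = $ipv4
}

$results = foreach ($form in $targets.Keys) {
    $name = $targets[$form]
    if (-not $name) { continue }   # no IPv4 address resolved
    try {
        $id = Test-WSMan -ComputerName $name -ErrorAction Stop
        [pscustomobject]@{ Form = $form; Target = $name; Ok = $true
                           FaultCode = $null; Detail = $id.ProductVersion }
    }
    catch {
        # Test-WSMan reports failure as a WSManFault XML document in the message;
        # extract its Code attribute (2150859046 in the post) when present.
        $msg  = $_.Exception.Message
        $code = if ($msg -match 'Code="(\d+)"') { $Matches[1] } else { $null }
        [pscustomobject]@{ Form = $form; Target = $name; Ok = $false
                           FaultCode = $code; Detail = ($msg -split "`r?`n")[0] }
    }
}
$results | Format-Table -AutoSize -Wrap

# Same check as the netstat line: which local addresses is 5985 listening on?
Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Listener configuration as WinRM itself reports it (may need an elevated prompt).
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
```

A result where only the Localhost row has Ok = True matches the pattern described in the post.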
