Tags

, , , , ,

WinRM is a really cool feature when scripting tasks and managing Windows servers remotely. I’ve been struggling to enable it on the domain controllers in our globally-distributed environment, following almost every guide I could find online but haven’t had any success until yesterday. So I thought about having it documented here in case someone else comes across similar problems in future.

Configuring the listeners

I’m going to use Kerberos authentication for WinRM so the configuration is quite simple. If you are planning to use a different type of authentication such as basic authentication or CredSSP then you’ll need a few additional steps which I won’t be discussing here.

The first step is to configure the WinRM listeners for IPv4 and IPv6. I’m going to allow the WinRM listeners to listen on all IP addresses of the domain controllers in this case. If you want to restrict it to listen only on certain IP addresses follow the instructions given with the settings. So I’m configuring the GPO setting Computer Configuration / Policies / Administrative Templates / Windows Components Windows Remote Management (WinRM) / WinRM Service to listen on all IP addresses as follows.

winrm-listeners

Configuring the Windows service

Now since we have the listeners configured we need the WinRM service get going for the configurations to take effect. Let’s make sure that this service is configured to run automatically using group policy. Of course you can do this manually on all the domain controllers if you feel like burning a few more calories. 😉

I’m adding a new service in the GPO setting Computer Configuration / Preferences / Control Panel Settings / Services for WinRM and setting the “Startup” to “Automatic (Delayed Start)” and “Service action” to “Start service”.

winrm-svc winrm-svc-1

Once the service is running you should be good to go. However if you have the firewall turned on then you need to make sure the necessary ports are allowed through it. I won’t cover the firewall configuration in here.

Exceptional Cases

“The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid.”

winrm-ps-http-error

I’m not completely sure of the exact reasons for this error but I’ll explain my experience with it. Our domain is one of those where the user accounts are member of a large number of Active Directory security groups. With systems that use Windows authentication (or Kerberos authentication) with HTTP we usually come across problems with authentication due to the large size of the Kerberos tokens. This error tries to explain this problem (in its own way I guess :-P). The solution however is to configure the HTTP service to process larger HTTP headers. We can do this by configuring the two registry keys MaxRequestBytes and MaxFieldLength for HTTP service parameters. Let’s do this via group policy as well so we have everything at a single place and applied consistently across all the domain controllers.

We will configure the registry settings under Computer Configurations / Preferences / Windows Settings / Registry as follows.

winrm-reg

winrm-reg-mflwinrm-reg-mrb

The following image shows the error given when trying to connect to a domain controller through WinRM before performing this configuration and the successful connection after applying the new settings.

winrm-ps-before-n-after


Sources:

Advertisements