WinRM (HTTPS) destination computer returned an 'access denied' error
I just enabled WinRM service in my Windows 10 machine (Home edition - no group policy) for HTTPS. I first created a self signing test certificate through powershell and started a WinRM listener (port 5986, which is allowed in Firewall).
I wanted to test it in the same machine if I can start an interactive session through the following commands (with administrative rights):
$so = New-PsSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$sess = New-PSSession -ComputerName 127.0.0.1 -UseSSL -SessionOption $so -CertificateThumbprint "14FEDEADE9785547C4C0EC986D42D0EF795BBA0C"
Enter-PSSession -Session $sess
However I get the following error:
WinRM client cannot process the request. The destination computer (127.0.0.1:5986) returned an 'access denied'
error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify
that the client computer and the destination computer are joined to a domain. Possible authentication mechanisms
reported by server: Basic Negotiate ClientCerts For more information, see the about_Remote_Troubleshooting Help
topic.
I also tried the Ruby library for Windows Remote Management using the private key and certificate extracted from the .pfx file (on another computer in the network), but I get a WinRM::WinRMAuthorizationError.
Here is the winrm get winrm/config output:
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = false
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = *
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
[Edit]: I just tried from another Windows 10 computer, this time the error is different:
New-PSSession : [192.168.0.29] Connecting to remote server 192.168.0.29 failed with the following error message : The server certificate
on the destination computer (192.168.0.29:5986) has the following errors:
The SSL certificate is expired. For more information, see the about_Remote_Troubleshooting Help topic.
Which is really weird because the certificate is valid until 2020 (so that the error message is not true).
windows-10 powershell certificate winrm
asked Feb 8 at 1:43
bashbinbashbin
12
add a comment |
I just enabled WinRM service in my Windows 10 machine (Home edition - no group policy) for HTTPS. I first created a self signing test certificate through powershell and started a WinRM listener (port 5986, which is allowed in Firewall).
I wanted to test it in the same machine if I can start an interactive session through the following commands (with administrative rights):
$so = New-PsSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$sess = New-PSSession -ComputerName 127.0.0.1 -UseSSL -SessionOption $so -CertificateThumbprint "14FEDEADE9785547C4C0EC986D42D0EF795BBA0C"
Enter-PSSession -Session $sess
However I get the following error:
WinRM client cannot process the request. The destination computer (127.0.0.1:5986) returned an 'access denied'
error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify
that the client computer and the destination computer are joined to a domain. Possible authentication mechanisms
reported by server: Basic Negotiate ClientCerts For more information, see the about_Remote_Troubleshooting Help
topic.
I also tried the Ruby library for Windows Remote Management using the private key and certificate extracted from the .pfx file (on another computer in the network), but I get a WinRM::WinRMAuthorizationError.
Here is the winrm get winrm/config output:
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = false
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = *
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
[Edit]: I just tried from another Windows 10 computer, this time the error is different:
New-PSSession : [192.168.0.29] Connecting to remote server 192.168.0.29 failed with the following error message : The server certificate
on the destination computer (192.168.0.29:5986) has the following errors:
The SSL certificate is expired. For more information, see the about_Remote_Troubleshooting Help topic.
Which is really weird because the certificate is valid until 2020 (so that the error message is not true).
windows-10 powershell certificate winrm
asked Feb 8 at 1:43
bashbinbashbin
12
Btw WinRM works fine for HTTP (port 5985) with given account credentials.
– bashbin
Feb 8 at 1:45
add a comment |
I just enabled WinRM service in my Windows 10 machine (Home edition - no group policy) for HTTPS. I first created a self signing test certificate through powershell and started a WinRM listener (port 5986, which is allowed in Firewall).
I wanted to test it in the same machine if I can start an interactive session through the following commands (with administrative rights):
$so = New-PsSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$sess = New-PSSession -ComputerName 127.0.0.1 -UseSSL -SessionOption $so -CertificateThumbprint "14FEDEADE9785547C4C0EC986D42D0EF795BBA0C"
Enter-PSSession -Session $sess
However I get the following error:
WinRM client cannot process the request. The destination computer (127.0.0.1:5986) returned an 'access denied'
error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify
that the client computer and the destination computer are joined to a domain. Possible authentication mechanisms
reported by server: Basic Negotiate ClientCerts For more information, see the about_Remote_Troubleshooting Help
topic.
I also tried the Ruby library for Windows Remote Management using the private key and certificate extracted from the .pfx file (on another computer in the network), but I get a WinRM::WinRMAuthorizationError.
Here is the winrm get winrm/config output:
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = false
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = *
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
[Edit]: I just tried from another Windows 10 computer, this time the error is different:
New-PSSession : [192.168.0.29] Connecting to remote server 192.168.0.29 failed with the following error message : The server certificate
on the destination computer (192.168.0.29:5986) has the following errors:
The SSL certificate is expired. For more information, see the about_Remote_Troubleshooting Help topic.
Which is really weird because the certificate is valid until 2020 (so that the error message is not true).
windows-10 powershell certificate winrm
asked Feb 8 at 1:43
bashbinbashbin
12
I just enabled WinRM service in my Windows 10 machine (Home edition - no group policy) for HTTPS. I first created a self signing test certificate through powershell and started a WinRM listener (port 5986, which is allowed in Firewall).
I wanted to test it in the same machine if I can start an interactive session through the following commands (with administrative rights):
$so = New-PsSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$sess = New-PSSession -ComputerName 127.0.0.1 -UseSSL -SessionOption $so -CertificateThumbprint "14FEDEADE9785547C4C0EC986D42D0EF795BBA0C"
Enter-PSSession -Session $sess
However I get the following error:
WinRM client cannot process the request. The destination computer (127.0.0.1:5986) returned an 'access denied'
error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify
that the client computer and the destination computer are joined to a domain. Possible authentication mechanisms
reported by server: Basic Negotiate ClientCerts For more information, see the about_Remote_Troubleshooting Help
topic.
I also tried the Ruby library for Windows Remote Management using the private key and certificate extracted from the .pfx file (on another computer in the network), but I get a WinRM::WinRMAuthorizationError.
Here is the winrm get winrm/config output:
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = false
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = *
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
[Edit]: I just tried from another Windows 10 computer, this time the error is different:
New-PSSession : [192.168.0.29] Connecting to remote server 192.168.0.29 failed with the following error message : The server certificate
on the destination computer (192.168.0.29:5986) has the following errors:
The SSL certificate is expired. For more information, see the about_Remote_Troubleshooting Help topic.
Which is really weird because the certificate is valid until 2020 (so that the error message is not true).
windows-10 powershell certificate winrm
windows-10 powershell certificate winrm
asked Feb 8 at 1:43
bashbinbashbin
12
asked Feb 8 at 1:43
bashbinbashbin
12
edited Feb 8 at 13:53
bashbin
asked Feb 8 at 1:43
bashbinbashbin
12
asked Feb 8 at 1:43
bashbinbashbin
12
asked Feb 8 at 1:43
bashbinbashbin
12
12
Btw WinRM works fine for HTTP (port 5985) with given account credentials.
– bashbin
Feb 8 at 1:45
add a comment |
Btw WinRM works fine for HTTP (port 5985) with given account credentials.
– bashbin
Feb 8 at 1:45
Btw WinRM works fine for HTTP (port 5985) with given account credentials.
– bashbin
Feb 8 at 1:45
Btw WinRM works fine for HTTP (port 5985) with given account credentials.
– bashbin
Feb 8 at 1:45
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1403366%2fwinrm-https-destination-computer-returned-an-access-denied-error%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1403366%2fwinrm-https-destination-computer-returned-an-access-denied-error%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Btw WinRM works fine for HTTP (port 5985) with given account credentials.
– bashbin
Feb 8 at 1:45