Unable to Use Server Manager Remotely

  • Monday, October 19, 2009 2:49 AM, ChasBoston
     
    I have a test network that includes 2 Windows 2008 R2 servers (one is Server Core) and a Windows 7 Ultimate workstation.  I had been able to use Server Manager to remotely administer both of the servers from either Windows 7 or Windows 2008 R2.  For some reason, I can no longer do this.  I went back to this article http://technet.microsoft.com/en-us/library/dd759202.aspx#BKMK_gp and followed all of the instructions for a second time, but it didn't change a thing.  To reduce the margin of error, I temporarily turned off the Windows Firewall as well.  Looking at the Event Logs on the target machine, I see nothing in the System or Application logs, and only Success Audits for my attempts in the Security Logs.  However, in the Windows Remote Management\Operational log on Windows 2008 R2 client, for each attempt there is an Error Event ID 219: "Received the response from Network Layer; status: 401 (HTTP_STATUS_DENIED)".  In the same log on Windows 7 client I get:
    operationName CreateShell
        errorCode 2150858770

    So it is a different error on each.
    Now that I think of it, the only thing that has changed in between the time that this was working and now, is that several patches were installed a few days ago on all 3 machines, because it was a big Patch Tuesday.  Is anyone else seeing this problem?  I'm not sure what else to look for at this point.

    Thanks.

All Replies

  • Monday, October 19, 2009 11:25 AM, David Shen - MSFT (Moderator)
     

    Hello ChasBoston,

    From the error message [Error Event ID 219: "Received the response from Network Layer; status: 401 (HTTP_STATUS_DENIED)], it seems that there are some authentication issues.

     

    Let's check the following:

     

    1. Please confirm whether all these machines are in the same domain. If not, please follow the steps in the TechNet link to add the remote computer to the trusted hosts list on the source computer.

     

    http://technet.microsoft.com/en-us/library/dd759202.aspx

     

    2. As Server Manager depends on WinRM service, please verify WinRM works:

     

    a. On source computer, please verify that Windows Remote Management (WS-Management) service is started and run the following command in an elevated window:

     

    Winrm quickconfig

     

    b. Please refer to the following link and use the WinRS client to see whether you can connect to the server remotely.

     

    http://blogs.technet.com/server_core/archive/2006/08/11/446122.aspx

     

    3. Please test connecting to a remote computer in Computer Management from the Windows 7 client. Does it work?

     

    If WinRM does not work, please run the following command to collect WinRM configuration information on the Windows Server 2008 R2.

     

    Winrm get winrm/config >c:\winrm.txt


    You may send the log file to tfwst@microsoft.com

    Best Regards,

    David Shen


    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Monday, October 19, 2009 8:52 PM, ChasBoston
     
    Thanks for the quick response.

    1. I forgot to mention that all of these machines are in the same Windows 2003 Native domain and I was using a domain admin account to manage the servers remotely.
    2.a. The WinRM service is running (on server and client) and I had already run Winrm quickconfig.
    2.b. This is a good suggestion that I haven't tried.  I will do this when I get the chance and let you know the results.
    3. I have no trouble at all connecting via Computer Management remotely to the 2008 R2 servers.

    I'll get back to you soon.
  • Tuesday, October 20, 2009 1:48 AM, ChasBoston
     

    When I try winrs I also get a failure:
    "Winrs error:The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig"."

    Here is the output from winrm get winrm/config:
    Config
        MaxEnvelopeSizekb = 800
        MaxTimeoutms = 600000
        MaxBatchItems = 20
        MaxProviderRequests = 4294967295
        Client
            NetworkDelayms = 5000
            URLPrefix = wsman
            AllowUnencrypted = false
            Auth
                Basic = true
                Digest = true
                Kerberos = true
                Negotiate = true
                Certificate = true
                CredSSP = false
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            TrustedHosts = *
        Service
            RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-2614200118-3062520466-3199943593-1000)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
            MaxConcurrentOperations = 4294967295
            MaxConcurrentOperationsPerUser = 200
            EnumerationTimeoutms = 600000
            MaxConnections = 15
            MaxPacketRetrievalTimeSeconds = 120
            AllowUnencrypted = false
            Auth
                Basic = false
                Kerberos = true
                Negotiate = true
                Certificate = false
                CredSSP = false
                CbtHardeningLevel = Relaxed
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            IPv4Filter = *
            IPv6Filter = *
            EnableCompatibilityHttpListener = false
            EnableCompatibilityHttpsListener = false
            CertificateThumbprint
        Winrs
            AllowRemoteShellAccess = true
            IdleTimeout = 180000
            MaxConcurrentUsers = 5
            MaxShellRunTime = 2147483647
            MaxProcessesPerShell = 15
            MaxMemoryPerShellMB = 150
            MaxShellsPerUser = 5

    Thanks for your help.

  • Tuesday, October 20, 2009 10:10 AM, David Shen - MSFT (Moderator)
     

    Hi ChasBoston,

     

    According to the output of the command "Winrm get winrm/config" , it seems that the RootSDDL is different from the default WinRM configuration settings.

     

    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-2614200118-3062520466-3199943593-1000)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)

     

    You might have customized the permission setting on the target Windows Server 2008 R2. Is that right?

     

    As a test, please grant Authenticated User the permission to use WinRM to test this issue again.

     

    To do so, please perform the following steps:

     

    1. Run the following command in an elevated window:

     

    winrm configsddl default

     

    2. When the Permissions for Default dialog box appears, please add Authenticated User and grant it Full Control permission in the permission dialog, and remove any denied permissions.

     

    3. Reboot the server and test to see if this problem can be fixed.

     

    If this problem continues, please collect the following information for further research:

     

    1. Please collect the event log "Applications and Services Logs\Microsoft\Windows\Windows Remote Management\Operational" on both source and administration machines. Please Save All Events as… a .evtx file.

     

    2. Run the following command to collect the listener information:

     

    winrm enum winrm/config/listener

     

    3. Please collect a network monitor trace on both computers when reproducing the issue by establishing a WinRM connection.

     

    Download: Microsoft Network Monitor 3.3

    http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

     

    a. Enable the Capture Filter "IPv4.Address == <ip of the client>" and start capture.

    b. Restart one of clients to reproduce the issue.

    c. Stop capture and save to *.cap file.

     

    How to use Network Monitor to capture network traffic

    http://support.microsoft.com/kb/812953

     

    You can send the cap file to us via tfwst@microsoft.com

     

    Best Regards,

    David Shen


  • Thursday, October 22, 2009 2:30 AM, ChasBoston
     
    Thanks.  Setting the default permissions to allow authenticated users did not make any difference. 

    I sent the collected data you requested around 02:30 GMT on 10-22-09.  Let me know if it gives you any clues.

    Cheers.
  • Friday, October 23, 2009 6:54 AM, David Shen - MSFT (Moderator), marked as Answer

    Hi ChasBoston,

     

    Thank you for collecting the information.

    Based on our research into the logs, here is what we found when locating listeners and addresses on the problematic Windows Server 2008 R2 server:

     

    Listener [Source="GPO"]
        Address = *
        Transport = HTTP
        Port = 5985
        Hostname
        Enabled = true
        URLPrefix = wsman
        CertificateThumbprint
        ListeningOn = null

     

    The WinRM listener on the server side shows "ListeningOn = null"; it seems the WinRM service on the server isn't listening on any IP interface on that machine. Normally, WinRM should be listening on an IP address so that the Windows 7 client can connect to it remotely. This may be the clue.

    Please refer to the following example to try creating a new instance of an HTTP listener on all IPs.

     

    Example: Create instance of HTTP Listener on all IPs:

     

      winrm create winrm/config/Listener?Address=*+Transport=HTTP @{Host;CertificateThumbprint="XXXXXXXXXX"}

     

    Note: XXXXXXXXXX represents a 40-digit hex string; see help config.

     

    Meanwhile, for your reference, you can follow this TechNet blog to troubleshoot it further.

     

    WinRM (Windows Remote Management) Troubleshooting

    http://blogs.technet.com/jonjor/archive/2009/01/09/winrm-windows-remote-management-troubleshooting.aspx

     

    Hope this can be helpful.

     

    Best Regards,

    David Shen


  • Saturday, October 24, 2009 2:06 AM, ChasBoston
     

    That was it. 

    As you could see from the output in the enum listener command, there is a GPO affecting this.  When I created the setting in the GPO, I left both IPv6 Filter and IPv4 Filter fields blank, which tells it not to listen on any addresses.  After I put an (*) in the IPv4 Field, then ran gpupdate, netstat -a showed that it was now listening on port 5985 and I could connect remotely.

    Thanks much.
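
The root cause found in this thread (a GPO-sourced listener whose IPv4 and IPv6 filters were left blank, giving ListeningOn = null) can be checked mechanically from the listener output and the policy's filter values. This is an added example, not code from the thread or from Microsoft: the function names are hypothetical, the filter values are passed in by hand as they appear in the policy setting, and treating a bare address as a one-address range is an assumption.

```python
import ipaddress

# Constructed sample: the listener output quoted in the thread, as text.
SAMPLE = '''Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = null
'''

def parse_listeners(text):
    """Turn `winrm enum winrm/config/listener` output into a list of dicts."""
    listeners = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Listener"):
            source = line.split('Source="')[1].split('"')[0] if 'Source="' in line else "Local"
            listeners.append({"Source": source})
        elif line and listeners:
            key, _, value = line.partition("=")
            listeners[-1][key.strip()] = value.strip()
    return listeners

def filter_allows(flt, host_ips):
    """Addresses a policy filter selects: '' -> none, '*' -> all, else 'ip1-ip2' ranges."""
    ips = [ipaddress.ip_address(i) for i in host_ips]
    flt = flt.strip()
    if flt in ("", "*"):
        return ips if flt == "*" else []
    allowed = []
    for rng in flt.split(","):
        lo, _, hi = rng.strip().partition("-")
        lo = ipaddress.ip_address(lo.strip())
        hi = ipaddress.ip_address(hi.strip()) if hi else lo  # assumption: bare IP = one-address range
        allowed += [i for i in ips if i.version == lo.version and lo <= i <= hi and i not in allowed]
    return allowed

def diagnose(listener_text, ipv4_filter, ipv6_filter, host_ips):
    """Return (listener, reason) findings for enabled listeners bound to nothing."""
    v4 = [i for i in host_ips if ":" not in i]
    v6 = [i for i in host_ips if ":" in i]
    expected = filter_allows(ipv4_filter, v4) + filter_allows(ipv6_filter, v6)
    findings = []
    for l in parse_listeners(listener_text):
        bound = l.get("ListeningOn", "null")
        if l.get("Enabled") == "true" and bound in ("null", ""):
            why = ("policy filters select no local address" if l["Source"] == "GPO" and not expected
                   else "no address bound; check filters and interfaces")
            findings.append((f'{l["Transport"]}/{l["Port"]} [{l["Source"]}]', why))
    return findings
```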

  • Monday, October 26, 2009 2:17 AM, David Shen - MSFT (Moderator)
     

    Hi ChasBoston,

     

    I am glad to hear that you have resolved the issue.

     

    If you have any other questions about Windows Server systems, you are welcome to post in our TechNet forum.

     

    Best Regards,

    David Shen


  • Sunday, November 08, 2009 7:37 PM, CNenad
     

    Hi there :) I came here craving help with remote management using Server Manager from a Windows 7 domain-joined workstation to a standalone Windows 2008 R2 Core Standard server, which is in a workgroup. I have already done a whole bunch of mumbo jumbo configs so I can connect to the server from Windows 7 with Computer Management or with Hyper-V Manager (using the HVRemote config scripts), because the server has the Hyper-V role installed, but I still cannot connect with Server Manager. Here are the WinRM config results from the server and the client. Just to note, I already entered the server name as a trusted host on the client, and the account with which I am logged in on the client is a domain admin account that has the same name and password as the local administrator account on the server.

    from server:

    winrm get winrm/config
    Config
    MaxEnvelopeSizekb = 150
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 15
        EnumerationTimeoutms = 60000
        MaxConnections = 25
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 180000
        MaxConcurrentUsers = 5
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 15
        MaxMemoryPerShellMB = 150
        MaxShellsPerUser = 5

    from client:

    C:\Windows\system32>winrm get winrm/config
    Config
        MaxEnvelopeSizekb = 150
        MaxTimeoutms = 60000
        MaxBatchItems = 32000
        MaxProviderRequests = 4294967295
        Client
            NetworkDelayms = 5000
            URLPrefix = wsman
            AllowUnencrypted = false
            Auth
                Basic = true
                Digest = true
                Kerberos = true
                Negotiate = true
                Certificate = true
                CredSSP = false
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            TrustedHosts = krut
        Service
            RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
            MaxConcurrentOperations = 4294967295
            MaxConcurrentOperationsPerUser = 15
            EnumerationTimeoutms = 60000
            MaxConnections = 25
            MaxPacketRetrievalTimeSeconds = 120
            AllowUnencrypted = false
            Auth
                Basic = false
                Kerberos = true
                Negotiate = true
                Certificate = false
                CredSSP = false
                CbtHardeningLevel = Relaxed
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            IPv4Filter = *
            IPv6Filter = *
            EnableCompatibilityHttpListener = false
            EnableCompatibilityHttpsListener = false
            CertificateThumbprint
        Winrs
            AllowRemoteShellAccess = true
            IdleTimeout = 180000
            MaxConcurrentUsers = 5
            MaxShellRunTime = 2147483647
            MaxProcessesPerShell = 15
            MaxMemoryPerShellMB = 150
            MaxShellsPerUser = 5

    Just a few more observations at the end of this long post :( When I run it from a non-elevated cmd prompt on the client, I get this response:

    WSManFault
        Message = Access is denied.

    Error number:  -2147024891 0x80070005
    Access is denied.

    In the end I'm thinking that such armoring from Microsoft, so that remote administration tools don't work with just one or two config clicks, is really a pain in the a.. :)

    Thanks for any response or help, and best regards.