Server Manager Breaks with only WinRM SSL Configured

  • Question

  • We are just beginning to deploy 2012 R2 to our domain. We have WinRM HTTPS configured on all of our 2008 R2 servers (we don't manage these through Server Manager yet). On 2012 servers we delete the HTTP listener and configure the HTTPS listener; however, in Server Manager we get 'online verify winrm 3.0 service is installed running and required firewall ports are open winrm ssl'.

    If I enable http listener, this goes away and we can manage using server manager.

    If I go through PowerShell with just HTTPS configured, I can enter-pssession with the -usessl flag.

    Is this a bug in server manager that it can't handle ssl? Is there a way to configure it?

    Wednesday, August 3, 2016 2:32 PM

All replies

  • Hi,

    What you are seeing is a behavior by design, as

    "Server Manager relies on default WinRM listener settings on the remote servers that you want to manage. If the default authentication mechanism or the WinRM listener port number on a remote server has been changed from default settings, Server Manager cannot communicate with the remote server."

    Quoted from this article below:

    Configure Remote Management in Server Manager
    https://technet.microsoft.com/en-us/library/hh921475(v=ws.11).aspx

    Best Regards,
    Amy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Amy Wang_ Thursday, August 4, 2016 10:52 AM
    Thursday, August 4, 2016 10:48 AM
  • Thanks for that Amy,

    So to clarify, there is no way to securely use Server Manager?

    Friday, August 5, 2016 5:04 PM
  • Hi,

    It would still be secure; it only requires the following default WinRM listener settings:

    • The WinRM service is running.
    • A WinRM listener is created to accept HTTP requests through port number 5985.
    • Port number 5985 is enabled in Windows Firewall settings to allow requests through WinRM.
    • Both Kerberos and Negotiate authentication types are enabled.

    Best Regards,

    Amy



    Monday, August 8, 2016 2:34 AM
  • "A WinRM listener is created to accept HTTP requests through port number 5985."

    So it's transmitted insecurely then. It doesn't seem like it is secure to me. This is a flaw in 2012 R2.

    Monday, August 8, 2016 11:50 AM
  • Hi,

    According to this article below, the setting AllowUnencrypted is false by default, which doesn’t allow the client computer to request unencrypted traffic.

    Installation and Configuration for Windows Remote Management

    https://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx

    Best Regards,

    Amy



    • Proposed as answer by Amy Wang_ Monday, August 22, 2016 2:28 PM
    • Marked as answer by Amy Wang_ Monday, August 29, 2016 2:41 AM
    Friday, August 12, 2016 9:36 AM
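
Added example (not part of the original thread, and not Microsoft's code): a PowerShell audit of the settings this thread discusses, namely the four default listener settings Server Manager relies on and the AllowUnencrypted values, run locally in an elevated session. The function names Get-WinRMListenerSummary and Test-WsmanFlag are made up for this illustration; the script assumes Windows Server 2012 or later, where the NetSecurity firewall cmdlets are available.

```powershell
# Added example: report the local WinRM settings named in this thread.
# Function names are illustrative; run elevated on the machine to audit.

function Get-WinRMListenerSummary {
    # Each child of WSMan:\localhost\Listener is one listener; its Keys
    # property holds strings such as "Transport=HTTP" and "Address=*".
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $listener = $_
        $settings = @{}
        Get-ChildItem $listener.PSPath | ForEach-Object { $settings[$_.Name] = $_.Value }
        $transport = $listener.Keys | Where-Object { $_ -like 'Transport=*' }
        [pscustomobject]@{
            Transport = $transport -replace '^Transport=', ''
            Port      = [int]$settings['Port']
            Enabled   = $settings['Enabled'] -eq 'true'
        }
    }
}

function Test-WsmanFlag([string]$Path) {
    # WSMan leaf values are returned as the strings "true" / "false".
    (Get-Item $Path).Value -eq 'true'
}

$listeners = @(Get-WinRMListenerSummary)

# Enabled inbound allow rules whose local TCP port includes 5985.
$rules5985 = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '5985' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

[pscustomobject]@{
    WinRMServiceRunning     = (Get-Service WinRM).Status -eq 'Running'
    HttpListenerOn5985      = [bool]($listeners | Where-Object {
                                  $_.Transport -eq 'HTTP' -and $_.Port -eq 5985 -and $_.Enabled })
    HttpsListenerPresent    = [bool]($listeners | Where-Object { $_.Transport -eq 'HTTPS' -and $_.Enabled })
    FirewallAllows5985      = $rules5985.Count -gt 0
    KerberosEnabled         = Test-WsmanFlag 'WSMan:\localhost\Service\Auth\Kerberos'
    NegotiateEnabled        = Test-WsmanFlag 'WSMan:\localhost\Service\Auth\Negotiate'
    ServiceAllowUnencrypted = Test-WsmanFlag 'WSMan:\localhost\Service\AllowUnencrypted'
    ClientAllowUnencrypted  = Test-WsmanFlag 'WSMan:\localhost\Client\AllowUnencrypted'
}
```

For the configuration described in the replies above, the first six properties except HttpsListenerPresent should be True and both AllowUnencrypted values should be False.
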
  • Hi,

    Is further assistance required at the moment?

    Best Regards,

    Amy



    Thursday, August 25, 2016 11:58 AM