Server 2012 - Server Manager "WinRM Negotiate authentication error"

    Question

  • I have two VMs in a workgroup, server1 and server2. Server1 has a GUI and Server2 is a core install.

    I'm trying to manage server2 from server1.

    When I add server2 to Server Manager console on server1, I immediately get a "WinRM Negotiate authentication error". I've tried several tips from people posted on the web, but I can't figure out how to solve this and what it's complaining about.

    Suggestions?

    Thank you,
    Ed

    Wednesday, November 14, 2012 11:42 PM

Answers

    1. On the computer that is running Server Manager, add the workgroup server name to the TrustedHosts list. This is a requirement of NTLM authentication. To add a computer name to an existing list of trusted hosts, add the Concatenate parameter to the command. For example, to add the Server01 computer to an existing list of trusted hosts, use the following command.

      Set-Item wsman:\localhost\Client\TrustedHosts Server01 -Concatenate -Force
      
    2. Determine whether the workgroup server that you want to manage is in the same subnet as the computer on which you are running Server Manager.

      If the two computers are in the same subnet, or if the workgroup server’s network profile is set to Private in the Network and Sharing Center, go on to the next step.

      If they are not in the same subnet, or if the workgroup server’s network profile is not set to Private, on the workgroup server, change the inbound Windows Remote Management (HTTP-In) setting in Windows Firewall to explicitly allow connections from remote computers by adding the computer names on the Computers tab of the setting’s Properties dialog box.

    3. Security Note
      Running the cmdlet in this step overrides User Account Control (UAC) measures that prevent elevated processes from running on workgroup computers unless the built-in Administrator or the System account is running the processes. The cmdlet lets members of the Administrators group manage the workgroup server without logging on as the built-in Administrator. Allowing additional users to manage the workgroup server can reduce its security; however, this is more secure than providing built-in Administrator account credentials to what might be multiple people who are managing the workgroup server.

      To override UAC restrictions on running elevated processes on workgroup computers, create a registry entry called LocalAccountTokenFilterPolicy on the workgroup server by running the following cmdlet.

      New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1
      
    4. On the computer on which you are running Server Manager, open the All Servers page.

    5. If the computer that is running Server Manager and the target workgroup server are in the same workgroup, skip to the last step. If the two computers are not in the same workgroup, right-click the target workgroup server in the Servers tile, and then click Manage as.

    6. Log on to the workgroup server by using the built-in Administrator account for the workgroup server.

    7. Verify that Server Manager is able to connect to and collect data from the workgroup server by refreshing the All Servers page, and then viewing the manageability status for the workgroup server.

    1. On the computer that is running Server Manager, add remote servers to the local computer’s TrustedHosts list in a Windows PowerShell session. To add a computer name to an existing list of trusted hosts, add the Concatenate parameter to the command. For example, to add the Server01 computer to an existing list of trusted hosts, use the following command.

      Set-Item wsman:\localhost\Client\TrustedHosts Server01 -Concatenate -Force
      
    2. Determine whether the server that you want to manage is in the same subnet as the workgroup computer on which you are running Server Manager.

      If the two computers are in the same subnet, or if the workgroup computer’s network profile is set to Private in the Network and Sharing Center, go on to the next step.

      If they are not in the same subnet, or if the workgroup computer’s network profile is not set to Private, on the workgroup computer that is running Server Manager, change the inbound Windows Remote Management (HTTP-In) setting in Windows Firewall to explicitly allow connections from remote computers by adding the computer names on the Computers tab of the setting’s Properties dialog box.

    3. On the computer on which you are running Server Manager, open the All Servers page.

    4. Verify that Server Manager is able to connect to and collect data from the remote server by refreshing the All Servers page, and then viewing the manageability status for the remote server. If the Servers tile still displays a manageability error for the remote server, go on to the next step.

    5. Log off of the computer on which you are running Server Manager, and then log on again by using the built-in Administrator account. Repeat the preceding step, to verify that Server Manager is able to connect to and collect data from the remote server.

    If you have followed the procedures in this section, and you continue to have problems managing workgroup computers, or managing other computers from workgroup computers, see about_Remote_Troubleshooting on the Microsoft website.

    Refer to: Add Servers to Server Manager

    http://technet.microsoft.com/en-us/library/hh831453.aspx

    Friday, November 16, 2012 6:48 AM
    Moderator
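
A way to confirm from PowerShell what the workgroup-server procedure in the answer above leaves behind, and to test the connection without the Server Manager GUI. This is an added example, not part of the moderator's answer or the TechNet article; the function names are hypothetical, `Server01` is the answer's own sample name, and the firewall display group name assumes an English-language install.

```powershell
# Added example; not from the thread. Function names are hypothetical.

function Get-WorkgroupServerRemotingState {
    # Run ON the workgroup server (works in a Server Core PowerShell session).
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop  = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Where-Object { $_.Enabled -eq 'True' }

    [pscustomobject]@{
        WinRMService      = (Get-Service -Name WinRM).Status
        # 1 = step 3 applied: members of Administrators are not UAC-filtered remotely.
        # 'not set' or 0 = remote elevation stays limited to the built-in Administrator.
        TokenFilterPolicy = if ($prop) { $prop.LocalAccountTokenFilterPolicy } else { 'not set' }
        # Step 2: anything other than Private means the HTTP-In rule needs review.
        NetworkCategory   = (Get-NetConnectionProfile).NetworkCategory -join ', '
        EnabledWinRMRules = ($rules | ForEach-Object { "$($_.Name) [$($_.Profile)]" }) -join '; '
    }
}

function Test-WorkgroupServerWinRM {
    # Run on the Server Manager computer after step 1 (TrustedHosts).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    try {
        # Authenticated WS-Man identify request over Negotiate,
        # the mechanism named in the Server Manager error.
        $id = Test-WSMan -ComputerName $ComputerName -Authentication Negotiate `
                         -Credential $Credential -ErrorAction Stop
        [pscustomobject]@{ ComputerName = $ComputerName; Ok = $true;  Detail = $id.ProductVersion }
    } catch {
        [pscustomobject]@{ ComputerName = $ComputerName; Ok = $false; Detail = $_.Exception.Message }
    }
}

# On the workgroup server:
#   Get-WorkgroupServerRemotingState
# On the Server Manager computer:
#   Test-WorkgroupServerWinRM -ComputerName Server01 -Credential (Get-Credential Server01\Administrator)
```

If `TokenFilterPolicy` reports 1 on a server that is later joined to a domain or no longer managed this way, the value can be reviewed and set back to 0.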

All replies

  • I seem to be having difficulty with the same problem. Trying to set up a Windows 8 workstation to manage remotely a Hyper-V 2012 server.

    I have some level of remote control (PowerShell works, most MMC snap-ins work as well, VMM works). So in a way I'm able to manage the core server. My goal is to configure the disk I have in a storage pool, and even though I was able to kind-of set it up and create virtual drives, I'm still struggling to make sense of the way storage spaces use the raw space on disks. I had a look at storage spaces in some virtual labs, and it's a bit more understandable when done through the GUI as opposed to PowerShell.

    I tried to follow the above steps and many other tips I have found, but none resulted in a solution yet.

    Based on this TechNet article

    http://social.technet.microsoft.com/wiki/contents/articles/13444.windows-server-2012-server-manager-troubleshooting-guide-part-ii-troubleshoot-manageability-status-errors-in-server-manager.aspx

    it's suggesting that the server to be managed needs to be added to the list of TrustedHosts on the management computer, but that's been done already.

    Is there anything else that would help me to resolve this problem?

    Thanks


    Monday, May 27, 2013 9:07 PM
  • Found this article and running the below command in PowerShell worked... not sure if it meets best practices or not.

    remilner.co.uk/managing-remote-workgroup-servers-with-server-manager/

    "
    You need to add the Server as a “Trusted” Host in the WSMAN file. If you run the following PowerShell script:

    Set-Item wsman:\localhost\Client\TrustedHosts SERVERNAME -Concatenate -Force

    "

    • Proposed as answer by MattS13 Tuesday, September 17, 2013 2:15 PM
    Tuesday, September 17, 2013 2:15 PM
  • Did you ever solve this?  I went through all the same steps and was unable to resolve the issue.  Still cannot connect to the Server.
    Friday, August 29, 2014 12:11 AM
  • Follow the steps outlined above, up to the point of

    "..change the inbound Windows Remote Management (HTTP-In) setting in Windows Firewall to explicitly allow connections from remote computers by adding the computer names on the Computers tab of.."

    You can enable those rules, but you don't need to change that.

    Along with adding the TrustedHosts with Set-Item, you need to add a value to CMDKEY with the account you'll be using to manage the remote server in the domain, i.e.:

    CMDKEY /add:<SERVERNETBIOSNAME> /user:<DOMAIN>\<ACCOUNT> /pass:<PASSWORD>
    

    Make certain that if there are any firewalls between your workgroup and the remote server domain, to permit communication between them. Also make sure that on the workstation, you are able to resolve the NETBIOS name of the server using PING. If not, you just need to ensure that the server has an "A" record in DNS with a PTR record.

    Then add the server in server manager via the DNS tab, use the NETBIOS name of the server, select the search icon and it should resolve to the IP address of the server.  Add to server manager.

    Now it should refresh without the WinRM errors.

    Saturday, November 01, 2014 4:48 PM
    1. On the computer that is running Server Manager, add the workgroup server name to the TrustedHosts list. This is a requirement of NTLM authentication. To add a computer name to an existing list of trusted hosts, add the Concatenate parameter to the command. For example, to add the Server01 computer to an existing list of trusted hosts, use the following command.

      Set-Item wsman:\localhost\Client\TrustedHosts Server01 -Concatenate -Force
      
    2. Determine whether the workgroup server that you want to manage is in the same subnet as the computer on which you are running Server Manager.

      If the two computers are in the same subnet, or if the workgroup server’s network profile is set to Private in the Network and Sharing Center, go on to the next step.

      If they are not in the same subnet, or if the workgroup server’s network profile is not set to Private, on the workgroup server, change the inbound Windows Remote Management (HTTP-In) setting in Windows Firewall to explicitly allow connections from remote computers by adding the computer names on the Computers tab of the setting’s Properties dialog box.

    3. Security Note
      Running the cmdlet in this step overrides User Account Control (UAC) measures that prevent elevated processes from running on workgroup computers unless the built-in Administrator or the System account is running the processes. The cmdlet lets members of the Administrators group manage the workgroup server without logging on as the built-in Administrator. Allowing additional users to manage the workgroup server can reduce its security; however, this is more secure than providing built-in Administrator account credentials to what might be multiple people who are managing the workgroup server.

      To override UAC restrictions on running elevated processes on workgroup computers, create a registry entry called LocalAccountTokenFilterPolicy on the workgroup server by running the following cmdlet.

      New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1
      
    4. On the computer on which you are running Server Manager, open the All Servers page.

    5. If the computer that is running Server Manager and the target workgroup server are in the same workgroup, skip to the last step. If the two computers are not in the same workgroup, right-click the target workgroup server in the Servers tile, and then click Manage as.

    6. Log on to the workgroup server by using the built-in Administrator account for the workgroup server.

    7. Verify that Server Manager is able to connect to and collect data from the workgroup server by refreshing the All Servers page, and then viewing the manageability status for the workgroup server.

    1. On the computer that is running Server Manager, add remote servers to the local computer’s TrustedHosts list in a Windows PowerShell session. To add a computer name to an existing list of trusted hosts, add the Concatenate parameter to the command. For example, to add the Server01 computer to an existing list of trusted hosts, use the following command.

      Set-Item wsman:\localhost\Client\TrustedHosts Server01 -Concatenate -Force
      
    2. Determine whether the server that you want to manage is in the same subnet as the workgroup computer on which you are running Server Manager.

      If the two computers are in the same subnet, or if the workgroup computer’s network profile is set to Private in the Network and Sharing Center, go on to the next step.

      If they are not in the same subnet, or if the workgroup computer’s network profile is not set to Private, on the workgroup computer that is running Server Manager, change the inbound Windows Remote Management (HTTP-In) setting in Windows Firewall to explicitly allow connections from remote computers by adding the computer names on the Computers tab of the setting’s Properties dialog box.

    3. On the computer on which you are running Server Manager, open the All Servers page.

    4. Verify that Server Manager is able to connect to and collect data from the remote server by refreshing the All Servers page, and then viewing the manageability status for the remote server. If the Servers tile still displays a manageability error for the remote server, go on to the next step.

    5. Log off of the computer on which you are running Server Manager, and then log on again by using the built-in Administrator account. Repeat the preceding step, to verify that Server Manager is able to connect to and collect data from the remote server.

    If you have followed the procedures in this section, and you continue to have problems managing workgroup computers, or managing other computers from workgroup computers, see about_Remote_Troubleshooting on the Microsoft website.

    Refer to: Add Servers to Server Manager

    http://technet.microsoft.com/en-us/library/hh831453.aspx

    Those Steps fixed everything!
    Monday, June 01, 2015 9:08 PM
  • Thank you! After trying various other sets of forum-post voodoo, setting TrustedHosts is what worked for me! Note that for me, let's say the server hostname is "Bob". However, that didn't work at first blush, but pinging "bob" resulted in it resolving back as "bob.lan". Once I added that, it worked!!

    --Seek Truth, and you will find Joy!

    Monday, November 23, 2015 6:13 AM
  • Bingo; that last part did it for me as well.  Finding the full host name by watching the reply from a ping gave me the correct name to set in Set-Item wsman: so thank you for spelling this out.  I'd been scratching my head for a while already but this made it really easy to comprehend.
    Monday, April 03, 2017 6:50 AM
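
The last two replies come down to the TrustedHosts entry not matching the name the connection actually uses (`bob` versus `bob.lan`). The check below is an added example, not code from any poster in this thread: it resolves the name through DNS instead of reading it off a ping reply, reports which form is covered by TrustedHosts, and adds only the missing name rather than a `*` entry. The function names are hypothetical, and the use of `-like` is an assumption that approximates WinRM's own matching.

```powershell
# Added example; not from the thread. Function names are hypothetical.

function Test-TrustedHostsCoverage {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Names the connection may use: the one typed, plus the one DNS hands back.
    $names = @($ComputerName)
    try {
        $names += [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    } catch {
        Write-Warning "Cannot resolve ${ComputerName}: $($_.Exception.Message)"
    }

    # TrustedHosts is a single comma-separated string; entries may contain '*'.
    $raw      = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $patterns = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    foreach ($name in ($names | Sort-Object -Unique)) {
        # Assumption: -like (case-insensitive, '*' wildcard) approximates WinRM's
        # matching. Special entries such as <local> or bracketed IPv6 are not modelled.
        $hit = $patterns | Where-Object { $name -like $_ } | Select-Object -First 1
        [pscustomobject]@{
            Name            = $name
            Covered         = [bool]$hit
            MatchedBy       = $hit
            # A bare '*' entry means NTLM credentials may be sent to any host.
            TrustsEveryHost = $patterns -contains '*'
        }
    }
}

function Add-MissingTrustedHost {
    # Adds only the names that are not yet covered, keeping the existing list.
    param([Parameter(Mandatory)][string]$ComputerName)
    Test-TrustedHostsCoverage -ComputerName $ComputerName |
        Where-Object { -not $_.Covered } |
        ForEach-Object {
            Set-Item WSMan:\localhost\Client\TrustedHosts -Value $_.Name -Concatenate -Force
        }
}

# Example (elevated session on the Server Manager computer):
#   Test-TrustedHostsCoverage -ComputerName bob
#   Add-MissingTrustedHost    -ComputerName bob
```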