powershell winrm https access denied

  • Question

  • Trying to connect to Exchange. In the two commands below, using the same user account, http works, but https gives me "access denied."

     enter-pssession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri http://mailserver/PowerShell/ `
            -Authentication Kerberos

     enter-pssession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri https://mailserver/PowerShell/ `
            -Authentication Kerberos


    on the target server:

    C:\Windows\system32>winrm quickconfig -transport:https
    WinRM already is set up to receive requests on this machine.
    WinRM already is set up for remote management on this machine.

    Why would one user get "access denied" for https when he can log in with http?

    Thursday, May 12, 2016 9:18 PM

All replies

  • There is some missing information that could be useful, such as if you are using WinRM2.0.  If so, WinRM's HTTPS listener listens on port 5986, and will not listen on port 443 unless the EnableCompatibilityHttpsListener setting is set to True.  Although, the same would be true for the HTTP listener as well, but with port 5985 instead of 80.  The other thing that comes to mind is check your firewall settings for those ports.  Quickconfig should create an opening in the ICF for those ports, but if you use a third party firewall those exceptions may not be there.

    If you need additional information about the default settings set in WinRM you can check here:

    https://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx

    Thursday, May 12, 2016 10:46 PM
  • You must configure HTTPS specifically: https://support.microsoft.com/en-us/kb/2019527


    \_(ツ)_/

    Thursday, May 12, 2016 10:51 PM
  • That's already been done. From my original post:

    "

    on the target server:

    C:\Windows\system32>winrm quickconfig -transport:https
    WinRM already is set up to receive requests on this machine.
    WinRM already is set up for remote management on this machine.

    "

    Friday, May 13, 2016 12:23 AM
  • The target is a Windows 2008 R2 server. This was actually all working fine on 443 until recently. I believe it broke when we changed the Exchange server's certificate. I realized it was broken because some System Center Orchestrator stuff that calls Exchange shell commands (over https 443) started throwing SSL errors. The "access denied" errors are coming from manual PowerShell testing, but I would assume that if the wrong TCP port were the culprit, I wouldn't be getting far enough to receive an "access denied" error. (And again, port 80 works fine.)

    Friday, May 13, 2016 12:28 AM
  • That's already been done. From my original post:

    "

    on the target server:

    C:\Windows\system32>winrm quickconfig -transport:https
    WinRM already is set up to receive requests on this machine.
    WinRM already is set up for remote management on this machine.

    "

    Did you install a certificate when you configured the server?  Check the certificate.  It has to be a primary cert and cannot be self-signed.  You will not have a good machine cert without having an on-premise CA or a commercial cert.


    \_(ツ)_/


    • Edited by jrv Friday, May 13, 2016 12:31 AM
    Friday, May 13, 2016 12:31 AM
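
    One way to carry out the certificate check suggested above from the client side, as an added example that is not part of any post in this thread. The function name is hypothetical; `mailserver` and port 443 are taken from the thread, and the script only completes a TLS handshake and reports on the certificate the server presents.

```powershell
# Added example (not from the thread). Test-TlsEndpointCertificate is a hypothetical name.
function Test-TlsEndpointCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $state = @{ Errors = $null; Cert = $null }

    # Record the validation result, then accept the certificate so the
    # handshake completes and the certificate can be inspected. No
    # credentials or application data are sent on this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        if ($certificate) {
            $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        }
        $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name validated here must be the host used in -ConnectionUri.
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    }
    finally { $tcp.Close() }

    $c = $state.Cert
    if (-not $c) { throw "No certificate was presented by ${HostName}:$Port" }
    New-Object PSObject -Property @{
        Subject      = $c.Subject
        Issuer       = $c.Issuer
        DnsName      = $c.GetNameInfo('DnsName', $false)
        NotBefore    = $c.NotBefore
        NotAfter     = $c.NotAfter
        Expired      = ((Get-Date) -gt $c.NotAfter)
        SelfSigned   = ($c.Subject -eq $c.Issuer)
        Thumbprint   = $c.Thumbprint
        # None, RemoteCertificateNameMismatch and/or RemoteCertificateChainErrors
        PolicyErrors = $state.Errors
    }
}

Test-TlsEndpointCertificate -HostName mailserver | Format-List
```

    A `PolicyErrors` value other than `None` means the client does not trust the certificate as presented for that host name; the `Thumbprint` can be compared with the certificate that was recently installed on the server.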
  • The target is a Windows 2008 R2 server. This was actually all working fine on 443 until recently. I believe it broke when we changed the Exchange server's certificate. I realized it was broken because some System Center Orchestrator stuff that calls Exchange shell commands (over https 443) started throwing SSL errors. The "access denied" errors are coming from manual PowerShell testing, but I would assume that if the wrong TCP port were the culprit, I wouldn't be getting far enough to receive an "access denied" error. (And again, port 80 works fine.)

    Upgrading PowerShell without correct Exchange Updates can cause this.  Exchange 2010 uses 443 and requires PS V2.  WMF 3 and later use 5586 and not 443.  You can configure legacy support for 443 or upgrade Exchange.

    Post in Exchange forum for your Exch version.  They will step you through the issues.


    \_(ツ)_/


    • Edited by jrv Friday, May 13, 2016 12:35 AM
    Friday, May 13, 2016 12:33 AM