I am troubleshooting an issue I have with a PRTG sensor not collecting Windows Update information from one of our servers. It is using WinRM and a remote PowerShell command to do that.
Server 1 - Issue Server
Server 2 - Working Server
When I try to use Enter-PSSession -ComputerName Server1 or winrs -r:Server1 dir to test the connection I keep getting the following errors:
PS C:\WINDOWS\system32> winrs -r:Server1 dir
Winrs error:WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
If I run the command on any of our other servers the connection is successful, this is the only one giving me trouble.
If I run the command Enter-PSSession with the -Credential switch with my user account I get the same error, but if I run the command and specify the local administrator account of the server it will connect. Other servers work fine.
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -Credential Server1\administrator
[Server1]: PS C:\Users\Administrator\Documents> exit
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server1 -credential domain\myuser
Enter-PSSession : Connecting to remote server Server1 failed with the following error message : WinRM cannot process the request. The
following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName Server1 -credential alpenaw2k.local\kemp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Server1:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
PS C:\WINDOWS\system32> Enter-PSSession -ComputerName Server2
[Server2]: PS C:\Users\user\Documents> exit
PS C:\WINDOWS\system32>
If I run New-PSSession from the local server I will get the same error, unless I specify the -EnableNetworkAccess switch, and then it will connect. This confuses me. Event Viewer gives me Event ID 161 related to user authentication and error 142 for the session failing to create.
If I run Test-WSMan from the local server and from a remote host it shows it running.
Here is the WinRM config and the listener config:
PS C:\Windows\system32> winrm get winrm/config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = 10.10.10.142
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
PS C:\Windows\system32> winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 10.10.10.87, 127.0.0.1, ::1, fe80::4579:db85:c9cb:ead0%6
Other things I have tried:
- I have no GPO settings in place for WinRM.
- I have deleted and recreated the listener.
- I have reset the config of WinRM several times.
- Windows Advanced Firewall is disabled for Public, Private, and Domain networks.
- I have checked the Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI permissions and the privileges seem okay.
- I have used IP addresses instead of hostnames with the same results.
- I have added my computer to the trusted host list and it does not work. This shouldn't be necessary though, as both computers are on the same domain.
- Ran Enable-PSRemoting -Force (although this should be unnecessary, as WinRM is enabled by default for Server 2012 and forward).
- I have added my user to the Local Administrators and Remote Management Users on the server with no luck.
- I have adjusted the registry with REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 and this does not work regardless of its value.
- I have rebooted and ran sfc /scannow as a last ditch effort.
Specs of the server, workstation, and my user:
- My domain account is a Domain Administrator.
- Server is Windows Server 2019 Standard.
- Workstation is Windows 10 Pro.
- PowerShell Version 5 for both.
- Both computers are on the same domain.
- Both computers are up to date.
I could use the local administrator account to poll this information and fix my immediate problem, but that doesn't fix the underlying issue.
From the remote server there are no error entries in the Windows Remote Management Log, but on my computer I have these:
Error Event ID - 142
WSMan operation Enumeration failed, error code 2150858909
Error Event ID - 49
The WinRM protocol operation failed due to the following error: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config..
Error Event ID - 161
WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
I can RDP into the server just fine, that's how I have been doing some of the local tests.
I tested these two commands:
gwmi win32_operatingsystem -ComputerName Server1 executes normally with no issue, both when specifying the remote server and when RDPing in to run it locally.
Get-CimInstance win32_operatingsystem -ComputerName Server1 I cannot run from my workstation, but if I RDP into the server and run it, it will execute normally.
The output of SetSPN -X returns no overlapping SPNs.
The output of SetSPN -L returns:
Registered ServicePrincipalNames for CN=Server1,OU=Servers,OU=Organization,DC=Organization,DC=LOCAL:
TERMSRV/Server1.DOMAIN.LOCAL
WSMAN/Server1.DOMAIN.LOCAL
RestrictedKrbHost/Server1.DOMAIN.LOCAL
HOST/Server1.DOMAIN.LOCAL
TERMSRV/Server1
WSMAN/Server1
RestrictedKrbHost/Server1
HOST/Server1
Any and all suggestions are greatly appreciated.
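An added diagnostic script, not from the original post, that runs the checks the post touches on from the workstation side in one pass: it tests the listener with Kerberos and Negotiate separately (an unauthenticated Test-WSMan does not exercise Kerberos at all), asks the KDC for a ticket for the WSMAN SPN, repeats the setspn checks, and pulls the client-side WinRM events 49/142/161. The names Server1 and Server1.DOMAIN.LOCAL are the hypothetical ones from the post.

```powershell
# Added example, not the poster's code: WinRM/Kerberos diagnostics run from the
# workstation. Server1 / DOMAIN.LOCAL are the hypothetical names used in the post.
param(
    [string]$Server = 'Server1',
    [string]$Fqdn   = 'Server1.DOMAIN.LOCAL'
)

$results = [ordered]@{}

# 1. Unauthenticated Test-WSMan only proves the listener answers; it says nothing
#    about Kerberos. Test each authentication mechanism on its own.
foreach ($auth in 'Kerberos', 'Negotiate') {
    try {
        $null = Test-WSMan -ComputerName $Fqdn -Authentication $auth -ErrorAction Stop
        $results["WSMan $auth"] = 'OK'
    } catch {
        $results["WSMan $auth"] = $_.Exception.Message.Split("`n")[0]
    }
}

# 2. Ask the KDC for a service ticket for the WSMAN SPN. If no ticket comes back,
#    the problem is on the AD/SPN side rather than in the WinRM listener.
$ticket = klist get "WSMAN/$Fqdn" 2>&1
$results['Ticket for WSMAN SPN'] =
    if ($ticket -match 'Server:\s+WSMAN/') { 'issued' } else { ($ticket -join ' ').Trim() }

# 3. Registered SPNs on the computer account, and duplicates across the forest
#    (the same two setspn commands the post already ran).
$results['Registered SPNs'] =
    (setspn -L $Server | Where-Object { $_ -match '^\s+\S+/' } | ForEach-Object { $_.Trim() }) -join ', '
$results['Duplicate SPNs'] = (setspn -X | Select-String 'found \d+ group') -join '; '

# 4. Client-side WinRM events from the last hour (IDs the post saw: 142, 161, 49)
#    so each failed attempt above can be matched to its log entry.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WinRM/Operational'
    Id        = 49, 142, 161
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue
$results['WinRM client events (1h)'] =
    ($events | ForEach-Object { "$($_.Id): $($_.Message.Split("`n")[0])" }) -join "`n"

# 5. The secure-channel check has to run on the server itself (over RDP, as the
#    post does for its local tests); a broken channel breaks domain auth only.
$results['Run on the server via RDP'] = 'Test-ComputerSecureChannel -Verbose ; nltest /sc_verify:DOMAIN.LOCAL'

$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

If the Kerberos test fails while Negotiate with a domain account also fails, compare the "Ticket for WSMAN SPN" line first: a ticket that is issued points away from SPN registration and toward the server's own account or secure channel.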