WinRM "Access Denied" Cross Domain

I have SERVER1 in DOMAINA and SERVER2 in DOMAINB. There is a firewall between the domains. SERVER1 is running Windows 2012 R2 and SERVER2 is running Windows 2016 Std. SERVER1 is a domain controller and SERVER2 is a Windows Event Forwarding (WEF) collector. DOMAINA\SERVER3 is also a domain controller running Windows 2012 R2.

SERVER3 is using a certificate to send its Security event logs to the collector. This is working fine and has been for several months. I cannot get SERVER1 to send its logs to SERVER2. Here are the conditions and the problems:

  1. test-netconnection SERVER2 -port 5986: this command works from SERVER1 and SERVER3
  2. test-netconnection SERVER1 -port 5986: this command works from SERVER2 to SERVER1 or SERVER3
  3. NT AUTHORITY\Network Service has Read access to the certificates on SERVER1 and SERVER3
  4. winrm get winrm/config -r:https://SERVER2.DOMAINB.com:5986 -a:certificate -certificate:"SERVER1THUMBPRINT": This command fails from SERVER1 with "Access Denied"
  5. winrm get winrm/config -r:https://SERVER2.DOMAINB.com:5986 -a:certificate -certificate:"SERVER3THUMBPRINT": This command is successful from SERVER3 and returns the WinRM config of SERVER2
  6. I have matched every condition I know to match between SERVER1 and SERVER3
  7. I asked one of the firewall technicians to review logs and they cannot see any failures for the failing traffic

Our WEF environment uses certificates cross domain (DOMAINA) and Kerberos intra-domain (DOMAINB). We have configured a GPO for the WEF settings. We use an Active Directory security group for security filtering in the GPO. All this is working on other servers and ADCs in both domains. These are SOURCE initiated subscriptions.

What tests can I perform to help isolate this problem on SERVER1? SERVER2 event logs show the failure and so do logs on SERVER1:

SERVER1:

  • Microsoft-Windows-Eventlog-ForwardingPlugin/Operational

  • Event ID: 105

  • The forwarder is having a problem communicating with subscription manager at address https://SERVER2.DOMAINB.com:5986/wsman/SubscriptionManager/WEC. Error code is 2150858882 and Error Message is .

  • Microsoft-Windows-Windows Remote Management/Operational

  • Event ID: 164

  • The destination computer (SERVER2.DOMAINB.com) returned an 'access denied' error. Verify your credentials are correct.

  • Event ID: 142

  • WSMan operation Get failed, error code 5

SERVER2:

  • Microsoft-Windows-Windows Remote Management/Operational
  • Event ID: 192
  • The authorization of the user failed with error 5
  • User: NETWORK SERVICE
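
Added example (not part of the original post): one way to turn item 6, "matched every condition", into a field-by-field diff of the client certificates on SERVER3 (working) and SERVER1 (failing). The function names, the LocalMachine\My store location and the JSON file names are assumptions; Computer, Subject, DnsNames and the validity dates are expected to differ, so the fields of interest are the remaining ones.

```powershell
# Added example. Assumes the client certificate is in Cert:\LocalMachine\My.
# Get-ClientCertProfile and Compare-ClientCertProfile are hypothetical helper names.
function Get-ClientCertProfile {
    param([Parameter(Mandatory)] [string] $Thumbprint)   # value passed to -certificate:

    # Strip spaces and invisible characters that come along when a thumbprint is pasted
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction Stop

    # Build the chain on this machine and keep every status flag it reports
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotBefore        = $cert.NotBefore.ToString('u')
        NotAfter         = $cert.NotAfter.ToString('u')
        HasPrivateKey    = $cert.HasPrivateKey
        SignatureAlg     = $cert.SignatureAlgorithm.FriendlyName
        KeyAlgorithm     = $cert.PublicKey.Oid.FriendlyName
        DnsNames         = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        EnhancedKeyUsage = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName })
        ChainBuilds      = $chainOk
        ChainStatus      = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        # Issuing chain without the leaf, so the two servers are comparable
        IssuerChain      = @($chain.ChainElements | Select-Object -Skip 1 |
                             ForEach-Object { $_.Certificate.Thumbprint })
    }
}

function Compare-ClientCertProfile {
    param([Parameter(Mandatory)] $Reference, [Parameter(Mandatory)] $Candidate)
    # Emit one row per property whose value differs between the two profiles
    foreach ($name in $Reference.PSObject.Properties.Name) {
        $ref  = $Reference.$name -join '; '
        $cand = $Candidate.$name -join '; '
        if ($ref -ne $cand) {
            [pscustomobject]@{ Property = $name; Reference = $ref; Candidate = $cand }
        }
    }
}

# On SERVER1 and on SERVER3 (elevated), with that server's own thumbprint:
#   Get-ClientCertProfile -Thumbprint '<THUMBPRINT>' | ConvertTo-Json | Set-Content "$env:COMPUTERNAME.json"
# Then, with both files copied to one machine:
#   Compare-ClientCertProfile (Get-Content SERVER3.json -Raw | ConvertFrom-Json) `
#                             (Get-Content SERVER1.json -Raw | ConvertFrom-Json) | Format-Table -Wrap
```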