Score:1

Enter-PSSession: receiving access denied on non domain remote server

pl flag

I am struggling to open a remote PS session on a remote server (Windows Server 2022 Standard). The remote server is not part of a domain.

When running the command

Enter-PSSession -ComputerName server01 -Credential server01\administrator

I receive "Access is denied".

What I have done:

  • server
    • Enable-PSRemoting
    • Enable-WSManCredSSP -Role server
  • client
    • Add-Content -Path C:\Windows\System32\drivers\etc\hosts -Value "`n192.168.1.250`tserver01"
    • winrm quickconfig
    • Set-Item WSMan:\localhost\Client\TrustedHosts -Value server01

When executing on client

Enter-PSSession -ComputerName server01 -Credential server01\administrator

and entering the password I receive:

Enter-PSSession : Beim Verbinden mit dem Remoteserver "server01" ist folgender Fehler aufgetreten: Zugriff verweigert Weitere Informationen finden Sie im Hilfethema "about_Remote_Troubleshooting".
In Zeile:1 Zeichen:1
+ Enter-PSSession -ComputerName server01 -Credential server01\administrator
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (server01:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

When executing on the client

winrm identify -r:http://server01:5985 -u:server01\Administrator -p:secret

I receive

WSManFault
    Message = Zugriff verweigert

Fehlernummer: -2147024891 0x80070005
Zugriff verweigert

What am I missing?

UPDATE:

In winrm config I set Auth/Basic and AllowUnencrypted to true (both client and service) - same result. I then configured HTTPS access with a self signed certificate - same result.

As there is no entry in Microsoft-Windows-Windows Remote Management/Operational on server side it looks like the request is blocked on client side. Test-NetConnection -ComputerName server01 -Port 5985 succeeds (as it does with port 5986).

Score:1
us flag

Because you are using non-domain users, my first guess would be that UAC might be blocking you.

I'd say this error is raised by the client, so first try with UAC disabled on the client. If this does not work, disable UAC on the server.

If it is not UAC related I could imagine that this local admin account needs to be member of the Remote Management Users group on the server.

At least that's what I'd try next.

Abid avatar
pl flag
Unfortunately, neither disabling UAC nor adding the user to the `Remote Management Users` group helped.
Score:1
cn flag

You need to include the output of winrm get winrm/config on the server. Using Basic authentication over HTTP sends the credentials over the network and to the host unencrypted, so it is usually disabled by default for the Service.

Also check the Windows Remote Management event log (Microsoft-Windows-Windows Remote Management/Operational).

winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false        **
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647
Abid avatar
pl flag
Changing winrm config did not help unfortunately. Please see the question's update.
cn flag
@Abid: `As there is no entry in Microsoft-Windows-Windows Remote Management/Operational on server side it looks like the request is blocked on client side.` This should be easily confirmed. You need to run a packet capture on the server to confirm if there is a connection, and if so what is in it. There should also be a second packet capture running concurrently on the client to perform a correlation. If the client isn't sending anything that simplifies things.
Abid avatar
pl flag
I ran a packet capture on the client side, where I noticed that the server *did respond* with a `401 Unauthorized`. So there was something wrong with the authentication. This led me to the solution. Thanks @Greg Askew!
Score:0
pl flag

I found the solution. I simply had to add -Authentication Basic to the Enter-PSSession command.

Full command:

Enter-PSSession -ComputerName server01 -Authentication Basic -Credential administrator

When using winrm identify I had to add -auth:basic:

winrm identify -r:http://server01:5985 -a:basic -u:Administrator -p:secret

It was that simple ...
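
An added example (not part of the original answers): a PowerShell check, run elevated on the client and on the server, that reports whether the settings changed in this thread let a Basic password cross the network outside TLS. The function name `Get-WinRMBasicAuthExposure` is hypothetical; the WSMan: paths are the same settings shown in the `winrm get winrm/config` output above.

```powershell
# Added example, not from the thread. Run in an elevated session:
# reading the WSMan: drive needs administrator rights.
function Get-WinRMBasicAuthExposure {
    [CmdletBinding()]
    param()

    # WSMan settings come back as the strings "true"/"false".
    $flag = { param($Path) [Convert]::ToBoolean((Get-Item -Path $Path).Value) }

    foreach ($role in 'Client', 'Service') {
        $basic = & $flag "WSMan:\localhost\$role\Auth\Basic"
        $plain = & $flag "WSMan:\localhost\$role\AllowUnencrypted"
        [pscustomobject]@{
            Setting = "$role Basic=$basic AllowUnencrypted=$plain"
            # Basic is only base64-encoded, so without TLS the password
            # is readable in a packet capture like the one in the comments.
            Risk    = if ($basic -and $plain) { 'Password can cross HTTP in cleartext' } else { 'OK' }
        }
    }

    # '*' lets the client offer credentials to any host name.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    [pscustomobject]@{
        Setting = "Client TrustedHosts='$trusted'"
        Risk    = if ($trusted -eq '*') { 'Wildcard: restrict to named hosts' } else { 'OK' }
    }

    # An HTTPS listener is what makes Basic usable without AllowUnencrypted.
    $transports = @(Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate).Transport
    [pscustomobject]@{
        Setting = "Listeners: $($transports -join ', ')"
        Risk    = if ($transports -contains 'HTTPS') { 'OK' } else { 'No HTTPS listener here (expected on a client)' }
    }
}

Get-WinRMBasicAuthExposure | Format-Table -AutoSize -Wrap

# With an HTTPS listener on the server and its certificate trusted by the
# client (assumption: the certificate subject matches server01), Basic
# stays inside TLS and AllowUnencrypted can go back to false:
#   Enter-PSSession -ComputerName server01 -UseSSL -Authentication Basic -Credential administrator
```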
