Question
Wednesday, June 11, 2014 1:49 AM
When I try to create a subscription on a GUI server I receive this error:
"The client could not start a valid listener to receive subscription events based on the specified input settings."
When I use WECUTIL on Server Core, I get the following error:
"The subscription is saved successfully, but it can't be activated at this time. Use retry-subscription command to retry the subscription. If subscription is running, you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8. The subscription fails to activate."
I have 1 WinRM GPO configured for the domain:
Windows Components/Windows Remote Management (WinRM)/WinRM Services
This is the config file I am using to create the subscription:
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>applocker exe and dll</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description></Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[<QueryList><Query Id="0"><Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select></Query></QueryList>]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>Microsoft-Windows-AppLocker/EXE and DLL</LogFile>
  <PublisherName></PublisherName>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
I also have a GPO set to identify the subscription manager:
Windows Components/Event Forwarding/Configure Target Subscription Manager set to enabled with the following entry:
server=<server FQDN>:5985
Output of C:\WINDOWS\system32>winrm get winrm/config/service
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = "*" [Source="GPO"]
    IPv6Filter = "*" [Source="GPO"]
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true [Source="GPO"]
And output of C:\WINDOWS\system32>winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = null
Any ideas why this isn't working? I thought this was a pretty simple service to set up?
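The two SDDL strings in the question (the subscription's AllowedSourceDomainComputers and the WinRM service RootSDDL) determine which principals may forward events and reach the WinRM service. The following is an added example, not part of the original post, that decodes them; the function names are hypothetical and the lookup tables are an assumed subset covering the codes in those two strings plus a few common ones.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.microsoft.com/2006/03/windows/events/subscription"}
# Well-known SDDL abbreviations (assumed subset, enough for the post's strings).
SIDS = {"BA": "Builtin Administrators", "DC": "Domain Computers",
        "DD": "Domain Controllers", "IU": "Interactive",
        "NS": "Network Service", "WD": "Everyone", "AU": "Authenticated Users"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
# Constructed input: the two SDDL-bearing values copied from the post.
SUBSCRIPTION_XML = """<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>"""
ROOT_SDDL = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
SDDL_RE = re.compile(
    r"^O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<dacl>.*?)(?:S:(?P<sacl>.*))?$")

def parse_aces(acl):
    """Return (type, [rights], trustee) for every ACE in one ACL string."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl or ""):
        ace_type, _flags, rights, _obj, _inherit, sid = body.split(";")
        # Rights are concatenated two-letter codes (GXGW) or one hex mask.
        codes = ([rights] if rights.startswith("0x")
                 else [rights[i:i + 2] for i in range(0, len(rights), 2)])
        aces.append((ACE_TYPES.get(ace_type, ace_type),
                     [RIGHTS.get(c, c) for c in codes], SIDS.get(sid, sid)))
    return aces

def parse_sddl(sddl):
    """Split an O:/G:/D:/S: descriptor into owner, group, DACL and SACL."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    return {"owner": SIDS.get(m["owner"], m["owner"]),
            "group": SIDS.get(m["group"], m["group"]),
            "dacl": parse_aces(m["dacl"]), "sacl": parse_aces(m["sacl"])}

def allowed_sources(subscription_xml):
    """Trustees the collector accepts as event sources (allow ACEs only)."""
    root = ET.fromstring(subscription_xml)
    sddl = root.findtext("s:AllowedSourceDomainComputers", namespaces=NS)
    return [t for kind, _rights, t in parse_sddl(sddl)["dacl"] if kind == "allow"]

if __name__ == "__main__":
    print(allowed_sources(SUBSCRIPTION_XML))
    print(parse_sddl(ROOT_SDDL))
```

For the posted subscription this reports Domain Computers as the only allowed source group, so any sender outside that group would need its own allow ACE in the descriptor.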
All replies (3)
Thursday, June 12, 2014 9:54 AM
Hi Michael Haken,
Based on your description, please refer to the following thread and check if it can help you.
Event Log forwarding (source initiated) GPO configuration qstns
Regarding error 0x3ae8, this error may be caused by the WinRM Firewall exception rule being disabled.
If I have misunderstood anything or there is any update, please don’t hesitate to let me know.
Hope this helps.
Best regards,
Justin Gu
Friday, June 20, 2014 2:47 AM
Hi Michael,
Sorry for my delay.
Would you please let me know the current situation of this issue? Any update?
Best regards,
Justin Gu
Friday, June 20, 2014 1:49 PM
Justin, sorry I didn't respond earlier. In this environment, Windows Firewall is disabled for all profiles.
I have tried numerous settings in relation to WinRM. I've disabled the GPO enabling WinRM on the collector systems (as I've seen some sites recommend) and just run winrm qc. However, no combination of WinRM settings that I've tried so far has changed the outcome. I'm testing this on both a Windows 8.1 machine and a Server 2012 R2 non-GUI VM. I receive the same results on both (though one is a WECUTIL error output, and the other is the GUI message that the subscription could not be activated).