Question
Tuesday, May 3, 2016 3:23 AM
Hi all,
I'm just about stumped with WinRM up to this point. Whenever I try to install any feature with the Server Manager, it hangs on "Starting Installation". When I install the feature with PowerShell, it works fine, only when I open up Server Manager to configure the feature after the installation I get a "failed to open the runspace pool" error. Configuring it via PowerShell works fine. Then, when I tried to configure DirectAccess with its Quick Start wizard, it gives me a "could not connect to the destination specified in the request" error.
Running "winrm quickconfig" produces this:
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
Then, in Event Viewer, I get this error when I try to do anything with Server Manager/configuring DirectAccess:
WSMan operation CreateShell failed, error code 2150858770
And it doesn't give me any information except that. This is the output of winrm get winrm/config:
PS C:\Windows\System32\WindowsPowerShell\v1.0> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = fs.towerdevs.xyz
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint = 80 aa c1 69 11 9d 87 b8 d8 7a 20 b8 ff 76 d2 3ddb dc 7b 7f
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true [Source="GPO"]
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
And winrm enumerate winrm/config/listener:
PS C:\Windows\System32\WindowsPowerShell\v1.0> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 169.254.164.229, 169.254.224.69, 192.168.1.109, ::1, fe80::5efe:169.254.164.229%17, fe80::5efe:169.254.224.69%18, fe80::d13:6e93:f4dd:e045%12, fe80::84a1:52c5:715:a4e5%15, fe80::fdb7:1050:858e:9139%14
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = fs.towerdevs.xyz
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 80 aa c1 69 11 9d 87 b8 d8 7a 20 b8 ff 76 d2 3ddb dc 7b 7f
    ListeningOn = 127.0.0.1, 169.254.164.229, 169.254.224.69, 192.168.1.109, ::1, fe80::5efe:169.254.164.229%17, fe80::5efe:169.254.224.69%18, fe80::d13:6e93:f4dd:e045%12, fe80::84a1:52c5:715:a4e5%15, fe80::fdb7:1050:858e:9139%14
The server runs these roles/features:
Roles:
AD CS (Certification Authority)
AD DS (Domain Controller)
DNS Server
File and Storages Server (File Server & Storage Services)
Hyper-V
Remote Access (DirectAccess and VPN)
Web Server (IIS)
Windows Deployment Services
Features:
.NET Framework 3.5
.NET Framework 4.5
Bitlocker and Network Unlock
Enhanced Storage
Group Policy Management
Ink & Handwriting Services
Media Foundation
qWave
CMAK
RSAT
User Interfaces and Infrastructure
Windows Internal Database
Windows PowerShell
WPAS
Wireless LAN Service
Wow64 Support
And yes, I have tried resetting the WinRM config and rebooting several times. If anyone could help, it would be much appreciated!
All replies (9)
Tuesday, May 17, 2016 5:09 AM ✅ Answered
Hi CitadelCore,
After searching a lot, I found the problem may be caused by the port being blocked by the firewall.
Since you turned off the firewall and the problem persists, I suggest you use Network Monitor to troubleshoot the problem.
For more information about Network Monitor, you could refer to the article below.
Network Monitor
https://technet.microsoft.com/en-us/library/cc938655.aspx
Best Regards,
Jay
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, May 3, 2016 8:06 AM
Hi,
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = true
        CbtHardeningLevel = Relaxed
>>>The problem may be caused by the certificate name not matching what was expected.
For more information, you could refer to the similar thread below.
Best Regards,
Jay
Tuesday, May 3, 2016 9:30 AM
Checked out the thread, however found little or no information on how to actually resolve the problem. How would I change the certificate name? I'm running AD CS as a certification authority as I explained in the OP.
Saturday, May 7, 2016 12:43 AM
Looked around some more, however I have no idea how to resolve the problem based on the information you provided... I can't issue a new certificate and there seems to be no way to reset WinRM completely and generate a new one. ???
Monday, May 9, 2016 11:02 AM
Hi,
WinRM HTTPS requires a local computer "Server Authentication" certificate with a CN matching the hostname, that is not expired, revoked, or self-signed to be installed.
To install or view certificates for the local computer:
- click Start, run, MMC, "File" menu, "Add or Remove Snap-ins" select "Certificates" and click "Add". Go through the wizard selecting "Computer account".
To install or view the certificates under:
Certificates (Local computer)
Personal
Certificates
If you do not have a Server Authenticating certificate, consult your certificate administrator. If you have a Microsoft Certificate server you may be able to request a certificate using the web certificate template from HTTPS://<MyDomainCertificateServer>/certsrv
For more information, you could refer to the article below.
Configuring WINRM for HTTPS
https://support.microsoft.com/en-us/kb/2019527
Best Regards,
Jay
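The certificate requirements listed in the reply above can be checked directly against whatever each HTTPS listener is bound to. This is an added example, not part of the original thread; it assumes an elevated PowerShell 3.0+ session on the server and uses only the WSMan: and Cert: drives plus .NET X509 classes.

```powershell
# Added example: for each WinRM HTTPS listener, look up the bound certificate
# in LocalMachine\My and test it against the requirements listed above.
$serverAuth = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
$ekuType    = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

Get-ChildItem WSMan:\localhost\Listener |
  Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
  ForEach-Object {
    $listener = $_
    # Collect the listener's settings (Hostname, CertificateThumbprint, ...)
    $props = @{}
    Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
        ForEach-Object { $props[$_.Name] = $_.Value }

    # winrm may print the thumbprint with spaces; the Cert: drive stores bare hex
    $thumb = ("$($props['CertificateThumbprint'])" -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert  = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "$($listener.Name): thumbprint '$thumb' not in LocalMachine\My"
        return   # continue with the next listener
    }

    # Enhanced Key Usage OIDs present on the certificate
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }

    # Chain build covers trust and revocation (needs CRL/OCSP reachability)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    $cn  = $cert.GetNameInfo($nameType, $false)
    $now = Get-Date
    [pscustomobject]@{
        Listener      = $listener.Name
        Hostname      = $props['Hostname']
        CN            = $cn
        CNMatchesHost = ($cn -eq $props['Hostname'])
        ServerAuthEKU = ($eku -contains $serverAuth)
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey = $cert.HasPrivateKey
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
  }
```

Any row where CNMatchesHost, ServerAuthEKU, InValidity, HasPrivateKey or ChainValid is False, or SelfSigned is True, fails one of the listed requirements; ChainStatus names the specific chain or revocation problem.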
Monday, May 9, 2016 10:31 PM
I already did this, created the certificate and configured the certificate to match my hostname in WinRM.
I also ran /sfc scannow, verified the WMI repository (which was consistent), and checked if there was a GPO blocking it. None of these things fixed the problem.
I honestly don't know what the problem is any more (and that certificate error RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD is still there.)
Thursday, May 12, 2016 9:08 AM
Hi CitadelCore,
If so, I suggest you try to turn off the firewall temporarily.
Best Regards,
Jay
Thursday, May 12, 2016 8:08 PM
Switched it off for all networks, no change in the error.
Wednesday, July 13, 2016 7:17 AM
I had the same error on Windows Server 2008R2.
The reason was simple. I installed PowerShell 4.0 (Windows Management Framework 4.0). I think the new version of PS broke something in WinRM.
I solved this problem with HotFix from Microsoft (https://support.microsoft.com/en-us/kb/2749615)
Maybe it will save time for you.