15

I'm testing WinRM connection using Command Prompt on my local and remote machine and my question is devided into two parts.

PART I

I tested TCP/IP connectivity by using ping command to ping : IP Address of local computer and remote computer, default gateway and DNS Server and it runs perfectly on both local and remote computer.

But when testing using WinRM commands, I used this command to locate listeners and addresses

winrm e winrm/config/listener

It gives me this output for my local machine

Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn =<IP Address>,127.0.0.1, ::1,fe80::100:7f:fffe%13,fe80::803:5e43:50ef:c50%11

But the same command when I run on remote machine gives me an output with everything else the same, except

Listener[Source="GPO"]
.
.
.
ListeningOn=null

I want to configure it to make it listen correctly.

PART II

And when I run these commands one by one on my remote machine

winrm id -r:<machine name>
winrm get winrm/config -r:<machine name>
winrm get wmicimv2/Win32_Service?Name = WinRM -r:<machine name>

It gives a WSMan Fault with an error message as : 

The client cannot connect to the destination specified in the request. Verify
that the service on the destination is running and is accepting requests.Consult
the logs and documentation for WS-Management service running on the destination,
most commonly IIs or WinRM. If the destination is the WinRM service, run the 
following command on the destination to analyse and configure the WinRM service:
"winrm quickconfig".

Whereas, same commands when I run on my local machine run correctly.

winrm id 
winrm get winrm/config
winrm get wmicimv2/Win32_Service?Name = WinRM

At most, all the problems I'm facing is on my remote machine. What is causing this to happen and how can I configure it to listen and connect successfully? Thank You.

Part II, I am now able to run these on one of my other remote machines with correct output.

I made some changes in this particular remote machine for which I had posted the question and so, it wouldn't run these commands until I fix the part I but besides that if nothing has been altered it will run just like it does on my other remote machines.

I would still appreciate if someone could help me with part I in which I have to get rid of 

Listener[Source=GPO]
..
.
ListeningOn=null

when I run the command 

winrm e winrm/config/listener

because this is what is causing issues but I'm not sure how to disable/remove Group Policy Settings.

Brad Larson
  • 168,330
  • 45
  • 388
  • 563
sanya
  • 233
  • 2
  • 3
  • 9
  • Does `telnet 5985` establish a connection? On which "local machine" do you get which output for `ListeningOn`? Did you run `winrm qc` on both hosts? – Ansgar Wiechers Jun 24 '13 at 21:32
  • Yes, I ran winrm qc on both (local and remote machine ) and they both provide me with correct output that winRM is setup. And I just made correction in my question,`ListeningOn = null` is on remote machine. – sanya Jun 24 '13 at 22:05
  • Check if there's a policy on the remote host preventing WinRM from listening. Did you try enabling the listener on the remote host? (`winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Enabled="true"}`) – Ansgar Wiechers Jun 24 '13 at 22:34
  • On using This command i get: `Error: Unknown switch: encodedcommand` `Error: Unknown switch: inputformat` `Error: Unknown switch: outputformat` `Error: Invalid use of command line. Type "winrm -?" for help.` – sanya Jun 25 '13 at 15:03
  • Please post the exact command you ran. – Ansgar Wiechers Jun 25 '13 at 15:05
  • This is the command I ran `winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Enabled="true"}` Also, I used this command but even this doesn't runs `winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOST";CertificateThumbprint="XXXXXXXXXX"}` – sanya Jun 25 '13 at 15:34
  • Any suggestions for this ? @AnsgarWiechers – sanya Jun 26 '13 at 18:18
  • Only general troubleshooting advice: check policies, check eventlog, run command with another account, etc. Other than that I'm out of ideas. – Ansgar Wiechers Jun 26 '13 at 18:25
  • Alright. that's totally something I am working on right now. Thank you. – sanya Jun 26 '13 at 19:25

6 Answers6

18

To determine which group policy is configuring your WinRM you can run the following from an administrative command prompt:

gpresult /h result.html & result.html

In the displayed result, locate Windows Components/Windows Remote Management (WinRM)/WinRM Service. The Winning GPO is where you can enable/disable GPO settings. Use GPMC (Group Policy Management Console) to manage the Group Policy.

ListeningOn=null appears when an administrator has incorrectly configured the Group Policy IPv4 filter setting in Allow automatic configuration of listeners usually with an IP or network that does not exist on the affected Server.

Neossian
  • 636
  • 4
  • 12
9

To reset IP addresses (ListeningOn), you probably need to re-create the listener (remove the old HTTP listener and create a new one). Please find the example below.

In PowerShell:

Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}
New-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}

Here is the syntax for the specific IP address to bind:

New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:192.168.100.2";Transport="http"}

In Command Prompt:

winrm delete winrm/config/Listener?Address=*+Transport=HTTP
winrm create winrm/config/Listener?Address=*+Transport=HTTP

Further reading:

Related question: Allow PowerShell remoting only from one address.

kenorb
  • 118,428
  • 63
  • 588
  • 624
5

I had the same issue and found that when the GPO Setting: Allow remote server management through WinRM had an IPv4 filter set to the IP address of my jumphost the winrm e winrm/config/listener command generated the ListeningOn=null issue.

I solved this by setting the Filter to * and sorting the permissions on firewall level instead.

kenorb
  • 118,428
  • 63
  • 588
  • 624
Rutgervonapa
  • 51
  • 1
  • 1
1

I solved this changing a GPO, exactly as answered Neossian (sorry, no reputation to just add a comment). But "IPv4 filter" must not be empty, nor accepts CIDR notation (that was my huge mistake). As already said by Craneum, uses "*" for listen on any interface or some range of IP addresses your local network devices are connected (as "192.168.0.1-192.168.0.254" or something like that).

DO NOT USE "192.168.0.0/24" notation. Yes, the help section is very clear on that, yet I used the wrong notation.

helviojr
  • 21
  • 1
1

The thing is that the IP Range you are entering is not the range that has access to the system but defines the IP range that can be used as the WinRM interface by the system. Means you have to specify a range of IP addresses which includes all the client IPs the GPO is affecting.

Oliver
  • 11
  • 1
0

Ensure that you have a filter (IPv4 and/or IPv6) defined in the "Allow remote server management through WinRM" under [Computer Configuration]/[Policies]/[Administrative Templates]/[Windows Components]/[Windows Remote Management (WinRM)]/[WinRM Service].

I would suggest a filter of "*" for both IPv4 and IPv6 unless you know what you want to filter.

Craneum
  • 1,459
  • 1
  • 14
  • 20