Helpforsure

Microsoft Windows Experts

Three ways to configure WinRM listeners. January 26, 2011


Configure WinRM Listeners through Quick Configure.

1. Configure an HTTP listener and perform the other actions needed to enable this machine for remote management:

winrm qc

2. Configure an HTTPS listener and perform the other actions needed to enable this machine for remote management:

winrm qc -transport:https

 

WinRM (Windows Remote Management) Architecture | Troubleshooting January 23, 2011


What is WinRM?

New in Windows Vista, Windows Server 2003 R2, Windows Server 2008 (and Server 2008 Core) are WinRM and WinRS. Windows Remote Management (known as WinRM) is a handy new remote management service. WinRM is the “server” component of this remote management application, and WinRS (Windows Remote Shell) is the “client” for WinRM; it runs on the computer that is attempting to remotely manage the WinRM server. However, I should note that BOTH computers must have WinRM installed and enabled for WinRS to work and retrieve information from the remote system.

While WinRM listens on port 80 by default, that does not mean the traffic is unencrypted. By default WinRM only accepts traffic that is encrypted using the Negotiate or Kerberos SSP. WinRM uses HTTP (TCP 80) or HTTPS (TCP 443). WinRM also includes helper code that lets the WinRM listener share port 80 with IIS or any other application that needs to use that port.

WinRM with SCVMM uses Kerberos for authentication, and does not support fall-back to NTLM. There will be an error instead. If no credentials are specified, then the logged-on credentials are used to authenticate against the remote machine. This allows for a single sign-on experience.

 

What is WinRS?

Windows Remote Shell (WinRS) is used to execute a program on a remote host. Similar in operation to the Sysinternals tool PsExec, WinRS leverages Windows Remote Management to let you launch processes on remote machines. For example, if you want to perform a directory listing of the system drive on a remote machine, you can remotely launch ‘dir’ using this syntax:

winrs -r:machinename dir

Another handy use of WinRS can be when installing software on remote systems. If you want to quietly install an application using an MSI file onto a remote machine, use the following syntax. This syntax assumes the MSI file has already been deposited into the C:\ folder.

winrs -r:machinename msiexec.exe /i c:\install.msi /quiet

When specifying the remote machine, the following are valid:

· Localhost

· NetBIOS name

· Fully Qualified Domain Name (FQDN)

· IP address

How to install WinRM

WinRM does not depend on any other service except WinHTTP. If the IIS Admin Service is installed on the same computer, you may see messages indicating that WinRM cannot be loaded before Internet Information Services (IIS). However, WinRM does not actually depend on IIS: these messages occur because the load order ensures that the IIS service starts before the HTTP service. WinRM does require that WinHTTP.dll be registered.

(Stated simply: WinRM service should be set to Automatic (Delayed Start) on Windows Vista and Server 2008)

· The WinRM service starts automatically on Windows Server 2008.

· On Windows Vista, the service must be started manually.

· UPDATE! Windows 2003 requires an update for WinRM

936059 An update is available for the Windows Remote Management feature in Windows Server 2003 and in Windows XP

http://support.microsoft.com/default.aspx?scid=kb;EN-US;936059

How to configure WinRM

To set the default configuration type:

winrm quickconfig (or the abbreviated version, winrm qc)

‘winrm qc’ performs the following operations:

1. Starts the WinRM service and sets the service startup type to auto-start.

2. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.

3. Defines ICF exceptions for the WinRM service and opens the ports for HTTP and HTTPS.

(Note: Winrm quickconfig also configures Winrs default settings)

If ‘winrm qc’ throws an error:

If the firewall is disabled the quick config command will fail. The firewall can either be started in Services long enough to run ‘winrm qc’ or the commands below can be run:

sc config "WinRM" start= auto

net start WinRM

winrm create winrm/config/listener?Address=*+Transport=HTTP

netsh firewall add portopening TCP 80 "Windows Remote Management"
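The HTTPS quick-configure command from the “Three ways to configure WinRM listeners” post above and the manual fallback just listed both come down to the same three steps: service, listener, firewall exception. The following PowerShell functions are an added example, not code from the original posts; they perform those steps through the WSMan cmdlets (PowerShell 2.0 and later) instead of winrm.cmd, so they still work when ‘winrm qc’ refuses to run, and they can bind an HTTPS listener to an explicit certificate. The host name host.example.com and the thumbprint in the usage lines are placeholders.

```powershell
# Added example (not from the original posts). Performs the three steps of
# 'winrm qc' (service, listener, firewall exception) one at a time, so it also
# works when quickconfig fails because the firewall service is stopped, and can
# create an HTTPS listener bound to an explicit certificate.
# Run from an elevated PowerShell prompt.

function Get-WinRMListener {
    # Equivalent of 'winrm enumerate winrm/config/listener'
    Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
}

function Enable-WinRMListener {
    param(
        [ValidateSet('HTTP', 'HTTPS')] [string]$Transport = 'HTTP',
        [string]$Address = '*',
        [string]$Hostname,               # HTTPS only: FQDN the certificate was issued to
        [string]$CertificateThumbprint   # HTTPS only: server-auth cert in Cert:\LocalMachine\My
    )

    # Step 1: service. 'winrm qc' sets auto-start; Set-Service cannot express
    # "Automatic (Delayed Start)", so plain Automatic is used here.
    Set-Service -Name WinRM -StartupType Automatic
    if ((Get-Service -Name WinRM).Status -ne 'Running') { Start-Service -Name WinRM }

    # Step 2: listener, created only if none exists yet for this transport
    # (equivalent of 'winrm create winrm/config/listener?Address=*+Transport=HTTP').
    $existing = @(Get-WinRMListener | Where-Object { $_.Transport -eq $Transport })
    if ($existing.Count -gt 0) {
        Write-Host "$Transport listener already present on port $($existing[0].Port)"
    } elseif ($Transport -eq 'HTTPS') {
        if (-not $Hostname -or -not $CertificateThumbprint) {
            throw 'An HTTPS listener needs -Hostname and -CertificateThumbprint'
        }
        # Check that the certificate exists before binding it; WinRM accepts an
        # unknown thumbprint and the failure would only show up at the TLS handshake.
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
        if (-not $cert) { throw "Certificate $CertificateThumbprint not found in Cert:\LocalMachine\My" }
        New-WSManInstance -ResourceURI winrm/config/listener `
            -SelectorSet @{ Address = $Address; Transport = 'HTTPS' } `
            -ValueSet @{ Hostname = $Hostname; CertificateThumbprint = $CertificateThumbprint } | Out-Null
    } else {
        New-WSManInstance -ResourceURI winrm/config/listener `
            -SelectorSet @{ Address = $Address; Transport = 'HTTP' } | Out-Null
    }

    # Step 3: firewall exception for the port the listener actually uses
    # (equivalent of 'netsh firewall add portopening TCP 80 ...'). A stopped
    # firewall service is exactly what makes 'winrm qc' fail, so report it.
    $listener = @(Get-WinRMListener | Where-Object { $_.Transport -eq $Transport })[0]
    $port = $listener.Port
    $fw = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if ($fw -and $fw.Status -eq 'Running') {
        netsh advfirewall firewall add rule name="Windows Remote Management ($Transport-In)" `
            dir=in action=allow protocol=TCP localport=$port | Out-Null
    } else {
        Write-Warning "Windows Firewall service is not running; no exception added for TCP $port"
    }
    return $listener
}

# Usage (placeholders, replace before running):
# Enable-WinRMListener                       # HTTP, the same result as 'winrm qc'
# Enable-WinRMListener -Transport HTTPS -Hostname 'host.example.com' -CertificateThumbprint '<THUMBPRINT>'
```

The function reads the port back from the listener it created rather than assuming 80 or 443, and it checks the certificate store before binding a thumbprint, because WinRM will happily create an HTTPS listener that can never complete a TLS handshake.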

Group Policy configuration:

WinRM can be configured by group policies.

1. Type gpedit at a command prompt. The Group Policy Object Editor window opens.

2. Look for the Windows Remote Management and Windows Remote Shell Group Policy Objects (GPO) under Administrative Templates and Windows Components.

Troubleshoot WinRM

Common Issues:

1. If the ISA2004 firewall client is installed on the computer, it can cause a Web Services for Management (WS-Management) client to stop responding. To avoid this issue, install ISA2004 Firewall SP1.

2. Antivirus software can prevent proper WinRM communication. Disable antivirus software and reboot the machine if the Antivirus software is known to scan processes and protocols, or if there is any doubt about the software.

Test WinRM communication on the local and remote machines

This section addresses how to test whether WinRM is working on the local system, and whether it can communicate with the remote system. Test remote communication in both directions between machines.

Local communication:

Locate listeners and addresses: (No output means WinRM is not installed)

winrm e winrm/config/listener

Localhost Ping:

(Successfully completing this step pretty much ensures complete access to WSMan on the local system)

winrm id

Further:

Check state of configuration settings:

winrm get winrm/config

Check the state of WinRM service:

winrm get wmicimv2/Win32_Service?Name=WinRM

Remote communication:

Locate listeners and addresses:

winrm e winrm/config/listener

Remote Ping:

(Successfully completing this step pretty much ensures complete access to WSMan on the remote system)

winrm id -r:machinename

Further:

Check state of configuration settings:

winrm get winrm/config -r:machinename

Check the state of WinRM service:

winrm get wmicimv2/Win32_Service?Name=WinRM -r:machinename
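The local and remote checks above (‘winrm id’, ‘winrm get winrm/config’, ‘winrm get wmicimv2/Win32_Service?Name=WinRM’ and the listener enumeration) can be run as one function from PowerShell. The following is an added example, not code from the original post; it issues the same requests through the WSMan cmdlets and pulls out the settings a reviewer of a WinRM configuration wants flagged. ‘localhost’ tests the local machine; any other name is a remote host supplied by the caller.

```powershell
# Added example (not from the original post). One function that performs the
# local/remote checks of the section above and reports the configuration
# settings that matter for security (unencrypted traffic, Basic auth,
# TrustedHosts, listeners).
function Test-WinRMHost {
    param([string]$ComputerName = 'localhost')

    $report = New-Object PSObject -Property @{
        ComputerName     = $ComputerName
        Reachable        = $false
        ProductVersion   = $null
        ServiceState     = $null
        Listeners        = @()
        AllowUnencrypted = $null
        BasicAuth        = $null
        TrustedHosts     = $null
        Findings         = @()
    }
    $conn = @{}
    if ($ComputerName -ne 'localhost') { $conn['ComputerName'] = $ComputerName }

    # 1. Identify request (winrm id). If this fails, nothing below can work.
    try {
        $id = Test-WSMan @conn -ErrorAction Stop
        $report.Reachable = $true
        $report.ProductVersion = $id.ProductVersion
    } catch {
        $report.Findings += "Identify request failed: $($_.Exception.Message)"
        return $report
    }

    # 2. Service state (winrm get wmicimv2/Win32_Service?Name=WinRM)
    $svc = Get-WSManInstance @conn -ResourceURI wmicimv2/Win32_Service -SelectorSet @{ Name = 'WinRM' }
    $report.ServiceState = "$($svc.State)"

    # 3. Configuration (winrm get winrm/config, winrm enumerate winrm/config/listener)
    $service = Get-WSManInstance @conn -ResourceURI winrm/config/service
    $client  = Get-WSManInstance @conn -ResourceURI winrm/config/client
    $report.AllowUnencrypted = "$($service.AllowUnencrypted)"
    $report.BasicAuth        = "$($service.Auth.Basic)"
    $report.TrustedHosts     = "$($client.TrustedHosts)"
    $report.Listeners = @(Get-WSManInstance @conn -ResourceURI winrm/config/listener -Enumerate |
        ForEach-Object { '{0} {1}:{2}' -f $_.Transport, $_.Address, $_.Port })

    # 4. Findings a defender wants to see
    if ($report.ServiceState -ne 'Running') { $report.Findings += "WinRM service state is $($report.ServiceState)" }
    if ($report.Listeners.Count -eq 0)     { $report.Findings += 'No listener configured' }
    if ($report.AllowUnencrypted -eq 'true') {
        $report.Findings += 'Service/AllowUnencrypted=true: plaintext WS-Man payloads are accepted'
    }
    if ($report.BasicAuth -eq 'true') {
        $report.Findings += 'Service/Auth/Basic=true: Basic authentication is enabled on the service'
    }
    if ($report.TrustedHosts -eq '*') {
        $report.Findings += 'Client/TrustedHosts=*: this client will send credentials to any host'
    }
    if (($report.Listeners -join ' ') -notmatch 'HTTPS') {
        $report.Findings += 'No HTTPS listener: message protection relies on the Negotiate/Kerberos SSP alone'
    }
    return $report
}

# Usage:
# Test-WinRMHost | Format-List
# Test-WinRMHost -ComputerName 'server01.example.com' | Format-List   # placeholder host name
```

Run it in both directions between two machines, as the section above recommends; a host that passes the identify step but has an empty listener list or AllowUnencrypted set to true is the case worth following up on.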

Sample Commands

Here are some sample commands to play with. If you cannot get the ‘Test WS-Man…’ step to work, none of the steps following will work either (you’re probably not using the right credentials to access the remote machine). One more caveat, the remote commands work best on domain joined machines. For workgroup machines, the WinRM service needs additional configuration.

Run from an Elevated Command prompt

Quickly configure the WS-Man service:

winrm QuickConfig

Quickly delete the WS-Man listener:

winrm invoke Restore winrm/Config @{}

Run from a standard Command prompt

Display your machine’s basic hardware info:

winrm enumerate wmicimv2/Win32_ComputerSystem

Display your operating system properties:

winrm get wmicimv2/Win32_OperatingSystem

Output your OS info in XML:

winrm get wmicimv2/Win32_OperatingSystem -format:pretty

Test WS-Man access to a remote machine**:

winrm id -remote:<some machine>

Grab a remote machine’s WS-Man config:

winrm get winrm/Config -r:<some machine>

Grab a remote machine’s CPU load:

winrm g wmicimv2/Win32_Processor?DeviceID=CPU0 -fragment:LoadPercentage -r:<some computer>

Grab a remote machine’s free memory:

winrm g wmicimv2/Win32_OperatingSystem -fragment:FreePhysicalMemory -r:<some computer>

Stop a service on a remote machine:

winrm invoke stopservice wmicimv2/Win32_Service?name=w32time -r:<some computer>

Start a service on a remote machine:

winrm invoke startservice wmicimv2/Win32_Service?name=w32time -r:<some computer>

Reboot a remote machine:

winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:<some computer>

Run a command on a remote machine (this uses WinRS, not WinRM):

winrs -r:<some computer> ipconfig /all

Run from PowerShell

Use PowerShell to grab the WS-Man Win32_OperatingSystem XML output:

[xml]$osInfo = winrm get wmicimv2/Win32_OperatingSystem /format:pretty

Display the OS version property:

$osInfo.Win32_OperatingSystem.Version

Display the last boot time:

$osInfo.Win32_OperatingSystem.LastBootupTime.DateTime

Put the free memory metric into an XML variable:

[xml]$freemem = cmd /c "winrm get wmicimv2/Win32_OperatingSystem -fragment:FreePhysicalMemory -f:pretty -r:<some computer>"

Display the free memory value:

$freemem.XMLFragment.FreePhysicalMemory

**Note: This step verifies that you have good connectivity to the remote machine, WS-Man is running and properly configured on the remote machine, AND you have the correct permissions to fully leverage WS-Man on the remote machine. If this step fails, it’s probably a permissions issue.
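The PowerShell rows above cast the XML that ‘winrm get … -format:pretty’ prints into an [xml] variable and walk the element names. The following is an added example, not code from the original post, that generalises that idea to a list of remote machines: the XML parsing is separated from the winrm.cmd call so it can be exercised on a constructed sample, and a winrm.cmd failure (exit code, unparsable output) is reported per host instead of leaving an empty variable behind. The sample XML is constructed to match the shape of winrm output, not captured from a real host.

```powershell
# Added example (not from the original post). Parses the XML printed by
# 'winrm get wmicimv2/Win32_OperatingSystem -format:pretty' and collects the
# result from several hosts, reporting failures instead of swallowing them.

function ConvertFrom-WinRMOsXml {
    # Turns the raw XML text from winrm.cmd into a small object.
    param([string]$XmlText, [string]$ComputerName = 'localhost')
    [xml]$doc = $XmlText
    # The root element is p:Win32_OperatingSystem; PowerShell ignores the prefix.
    $os = $doc.Win32_OperatingSystem
    if (-not $os) { throw "No Win32_OperatingSystem element in output from $ComputerName" }
    New-Object PSObject -Property @{
        ComputerName         = $ComputerName
        Caption              = $os.Caption
        Version              = $os.Version
        # WMI reports these two in kilobytes
        FreePhysicalMemoryMB = [math]::Round([int64]($os.FreePhysicalMemory) / 1024)
        TotalMemoryMB        = [math]::Round([int64]($os.TotalVisibleMemorySize) / 1024)
        LastBootUpTime       = [datetime]($os.LastBootUpTime.Datetime)
    }
}

function Get-RemoteOsReport {
    # Runs winrm.cmd against each host; one object per host that answered.
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        # winrm.cmd writes WSManFault text to stderr; capture both streams
        # and rely on the exit code to decide whether the XML is usable.
        $out = & winrm.cmd get wmicimv2/Win32_OperatingSystem -format:pretty "-r:$c" 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ('{0}: winrm get failed (exit {1}): {2}' -f $c, $LASTEXITCODE, ($out -join ' '))
            continue
        }
        try {
            ConvertFrom-WinRMOsXml -XmlText ($out -join "`n") -ComputerName $c
        } catch {
            Write-Warning "$c : $($_.Exception.Message)"
        }
    }
}

# Constructed sample in the shape winrm.cmd prints (not captured from a real host):
$sampleXml = @'
<p:Win32_OperatingSystem xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_OperatingSystem" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common">
  <p:Caption>Microsoft Windows Server 2008 R2 Standard</p:Caption>
  <p:Version>6.1.7600</p:Version>
  <p:FreePhysicalMemory>1048576</p:FreePhysicalMemory>
  <p:TotalVisibleMemorySize>4194304</p:TotalVisibleMemorySize>
  <p:LastBootUpTime><cim:Datetime>2011-01-20T08:15:30Z</cim:Datetime></p:LastBootUpTime>
</p:Win32_OperatingSystem>
'@
ConvertFrom-WinRMOsXml -XmlText $sampleXml -ComputerName 'sample-host' | Format-List

# Against real machines (placeholder names):
# Get-RemoteOsReport -ComputerName 'server01', 'server02' | Format-Table -AutoSize
```

Checking $LASTEXITCODE matters here: when the remote side returns a WSManFault (wrong credentials, no listener), winrm.cmd prints the fault rather than XML, and the [xml] cast in the table above would fail with a parse error that says nothing about which host was at fault.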

Advanced Concepts

URI Aliases

URI aliases can simplify the Winrm command line. The following URI aliases are supported:

wmi = schemas.microsoft.com/wsman/2005/06/wmi

wsman = wsman:microsoft.com/wsman/2005/06/

cimv2.9 = schemas.dmtf.org/wsman/2005/06/cimv2.9

cimv2 = http://schemas.microsoft.com/wsman/2005/06/wmi/root/cimv2

For example, the following command:

winrm get http://schemas.microsoft.com/wsman/2005/06/wmi/root/cimv2/Win32_Service?Name=WSMan

Gets replaced with:

winrm get wmi/root/cimv2/Win32_Service?Name=WinRM

Performing an Invoke Operation

‘Invoke’ initiates commands

winrm invoke StartService wmicimv2/Win32_Service?Name=WinRM -r:machinename @{}

This will likely return ‘ReturnValue = 10’ on a remote system where WinRM is running

WS-Man (WinRM) Architecture

The following diagram shows a high-level overview of the WS-Man (WinRM) architecture. In the diagram the ‘Client’ is querying the ‘Server’ for WS-Man information. Note that HTTP.sys and WinHTTP support the HTTP(s) transport for WS-Man, not IIS. In addition, IIS (or another web publishing service) can co-exist with WS-Man and share port 80.

Remember:

WinHTTP = Client

HTTP.SYS = Server

 

The Windows Remote Management architecture consists of components on the client and server computers. The following illustration shows the components on both computers, how the components interact with other components, and the protocol that is used to communicate between the computers.

 

Requesting Client

The following WinRM components reside on the computer that is running the script that requests data.

· WinRM application

This is the script or Winrm command-line tool that uses the WinRM scripting API to make calls to request data or to execute methods. For more information, see the WinRM Scripting API [ msdn.microsoft.com/en-us/library/aa384469(VS.85).aspx ] .

· WsmAuto.dll

The OLE automation layer that provides scripting support.

· WsmCL.dll

C API layer within the operating system.

· HTTP API

WinRM requires support for HTTP and HTTPS transport.

Responding Server

The following WinRM components reside on the responding computer.

· HTTP API

WinRM requires support for HTTP and HTTPS transport.

· WsmAuto.dll

The OLE automation layer that provides scripting support.

· WsmCL.dll

C API layer within the operating system.

· WsmSvc.dll

WinRM listener [ msdn.microsoft.com/en-us/library/aa384465(VS.85).aspx ] service.

· WsmProv.dll

Provider subsystem.

· WsmRes.dll

Resource file.

· WsmWmiPl.dll

WMI plug-in [ msdn.microsoft.com/en-us/library/aa384465(VS.85).aspx ] . This allows you to obtain WMI data through WinRM.

· Intelligent Platform Management Interface (IPMI) driver and WMI IPMI provider

These components supply any hardware data that is requested using the IPMI classes. For more information, see Intelligent Platform Management Interface (IPMI) Classes [ msdn.microsoft.com/en-us/library/aa390891(VS.85).aspx ] . BMC hardware must have been detected by the SMBIOS or the device created manually by loading the driver. For more information, see Installation and Configuration for Windows Remote Management [ msdn.microsoft.com/en-us/library/aa384372(VS.85).aspx ] .

 

References

Installation and Configuration for Windows Remote Management

http://msdn.microsoft.com/en-us/library/aa384372(VS.85).aspx

Windows Remote Management Command-Line Tool (Winrm.cmd)

http://technet.microsoft.com/en-us/library/cc781778.aspx

How can Windows Server 2008 WinRM & WinRS help you

http://windowsnetworking.com/articles_tutorials/How-Windows-Server-2008-WinRM-WinRS.html

The things that are better left unspoken Remotely managing your Server Core using WinRM and WinRS

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/02/23/remotely-managing-your-server-core-using-winrm-and-winrs.aspx

Redmond Print First Look WinRM & WinRS

http://redmondmag.com/columns/article.asp?EditorialsID=2262

Otto Helweg – Management Matters A Few Good Vista WS-Man (WinRM) Commands

http://blogs.technet.com/otto/archive/2007/02/09/sample-vista-ws-man-winrm-commands.aspx

Windows Remote Management Architecture

http://msdn.microsoft.com/en-us/library/aa384464(VS.85).aspx

 

WinRM Basics


Windows Remote Management is the Microsoft implementation of the WS-Management Protocol. It uses SOAP (Simple Object Access Protocol) over HTTP and HTTPS, and thus is considered a firewall-friendly protocol. It was designed to provide interoperability and consistency for enterprise networks that have a variety of operating systems, to locate and exchange management information.

 

WinRM provides a command line interface that can be used to perform common management tasks, and also provides a scripting API so you can write your own Windows Scripting Host based scripts. In the background, WinRM relies on management data provided by WMI; however, it makes the exchange of data much easier by utilizing the HTTP protocol.

 

Apart from WMI, WinRM utilizes the Intelligent Platform Management Interface (IPMI) driver for hardware management. The IPMI provider and driver enable you to control and diagnose remote server hardware through BMCs [Baseboard Management Controllers] even when the OS is not running or deployed. Effectively, the BMC is a chip connected to the processor board of a server; it has its own network adapter and hence can monitor the server even when the server is malfunctioning.

 

So, here is some basic WinRM configuration info:

 

Basic Configuration:

 

First, to make WinRM work on the server we need the Windows Firewall to be enabled. Once that is done, open a command prompt and run the following command:

 

winrm quickconfig

 

This command performs configuration actions to enable this machine for remote management, which includes:

 

1. Starts the WinRM service

2. Sets the WinRM service type to auto start

3. Creates a listener to accept requests on any IP address

4. Enables a firewall exception for WS-Management traffic (for http only)

 

When you configure WinRM on the server it will check if the Firewall is enabled. If so, it then enables the Firewall exception for WinRM. In case the Firewall is disabled, you should get the following error message:

WSManFault
    Message
        ProviderFault
            WSManFault
                Message = Unable to check the status of the firewall.

Error number: -2147023143 0x800706D9
There are no more endpoints available from the endpoint mapper.

 

 

 

To list all the WinRM listeners, run this command:

 

winrm enumerate winrm/config/listener

 

You can also get the configuration information of the Service, Client and WinRS by running the following command:

 

winrm get winrm/config

 

Now let us look at the different operations that WinRM supports to access WMI data.

 

The list of currently supported operations is:

 

* GET

* PUT

* ENUMERATION

* INVOKE

 

Using the WinRM get command you can also query different services configuration running on the server.

 

Example

 

winrm get wmicimv2/Win32_Service?Name=spooler

 

You can also use the WinRm get command to query the remote computer:

 

winrm get winrm/config -r:remotemachinename

 

Run this to query the service of remote computer:

 

winrm get wmicimv2/Win32_Service?Name=spooler -r:remotemachinename

 

To reboot a remote machine:

 

winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:<some computer>

 

Start a service on a remote machine

 

winrm invoke startservice wmicimv2/Win32_Service?name=w32time -r:<some computer>
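The four operations listed above (GET, PUT, ENUMERATION, INVOKE) map one to one onto the PowerShell WSMan cmdlets, which take the same resource URIs and selectors as the winrm commands in this post. The following function is an added example, not code from the original post: without -Modify it only performs the read operations; the PUT (switching Basic authentication off on the service side) and the INVOKE (StartService on the spooler, the call the earlier post notes returns ReturnValue 10 when the service is already running) run only when -Modify is given. The remote computer name is a placeholder supplied by the caller.

```powershell
# Added example (not from the original post). The four WS-Management operations
# issued through the WSMan cmdlets. Read-only unless -Modify is given.
function Show-WSManOperations {
    param(
        [string]$ComputerName,   # omit to target the local machine
        [switch]$Modify
    )
    $conn = @{}
    if ($ComputerName) { $conn['ComputerName'] = $ComputerName }

    # GET: one instance selected by its key
    # (winrm get wmicimv2/Win32_Service?Name=spooler)
    $spooler = Get-WSManInstance @conn -ResourceURI wmicimv2/Win32_Service -SelectorSet @{ Name = 'spooler' }
    Write-Host ('GET        spooler: State={0} StartMode={1}' -f $spooler.State, $spooler.StartMode)

    # ENUMERATE: every instance of a class, filtered on the client side
    # (winrm enumerate wmicimv2/Win32_Service)
    $autoStopped = @(Get-WSManInstance @conn -ResourceURI wmicimv2/Win32_Service -Enumerate |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' })
    Write-Host ('ENUMERATE  {0} auto-start service(s) not running: {1}' -f $autoStopped.Count,
        (($autoStopped | ForEach-Object { $_.Name }) -join ', '))

    # GET on the WinRM configuration itself (winrm get winrm/config/service/auth)
    $auth = Get-WSManInstance @conn -ResourceURI winrm/config/service/auth
    Write-Host ('GET        service auth: Basic={0} Kerberos={1} Negotiate={2}' -f $auth.Basic, $auth.Kerberos, $auth.Negotiate)

    if (-not $Modify) {
        Write-Host 'PUT and INVOKE skipped (run with -Modify to execute them)'
        return
    }

    # PUT: replace settable properties of an instance; here Basic authentication is
    # switched off on the service side (winrm set winrm/config/service/auth @{Basic="false"})
    $auth = Set-WSManInstance @conn -ResourceURI winrm/config/service/auth -ValueSet @{ Basic = 'false' }
    Write-Host ('PUT        service auth now: Basic={0}' -f $auth.Basic)

    # INVOKE: call a method on an instance
    # (winrm invoke StartService wmicimv2/Win32_Service?Name=spooler)
    $r = Invoke-WSManAction @conn -ResourceURI wmicimv2/Win32_Service -SelectorSet @{ Name = 'spooler' } -Action StartService
    # Win32_Service.StartService return codes: 0 = started, 10 = service already running
    Write-Host ('INVOKE     StartService ReturnValue={0}' -f $r.ReturnValue)
}

# Usage:
# Show-WSManOperations                                   # local machine, read-only
# Show-WSManOperations -ComputerName 'server01' -Modify  # placeholder host; performs PUT and INVOKE
```

The selector hashtable (-SelectorSet) is the part after the ‘?’ in the winrm URIs above, and -ValueSet is the @{…} block that ‘winrm set’ takes; keeping them as hashtables avoids the quoting problems that the winrm.cmd syntax runs into from PowerShell.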

 

Additional commands are listed at the following link in case you are interested:

 

http://blogs.technet.com/b/otto/archive/2007/02/09/sample-vista-ws-man-winrm-commands.aspx

 

I’ll also use this opportunity to discuss a recent issue I faced while working with WinRM, as I have seen multiple users complaining about similar issues when working with 3rd party apps that make use of WinRM. Hopefully this may help you if you have to tackle similar issues at a later stage.

 

In this specific issue the customer was using a 3rd party application to collect the event logs from servers located in different sites. The application uses WinRM to collect the event logs on Windows Server 2008 and R2 servers, and it collects the logs under a service account. When they ran the application it failed with Access Denied errors. The customer had been treating this as an application issue, as they were able to collect the logs from some Windows Server 2008 machines but not others.

 

In order to narrow the issue down, we first logged in to the server using the service account and confirmed that this account did not have any obvious permission or logon issues. Then, to take the application out of the picture, we checked whether WinRM could connect to the remote server by itself. For this, we used the wevtutil tool to query the event logs:

 

winrs -r:http://<FQDN of the server> -u:username -p:password "wevtutil qe system"

 

First we used the Admin account credentials to query the event log and it worked correctly. Then we tried using the Service Account that the application was using and got an ACCESS DENIED. It seemed that the service account was missing some permissions on the target box. Since we were able to log in correctly using this account earlier and could do all other normal operations with it, we suspected the issue to be something specific to WinRM or event log permissions. So, we started by comparing the “Channel Access” (read security setting) of the target machine with that of a working machine.

 

Below is the command to read a log’s configuration, including its Channel Access setting (the channelAccess line of the output):

 

wevtutil gl system

 

The corresponding setter is wevtutil sl system /ca:<Channel>, where “/ca:<Channel>” sets the access permission for an event log. “<Channel>” is a security descriptor that uses the Security Descriptor Definition Language (SDDL).

 

By comparing against a working machine, we found that the Authenticated Users group had DENY permissions listed on the non-working box. Because of this, we replaced the Channel Access permissions on the non-working machine with that of the working machine. Now when accessing the event logs with the service account username and password we were able to successfully query. Once this was fixed, the application started collecting the event logs from all the servers.

 

So, in the end it wasn’t really a WinRM issue, but one might get that impression based on the symptom.
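Comparing two channelAccess SDDL strings by eye is error-prone, and a Deny ACE is easy to overlook among the Allow entries. The following PowerShell functions are an added example, not code from the original post: they read a channel’s SDDL the way the troubleshooting above did (wevtutil gl), parse it with the .NET RawSecurityDescriptor class, list any Deny ACEs, and diff the ACEs of a working and a failing host. The two SDDL strings at the bottom are constructed samples, not captured from real machines; the host names in the commented usage are placeholders.

```powershell
# Added example (not from the original post). Reads an event log channel's
# access SDDL with 'wevtutil gl', parses it, lists Deny ACEs (the cause of the
# ACCESS DENIED in the case above) and diffs a working host against a failing one.

function Get-ChannelAccessSddl {
    param([string]$Channel = 'System', [string]$ComputerName)
    $argList = @('gl', $Channel)
    if ($ComputerName) { $argList += "/r:$ComputerName" }
    $out = & wevtutil.exe $argList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "wevtutil gl $Channel failed: $($out -join ' ')" }
    # wevtutil gl prints one 'key: value' per line; channelAccess holds the SDDL
    $line = @($out | Where-Object { "$_" -match '^channelAccess:' })
    if ($line.Count -eq 0) { throw "No channelAccess line in wevtutil output for $Channel" }
    if ("$($line[0])" -match '^channelAccess:\s*(\S+)') { return $Matches[1] }
    throw "Could not parse: $($line[0])"
}

function Get-ChannelAce {
    # Expands an SDDL string into one object per ACE of the DACL.
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        $name = $sid.Value
        # Resolve well-known and domain SIDs to names where possible; keep the SID otherwise
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{
            Type       = $ace.AceType.ToString()          # AccessAllowed / AccessDenied
            Principal  = $name
            Sid        = $sid.Value
            AccessMask = ('0x{0:x}' -f $ace.AccessMask)
        }
    }
}

function Get-ChannelDenyAce {
    param([string]$Sddl)
    Get-ChannelAce -Sddl $Sddl | Where-Object { $_.Type -eq 'AccessDenied' }
}

function Compare-ChannelAccess {
    # '=>' marks ACEs present only on the failing host, '<=' only on the working one.
    param([string]$WorkingSddl, [string]$FailingSddl)
    $key = { '{0} {1} {2}' -f $_.Type, $_.Sid, $_.AccessMask }
    Compare-Object -ReferenceObject  @(Get-ChannelAce -Sddl $WorkingSddl | ForEach-Object $key) `
                   -DifferenceObject @(Get-ChannelAce -Sddl $FailingSddl | ForEach-Object $key)
}

# Constructed sample SDDLs (not captured from real machines): the failing one carries
# a Deny ACE for Authenticated Users (AU), as was found in the case described above.
$workingSddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;AU)'
$failingSddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(D;;0x1;;;AU)(A;;0x1;;;AU)'

Get-ChannelDenyAce -Sddl $failingSddl | Format-Table Type, Principal, Sid, AccessMask -AutoSize
Compare-ChannelAccess -WorkingSddl $workingSddl -FailingSddl $failingSddl

# Against live hosts (placeholder names):
# Compare-ChannelAccess -WorkingSddl (Get-ChannelAccessSddl System 'working-host') `
#                       -FailingSddl (Get-ChannelAccessSddl System 'failing-host')
```

Once the offending ACE is identified, the fix applied in the case above is the setter form, wevtutil sl <channel> /ca:<sddl>, with the working host’s SDDL; running Get-ChannelDenyAce again afterwards confirms that no Deny entry remains.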

 

Hope this information was helpful. For more information on WinRM, please see:

 

Installation and Configuration for Windows Remote Management

 

http://msdn.microsoft.com/en-us/library/aa384372(VS.85).aspx