2

I'm having partial success enabling WinRM through Active Directory GPOs on our Server 2008 R2 environment.

I've created a GPO that enables "Allow automatic configuration of listeners" and also enables all the necessary predefined WinRM Firewall rules.

This GPO works fine for our webservers. Indeed, this is reflected by the "Server Manager Remote Management" nicely flipping to "enabled" in Server Manager Server Summary.

However, the same GPO applied to both our Management servers, which are Domain Controllers, does not give the same result. I see the GPO settings being applied, including the listener, as confirmed by:

C:\Windows\system32>winrm e winrm/config/listener
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.32.40.210, 10.32.40.211, 10.32.40.212

But in Server Manager, Server Summary, Remote Management remains on "disabled" and indeed when trying to connect to one of these machines Server Manager gives an "Access Denied".

Manually enabling WinRM locally via Server Manager "Configure Server Manager Remote Management" on either of these machines works fine.

What can be the cause? Can it have something to do with these machines being DCs and needing extra settings in the GPO?

Nick Reid

SaintNick

2 Answers

2

Thanks, but if you had read my post you would see that I had already done exactly as you say. As it turns out, in our case it was not easy at all. The problem was, and still is, that the SQL Server Reporting Server 2008 user claims the HTTP Kerberos SPN, which is therefore not available for the machine itself, which is what WinRM needs. I wonder if they are aware of this conflict at Microsoft?

In summary, SSRS 2008 R2 and WinRM are mutually exclusive because they both need the HTTP SPN configured differently: WinRM at the machine level, SSRS at the domain account level.

SSRS 2008 R2 docs: http://msdn.microsoft.com/en-us/library/cc281382.aspx

SaintNick
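A check for the conflict described in the answer above, as an added example that is not part of the original answer: it lists which AD accounts hold an explicit HTTP SPN for a host and flags any holder other than the machine account. The host name mgmt01, the domain example.test and the account svc-ssrs are constructed, and the function names are hypothetical; the live lookup assumes it is run on a domain-joined machine.

```powershell
# Added example. Names such as mgmt01, example.test and svc-ssrs are constructed.

function Get-HttpSpnHolder {
    # Live lookup: every AD object with an explicit HTTP/<name> SPN for the given names.
    param([string[]]$HostNames)
    $clauses  = $HostNames | ForEach-Object { "(servicePrincipalName=HTTP/$_)" }
    $searcher = [adsisearcher]"(|$($clauses -join ''))"
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName = [string]@($r.Properties['samaccountname'])[0]
            ObjectClass    = [string]@($r.Properties['objectclass'])[-1]
            Spn            = @($r.Properties['serviceprincipalname'] |
                               Where-Object { $_ -like 'HTTP/*' })
        }
    }
}

function Test-WinRMSpnConflict {
    # A holder other than the machine account (<name>$) means Kerberos tickets
    # for HTTP/<name> are issued for that account, not for the machine.
    param([string]$ComputerName, [object[]]$Holders)
    if (-not $Holders) {
        # No explicit HTTP SPN: the machine account's HOST SPN covers HTTP.
        return New-Object PSObject -Property @{
            Account = "$ComputerName`$"; Spn = '(HOST alias)'; Conflict = $false }
    }
    foreach ($h in $Holders) {
        New-Object PSObject -Property @{
            Account  = $h.SamAccountName
            Spn      = ($h.Spn -join ', ')
            Conflict = ($h.SamAccountName -ne "$ComputerName`$")
        }
    }
}

# Constructed sample: a service account holding the HTTP SPNs for mgmt01.
$sample = @(
    New-Object PSObject -Property @{
        SamAccountName = 'svc-ssrs'; ObjectClass = 'user'
        Spn = @('HTTP/mgmt01', 'HTTP/mgmt01.example.test') }
)
Test-WinRMSpnConflict -ComputerName 'mgmt01' -Holders $sample |
    Format-Table Account, Conflict, Spn -AutoSize

# Against a live domain (uncomment on a domain-joined machine):
# $found = Get-HttpSpnHolder 'mgmt01', 'mgmt01.example.test'
# Test-WinRMSpnConflict -ComputerName 'mgmt01' -Holders $found
```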
-1

It's actually quite easy.

There are three things you need to do in GPOs:

  1. Enable the "Allow automatic configuration of listeners" WinRM Service GPO.
  2. Make the Windows Remote Management service start automatically - also done with GPO.
  3. Add a firewall inbound rule (can also be done with GPOs if you use Windows Firewall).

This article explains it nicely with screenshots.

simonwh