6

I am trying to connect to the localhost using New-PSSession.

I have

  • Configured WinRM using

    winrm quickconfig
    
  • Enabled PS Remoting

    Enable-PSRemoting
    
  • Added Trusted Host

    Set-Item WSMan:\localhost\Client\TrustedHosts * -Force
    
  • There is an inbound rule for port 8173 on the firewall.

Output of winrm:

PS C:\> winrm get winrm/config/listener?Address=*+Transport=HTTP
Listener
    Address = *
    Transport = HTTP
    Port = 8173
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    Listening on = 127.0.0.1

I am trying to run the following command:

New-PSSession -ConnectionUri http://localhost:8173/WSMAN

but I get this error:

[localhost] Processing data from remote server failed with the following error message:
Error with error code 14 occurred while calling method WSManPluginReceiveResult. For
more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

EDIT:

The only extra thing that I see is that the network is connected to public.

$listenerport = "8173"
winrm create winrm/config/Listener?Address=*+Transport=HTTP "@{Port="$listenerport"}"

C:\>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 1039440
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 8173
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-2458768215-3945602940-3262220185-1045)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 500
        EnumerationTimeoutms = 60000
        MaxConnections = 25
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = false
            Negotiate = true
            Certificate = true
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 180000
        MaxConcurrentUsers = 5
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 15
        MaxMemoryPerShellMB = 150
        MaxShellsPerUser = 5


PS C:\> Get-PSSessionConfiguration microsoft.powershell | fl *


xmlns            : http://schemas.microsoft.com/wbem/wsman/1/config/PluginConfiguration
Name             : Microsoft.PowerShell
Filename         : %windir%\system32\pwrshplugin.dll
SDKVersion       : 1
XmlRenderingType : text
lang             : en-US
PSVersion        : 2.0
ResourceUri      : http://schemas.microsoft.com/powershell/Microsoft.PowerShell
SupportsOptions  : true
ExactMatch       : true
Capability       : {Shell}
Permission       :

The Administrators group has permission, as I see in the popup window (Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI)

EDIT 2: Permissions

Nida Sahar
  • The default port is `5985`. How did yours get set to `8173` with `winrm quickconfig`? One thing that strikes me is that your output of `winrm get` is missing a line that mine has: `ListeningOn = 127.0.0.1, ::1` (mine also includes other IPs the server has). – briantist May 25 '15 at 15:52
  • Used the winrm create winrm/config/Listener?Address=*+Transport=HTTP command and created a listener on port 8173. Then added the firewall exception rule on port 8173. And yes, my output too contains the Listening on. Missed out. – Nida Sahar May 25 '15 at 18:22
  • Do any of the suggestions on http://powershell.com/cs/forums/t/11426.aspx help? – Keith Hill May 25 '15 at 18:31
  • Can you please post the exact command you used to create the custom listener? Without that, nobody can try to reproduce your problem. – Jan Chrbolka May 25 '15 at 23:19
  • Can you also post your client config? `winrm get winrm/config/client` – Jan Chrbolka May 26 '15 at 01:49
  • Also, the error specifies "WSManPluginReceiveResult" as the culprit. As far as I know, this happens after an initial session has been established. Can you check your session configuration? `Get-PSSessionConfiguration microsoft.powershell | fl *` Maybe you can try connecting with your own session config: `New-PSSession -SessionOption (New-PSSessionOption -NoMachineProfile) -ConnectionUri http://localhost:8173/WSMAN` – Jan Chrbolka May 26 '15 at 04:15

3 Answers

6

By process of elimination, we can rule out the firewall as an issue, as you are only connecting to the loopback address (127.0.0.1). We can also rule out the WinRM configuration, which looks fine.

The error message suggests that the TCP connection to http://localhost:8173/WSMAN is actually successful, but the fault occurs while establishing the PS session.

This points to Microsoft.PowerShell session configuration.

Looks like there is a discrepancy in the permissions you see when looking at

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI 

and the permission actually assigned to Microsoft.PowerShell. The output of

Get-PSSessionConfiguration microsoft.powershell | fl *

should have the "SecurityDescriptorSddl" and "Permission" properties listed. Like this:

Name                   : microsoft.powershell
Filename               : %windir%\system32\pwrshplugin.dll
SDKVersion             : 1
XmlRenderingType       : text
lang                   : en-US
PSVersion              : 2.0
ResourceUri            : http://schemas.microsoft.com/powershell/microsoft.powershell
SupportsOptions        : true
Capability             : {Shell}
xmlns                  : http://schemas.microsoft.com/wbem/wsman/1/config/PluginConfiguration
Uri                    : http://schemas.microsoft.com/powershell/microsoft.powershell
ExactMatch             : true
SecurityDescriptorSddl : O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
Permission             : BUILTIN\Administrators AccessAllowed

Try removing and reassigning these permissions.

EDIT:

Based on the information you have provided, this is not the main problem. I have also noticed that you have a non-standard "RootSDDL" in the WinRM service settings.

RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;S-1-5-21-2458768215-3945602940-3262220185-1045)(AU;SA;GWGX;;;WD)

By default this should be

RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)

I have recreated this on the test VM and Remoting still works. So I had another look at your WinRM configuration ...

Solution

Your problem is this line

MaxEnvelopeSizekb = 1039440

By setting this value I can replicate the issue you have. I would suggest setting this to something more reasonable, or to the default.

winrm set winrm/config '@{MaxEnvelopeSizekb="150"}'

Will fix your problem.

Jan Chrbolka
  • Updated the question with the image of permissions – Nida Sahar May 27 '15 at 11:42
  • performed the following PS> Unregister-PSSessionConfiguration microsoft.powershell PS> Enable-PSRemoting PS> Get-PSSessionConfiguration microsoft.powershell | fl max* – Nida Sahar May 27 '15 at 11:58
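
An added example (not part of the answer above, and not Microsoft tooling): a PowerShell function that parses the text printed by `winrm get winrm/config` and flags the oversized `MaxEnvelopeSizekb` the answer identifies, together with the cleartext and trust settings visible in the question's output. The function name `Test-WinRMConfigText`, the default threshold of 150 (taken from the answer's fix; adjust it to your baseline) and the sample excerpt are assumptions of this example.

```powershell
# Added example: audit the text output of `winrm get winrm/config`.
function Test-WinRMConfigText {
    param(
        [Parameter(Mandatory)][string]$Text,
        [long]$MaxEnvelopeKb = 150          # assumption: value used in the answer's fix
    )
    $stack = @()                            # current section path, e.g. Config, Client, Auth
    $cfg   = @{}                            # 'Config/Client/Auth/Basic' -> 'true'
    foreach ($line in $Text -split "`r?`n") {
        if ($line -notmatch '\S') { continue }
        $indent = $line.Length - $line.TrimStart().Length
        $depth  = [int][math]::Floor($indent / 4)   # winrm indents 4 spaces per level
        $stack  = @($stack | Select-Object -First $depth)
        $key, $value = $line.Trim() -split '\s*=\s*', 2
        if ($null -ne $value) { $cfg[(@($stack) + $key) -join '/'] = $value }
        else                  { $stack += $key }    # section header or empty-valued key
    }

    $findings = @()
    $envelope = [long]$cfg['Config/MaxEnvelopeSizekb']
    if ($envelope -gt $MaxEnvelopeKb) {
        $findings += "MaxEnvelopeSizekb = $envelope exceeds the expected $MaxEnvelopeKb"
    }
    foreach ($side in 'Client', 'Service') {
        $clear = $cfg["Config/$side/AllowUnencrypted"] -eq 'true'
        $basic = $cfg["Config/$side/Auth/Basic"] -eq 'true'
        if ($clear) { $findings += "${side}: AllowUnencrypted = true (messages may travel unencrypted over HTTP)" }
        if ($clear -and $basic) { $findings += "${side}: Basic auth over unencrypted HTTP sends credentials base64-encoded only" }
    }
    if ($cfg['Config/Client/TrustedHosts'] -eq '*') {
        $findings += 'Client: TrustedHosts = * lets the client authenticate to any host without verifying it'
    }
    $findings
}

# Constructed sample: an excerpt of the configuration shown in the question.
$sample = @'
Config
    MaxEnvelopeSizekb = 1039440
    Client
        AllowUnencrypted = true
        Auth
            Basic = true
        TrustedHosts = *
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
'@
Test-WinRMConfigText -Text $sample
```

On a live machine, pass the real output from an elevated prompt with `Test-WinRMConfigText -Text (winrm get winrm/config | Out-String)`.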
1

Setting the following worked for me after I upgraded two computers from Win 10 1607 to 1708.

The update changed the following reg key to 1, and setting it back to 0 worked for me:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
FilterAdministratorToken=dword:0
Brendan
0

In a "strict" IPv4 environment, we had the same problem as well.

The reason was: WinRM (and other services) seem to use the IPv6 loopback address even if IPv6 is disabled everywhere. (Which is no problem, except with WinRM.)

Hence, if there is no WinRM listener for the IPv6 loopback address, you can't connect to localhost, even if WinRM is working from a remote host.

dognose