WinRM over OpenWSMAN Setup - Openwsman/openwsman GitHub Wiki
Windows Remote Management is one component of Windows Hardware Management features that manage server hardware locally and remotely.
The WinRM service configuration prepares a Windows client to be accessed by OpenWSMAN, e.g. the openwsman command line client
- Install Microsoft Windows Vista, Windows 7 or higher.
- Activate “Command Prompt” window with “Administrator privilege.”
- Click through to Start/All Programs/Accessories
- Right-click on Command Prompt
- Click on Run as administrator
- Press Continue button.
- Run the following “winrm” commands in the command prompt window to enable WinRM firewall exception:
winrm quickconfig
- Additionaly, security needs to be untightened bu enabling Basic Authentication and enabling unencrypted communication (required for testing only):
winrm set winrm/config/service/auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}
Attn the above winrm commands will fail in Windows Server 2012 (with PowerShell2), you need to put the @{...} in single quotes like
winrm set winrm/config/service/auth '@{Basic="true"}'
(see here for a discussion)
Another way of setting winrm configuration values is via PowerShell (as an elevated process) and run
cd WSMan:\localhost\Service
set-item .\allowunencrypted $true
cd WSMan:\localhost\Service\Auth
set-item .\basic $true
The WinRM client configuration allows the winrm command line client on Windows to communicate with an OpenWSMAN service.
- Install Microsoft Windows Vista, Windows 7 or higher.
- Activate “Command Prompt” window with “Administrator privilege.”
- Click through to Start/All Programs/Accessories
- Right-click on Command Prompt
- Click on Run as administrator
- Press Continue button.
- Run the following “winrm” commands in the command prompt window to change the default settings:
winrm set winrm/config/client/auth @{Basic="true"}
winrm set winrm/config/client @{AllowUnencrypted="true"}
winrm set winrm/config/client @{TrustedHosts="192.168.1.100"}
Note: Replace the 192.168.1.100 with the host address of the server hosting the target OpenWSMAN service.
Attn the above winrm commands will fail in Windows Server 2012 (with PowerShell2), you need to put the @{...} in single quotes like
winrm set winrm/config/client/auth '@{Basic="true"}'
(see here for a discussion)
Another way of setting winrm configuration values is via PowerShell (as an elevated process) and run
cd WSMan:\localhost\Client
set-item .\allowunencrypted $true
cd WSMan:\localhost\Client\Auth
set-item .\basic $true
Verify the OpenWSMAN service is running on the target server. Run the following “winrm command” to test the connection:
winrm enumerate http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ComputerSystem -username:wsman -password:secret -r:143.166.157.213:8889/wsman -auth:basic
(Replace -username, -password, and IP address with appropriate values for your setup)
Output should look something like:
CIM_ComputerSystem Name = ZPB9K34 CreationClassName = CIM_ComputerSystem NameFormat = 'other' Dedicated = null ResetCapability = 1 PrimaryOwnerName = null PrimaryOwnerContact = null EnabledState = 2 OtherEnabledState = null RequestedState = 2 EnabledDefault = 2 TimeOfLastStateChange = null InstallDate = null OperationalStatus = null Status = null HealthState = 25 Caption = null Description ElementName = server1.domain.com
Tools available on Windows to debug WinRM requests
- wbemtest (Windows Management Instrumentation Tester, aka wbem browser)
- wmimgmt (Windows Management Instrumentation service config)
Follow this guideline to check for correct permissions.
If only 'identify' works for you but you cannot access other CIM namespaces via WinRM, then you need to adapt the security settings of WMI Control Properties. Follow step 3 in the resolution section of this guideline
Run Server Manager, choose Event Viewer from the Tools menu.
Inside 'Event Viewer', choose Applications and Services Logs from the left tree pane. Navigate to Microsoft, Windows
There is Windows Remote Management logging if the WinRM service is operational at all.
WMI Activity gives you a more detailed log about the actual WinRM requests.
See Collecting WinRM Traces blog entry at the Windows Management Infrastructure Blog
Beware - the WPP trace is binary :-/