How to force WinRM to listen on interfaces over HTTPS


Windows Remote Management (WinRM) is a protocol for Windows operating systems that is implemented as a web service and used for secure remote management of systems. The following features depend on the WinRM configuration;

  • Windows Remote Shell command line tool
  • Winrs
  • Event Forwarding
  • Windows PowerShell 2.0 Remoting

The WinRM service starts automatically on Windows Server 2008, but by default no WinRM listener is configured. That means no WS-Management protocol message can be received or sent.

Default ports for WinRM 2.0 are;

  • HTTP: 5985
  • HTTPS: 5986

For those who are interested in PowerShell scripting, PowerShell remoting is a great and helpful feature that comes with version 2.0. PsRemoting lets you execute PowerShell scripts on remote computers over the WinRM protocol. Even though you are in your local PowerShell console, you can run any script and it will be executed on the remote computers, and each remote connection lives in a session that you can manage separately.

But be aware that if you want to perform actions on an operating system through WinRM, you must configure the required prerequisites first. In this blog post we'll cover how to configure WinRM to work over HTTPS, so that, for example, you can execute your PowerShell scripts on remote computers over HTTPS with certificate-based authentication. This also lets you configure mutual authentication between untrusted computers that use WinRM for communication.

For basic configuration, simply run the winrm qc (quickconfig) command.


This is a shortcut to configure WinRM to work over HTTP. Running this command takes the following actions;

  • Creating a WinRM listener on HTTP://* for local networks.
  • Enabling firewall exceptions for WinRM

After configuring with the quickconfig command you can enumerate the listener status;


The enumeration shows that it listens over HTTP on all network interfaces. But what we want is HTTPS communication.

HTTPS communication requires certificate-based authentication of the server: for Windows Remote Management, each computer that will be managed with WinRM must have a Server Authentication certificate.

The most important point is that the certificate's subject name must match the computer's NetBIOS name (workgroup) or FQDN (domain-joined). You can use the Web Server template from your certificate templates store. My suggestion is to duplicate the Web Server template and configure it so that the private key is exportable.

Now let’s request a certificate from local Certification Authority step by step.


Type your local CA URL in your browser and click Request a certificate.


Click advanced certificate request.


Choose your custom Server Authentication template and fill in the fields.

Don't forget to set the Name field to your computer name. If it's a domain-joined computer, type the fully qualified domain name; otherwise the NetBIOS name is enough.


When you click Install Certificate in your browser, the certificate is placed in the Current User store. We need to export it together with its private key and then import it into the Computer account store.


Check that the certificate's Subject name matches your computer name.


To configure WinRM over HTTPS we need the thumbprint of the Server Authentication certificate.

Open the certificate you imported earlier and note its thumbprint.


Now we can run the following winrm command to create the WinRM listener and bind it to the certificate created above (use your own host name and thumbprint):

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="serverfqdn";CertificateThumbprint="1fd53031caf98df226428069ccfdf3152b6ddc2b"}


Check for the ResourceCreated output.

Now let's enumerate the listener again;


The listener now sends and receives messages over HTTPS.

From now on, WinRM connections will be accepted over HTTPS.

If you start a remote PowerShell session between two computers that use certificate-based WinRM, you will notice that it opens and listens for connections on port 5986.


As I mentioned before, this method can also be used between a domain-joined computer and a workgroup computer. And please note that if you don't configure the required authentication method, WinRM first tries to communicate over Kerberos.
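The listener creation and firewall steps above, as an added PowerShell example that is not from the original post. It assumes the Server Authentication certificate has already been imported into the Computer account store as described, selects it by subject and EKU instead of a hand-typed thumbprint, and needs PowerShell 3.0 or later plus the NetSecurity and PKI modules (Windows 8 / Server 2012 and later) for New-NetFirewallRule and Test-Certificate.

```powershell
# Added example (not the original post's commands). Run in an elevated
# PowerShell on the server that will be managed over WinRM.

# Assumption: the listener Hostname must equal the certificate subject, so
# take the FQDN (domain-joined) or NetBIOS name (workgroup) from the host.
$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Newest unexpired Server Authentication (EKU 1.3.6.1.5.5.7.3.1) certificate
# in the computer store whose subject matches the host and has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -like "CN=$HostName*" -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains '1.3.6.1.5.5.7.3.1')
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No Server Authentication certificate for CN=$HostName with a private key in Cert:\LocalMachine\My"
}

# A certificate that does not chain to a trusted root on this host will be
# rejected by clients too, so fail early instead of binding it.
if (-not (Test-Certificate -Cert $cert -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction SilentlyContinue)) {
    throw "Certificate $($cert.Thumbprint) does not chain to a trusted root"
}

# Cmdlet form of: winrm create winrm/config/Listener?Address=*+Transport=HTTPS
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet    @{ Hostname = $HostName; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# quickconfig only opens 5985; open 5986 for the domain and private profiles.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (TCP 5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Profile Domain,Private -Action Allow | Out-Null

# Verify: an HTTPS listener exists, and a WS-Management identify request
# succeeds over TLS (this fails if the chain or subject name does not match).
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
Test-WSMan -ComputerName $HostName -UseSSL

# Optional: remove the plain HTTP listener afterwards. As the comments below
# note, Server Manager on 2012 R2 recreates it when remote management is re-enabled.
# Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTP' }
```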

Comments (12)

  1. PolishPaul says:

    How about configuring this via GPO? I'm not able to find a way to control this using GP.

  2. PolishPaul says:

    Is it possible to use Server Manager to connect to another computer using only HTTPS?

  3. Yanar says:

    Please Can you explain how to configure CA ?

  4. Bradford says:

    It would be nice… nay *utterly and completely necessary* to state that Active Directory Certificate Services needs to be installed on a DC or other system as a prerequisite to following these instructions. Just putting "http://X.X.X.X/certsrv" into the browser of a target system just leads to a "page cannot be displayed" error. There’s a huge step missing here, and it’s required to execute the above instructions. Maybe a nice link on how to configure a local Certification Authority would be helpful… or just sane.

  5. Jasmine says:

    http://10.0.0.100/certsrv can’t be browsed. Where can I create the certificate?

  6. Chris says:

    You need a Certificate Server, or rootCA for your domain to follow this guide.


  8. Sean says:

    I am trying to do the HTTPS setup on 2012 R2 servers. I have the proper certificate in the computer store and the thumbprint mapped in the listener correctly. When I delete the HTTP listener, Server Manager tells me that my server within the server group may need to have WinRM configured… I have disabled all firewalls and HIPS/NIPS and verified the port is open; still, communication is cut when I switch to HTTPS only… For 2012 R2 systems is there something different that needs to be done?

  9. Sean says:

    To add more insight on my question:
    When I delete the HTTP listener it marks the remote management in Server Manager as disabled; when I enable it, the HTTP listener is re-installed. In short, it appears that Windows 2012 R2 Server Manager requires HTTP for remote management… Is there a way to make Server Manager use HTTPS instead?

  10. damyang says:

    What about when the certificate is not based on a template using a "Legacy Cryptographic Service Provider" but on a "Key Storage Provider" (RSA)? Is there possibly any known issue?

    Without much of a research – yet, this could be the problem:

    Error number: -2144108414 0x80338082

    The WS-Management service cannot find the certificate that was requested.


  12. Saurabh Jain says:

    This is a great blog……Thanks so much