After playing with the Microsoft Azure MDM Baselines I got blocked from using the Powershell for Exchange Online module .
I have removed myself one time, and after some reboots and some quick config all went well. But this time I'm still not able to do New-ExoPSSession, I'm stuck with no more ideas to troubleshoot this.
So I do:

Connect-ExchangeOnline -UserPrincipalName john.doe@thatnice.place

and get the:

New-ExoPSSession : Connecting to remote server outlook.office365.com failed with the 
following error message : The client cannot connect to the destination specified in the 
request. Verify that the service on the destination is running and is accepting requests. 
Consult the logs and documentation for the WS-Management service running on the 
destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the 
following command on the destination to analyze and configure the WinRM service: "winrm 
quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\0.3582.0\ExchangeOnl
ineManagement.psm1:401 char:30

I have removed my user and machine from all Azure Profiles, and I'm able to use these commands on another machine. So I started to change the Local GPOs to ensure all was in place:

PS C:\WINDOWS\system32> winrm get winrm/config


returns:

Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 30000
        URLPrefix = wsman
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Digest = true [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = true [Source="GPO"]
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = * [Source="GPO"]
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true [Source="GPO"]
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter = * [Source="GPO"]
        EnableCompatibilityHttpListener = true [Source="GPO"]
        EnableCompatibilityHttpsListener = true [Source="GPO"]
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647


and

PS C:\WINDOWS\system32> winrm enumerate winrm/config/listener


returns:

Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.16.63, 127.0.0.1, 169.254.1.145, 169.254.5.162, 169.254.175.225, 169.254.235.174,<a lot of IPv6>

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.16.63, 127.0.0.1, 169.254.1.145, 169.254.5.162, 169.254.175.225, 169.254.235.174, <a lot of IPv6>

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTPS
    Port = 443
    Hostname = ooo-VASCO
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.16.63, 127.0.0.1, 169.254.1.145, 169.254.5.162, 169.254.175.225, 169.254.235.174, ::1, <a lot of IPv6>


the

PS C:\WINDOWS\system32> Get-Item WSMan:\localhost\Client\TrustedHosts


shows:

WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   TrustedHosts                   GPO             *


The event viewer saves this:

Event ID 11: WSMan API Call :: Creating WSMan shell with the ResourceUri: http://schemas.microsoft.com/powershell/Microsoft.Exchange and ShellId: bla-bla-bla

Event ID 254: :: Activity Transfer

Event ID 161: User authentication :: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".


even did a

C:\WINDOWS\system32>winrm invoke Restore winrm/Config 
Restore_OUTPUT



(edit)
and yes, I did run winrm quickconfig several times during the troubleshooting, but the result is:
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

(another edit)
With another profile in the same machine, the connection fails.
Using the same user in a new machine, connection is successful.


(edit after testing with other computer)
I was able to apply the same restrictive MDM policies on another device and revert them back.
The other device is connecting with basic authentication, but the problematic device still won't do the authentication even with it set to true, as seen in the current config:

PS C:\Windows\System32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Digest = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647


Can anyone share some path for this?

Edit: Just moved to PS7 and the error changed a bit:

New-ExoPSSession: C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\0.3582.0\ExchangeOnlineManagement.psm1:401
Line |
 401 |  … PSSession = New-ExoPSSession -ExchangeEnvironmentName $ExchangeEnviro …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core,
     | Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'..


Ezeq
  • I removed the information about the behavior in PS7 because they are not compatible: https://github.com/PowerShell/PowerShell/issues/11070 – Ezeq Mar 09 '20 at 17:32
  • Use 5.1 PS. Ran into the exact issue today with PS 7. Frustrating. Good luck! – Citizen Apr 24 '20 at 03:20
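The question compares two winrm get winrm/config outputs by eye; the script below, an added diagnostic that is not part of the question or either answer, pulls out only the client-side values Connect-ExchangeOnline depends on together with where each value comes from (Local or GPO), then looks for the policy registry keys that an applied MDM/GPO baseline leaves behind, checks HTTPS reachability to outlook.office365.com, and lists recent Event ID 161 entries from the WinRM operational log. It assumes an elevated Windows PowerShell 5.1 session on the affected machine; the PolicyManager registry path used for MDM residue is an assumption and is only read if it exists.

```powershell
# Added diagnostic for the WinRM client side of Connect-ExchangeOnline.
# Assumes elevated Windows PowerShell 5.1 (commenters note PS7 is not
# compatible with this module version) and the WSMan: provider.
$ErrorActionPreference = 'Stop'

# 1. Client settings that matter for the Exchange Online remoting session,
#    with SourceOfValue so a lingering GPO/MDM value is visible at a glance.
$paths = @(
    'WSMan:\localhost\Client\Auth\Basic',
    'WSMan:\localhost\Client\AllowUnencrypted',
    'WSMan:\localhost\Client\TrustedHosts'
)
foreach ($p in $paths) {
    $item = Get-Item -Path $p
    '{0,-18} = {1,-6} (SourceOfValue: {2})' -f $item.Name, $item.Value, $item.SourceOfValue
}

# 2. Policy key written by the "WinRM Client" group policy (ADMX
#    WindowsRemoteManagement). Values here override the local WSMan config
#    even after the baseline that set them has been removed.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
if (Test-Path -Path $gpoKey) {
    Get-ItemProperty -Path $gpoKey |
        Select-Object AllowBasic, AllowUnencryptedTraffic, AllowDigest, AllowCredSSP, TrustedHostsList
} else {
    "No WinRM Client policy key at $gpoKey (nothing enforced by GPO)"
}

# 3. Assumed location of Policy CSP (MDM) state for the RemoteManagement area.
#    Read only if present; the exact value names are not confirmed here.
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\RemoteManagement'
if (Test-Path -Path $mdmKey) {
    "MDM RemoteManagement policy residue found under $mdmKey :"
    Get-ItemProperty -Path $mdmKey
}

# 4. The session goes to outlook.office365.com over HTTPS (443), not to a
#    local 5985/5986 listener, so the listener table is irrelevant here.
$reachable = Test-NetConnection -ComputerName 'outlook.office365.com' -Port 443 -InformationLevel Quiet
"HTTPS 443 to outlook.office365.com reachable: $reachable"

# 5. Last five "User authentication" failures (Event ID 161) from the WinRM log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 161 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

If step 1 shows Basic = true with SourceOfValue GPO while step 2 finds no policy key, the value is being supplied by a policy source the registry view above does not cover, which matches the MDM-only symptom described in the question.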

2 Answers


This might be due to the WinRM service not running. Run the cmdlet below in a command prompt to start the WinRM service.

Winrm quickconfig

and then try connecting to Exchange Online.

Embry Fedora
  • Yes I did that step many times, during the troubleshooting. (I have put it in my question today) – Ezeq Mar 09 '20 at 10:24

First, in order to enable basic authentication in WinRM, the WinRM service must be in the running state. To start the WinRM service, launch a command prompt as administrator and run the following command:

Winrm quickconfig

Did you configure MFA? If yes, you could disable it for test. Please confirm if you are able to connect to Exchange Online PowerShell using the normal cmdlets below: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx

Reference: https://social.technet.microsoft.com/Forums/en-US/5d006906-c4f6-4929-9cb1-93339eef7cf0/exchange-online-error-identifier-is-not-in-a-valid-session-state-on-the-remote-computer?forum=onlineservicesexchange

Jayce
  • Hi; I edited my question to make it clear that I have done the reset with "Winrm quickconfig" several times with no success. As for removing the MFA and running the reference commands, it returns the same error. – Ezeq Mar 09 '20 at 10:48
  • You could create a new Windows profile for test. – Jayce Mar 10 '20 at 06:52
  • Other profile in the same machine, the connection fails. Same user in a new machine, connection is successful. – Ezeq Mar 10 '20 at 11:44
  • It seems to be Microsoft Azure MDM issue. – Jayce Mar 11 '20 at 09:09
  • It might be, but on the other computer I set Basic authentication to false, did the expected failed connection, and after that I set Basic auth back to true, and the policy was well applied because I was able to connect with no limitations. The problematic computer, which had the same policies applied to it (and still has them applied, as one can see from get winrm/config), still gives the error. – Ezeq Mar 13 '20 at 13:46
  • If only this computer has this issue, the quicker way is to rebuild the OS on it. – Jayce Mar 16 '20 at 07:39
  • Sorry for my late reply. Yes, it's true, but this was on a test device; the idea is to get a grip on the situation and solve it if it happens in other places. Thanks. – Ezeq Mar 29 '20 at 19:16