3

I am trying to get two workgroup machines (both are Windows 2012 R2) to talk to each other using PowerShell via WinRM. Let's call them ServerA and ServerB. On both machines I ran the following commands:

  1. Enable-PSRemoting -Force
  2. Set-Item WsMan:\localhost\client\trustedhosts Server[A|B]
  3. Restart-Service WinRM

From ServerB I can connect remotely to ServerA using the Enter-PSSession ServerA command. However, I cannot connect in the other direction. ServerA cannot connect to ServerB. I get the following error message:

enter-pssession : Connecting to remote server ServerB failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ enter-pssession ServerB
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (ServerB:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

I also tried connecting a remote session to the server itself, i.e. from ServerB, Enter-PSSession ServerB. I get the same error as above. I tried disabling both firewalls completely and that did not help either. I also tried doing a Test-NetConnection ServerB -port 5985 and that gives me a warning saying:

WARNING: TCP connect to ServerB:5985 failed

ComputerName           : ServerB
RemoteAddress          : ip
RemotePort             : 5985
InterfaceAlias         : Ethernet
SourceAddress          : ip
PingSucceeded          : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded       : False

By using the Test-NetConnection command I do see an entry in the PowerShell Event Log that reads:

Error Message = Exception calling ".ctor" with "2" argument(s): "No connection could be made because the target machine actively refused it ip:5985" ...

What are some other steps I can take to troubleshoot this connection problem?

Dave
  • You mention workgroups, is there a reason you haven't joined these to a domain? Even in a lab environment a DC is easily stood up and recommended. Getting PSRemoting working between two non domain joined systems is notoriously painful due to the authentication issues. – Colyn1337 Apr 30 '16 at 09:29
  • "No connection could be made because the target machine actively refused it ip:5985" ... suggests that connections are blocked. Can you check that the winrm service is started on the host, and that the firewall is not blocking it. – Tom Feb 06 '18 at 10:16

2 Answers

0

The winrm quickconfig command (or the abbreviated version winrm qc) performs the following operations: Starts the WinRM service, and sets the service startup type to auto-start. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.

winrm quickconfig
Sum1sAdmin
0

Network seems to be the problem here. If TCP connection to port 5985 doesn't work there is no chance to get inbound PSRemoting to work.

Can you verify the connection profiles (Get-NetConnectionProfile) on ServerB? On a public network the listener will default to local network only, resulting in issues when you try to connect from a machine in a different subnet. You can check that easily by looking at the inbound firewall rule:

$rule = Get-NetFirewallRule -Name WINRM-HTTP-In-TCP
Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule

You can check if the update to the rule that would allow any remote address will fix it:

Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -RemoteAddress Any

Obvious question: why does it work in the opposite direction? I suspect that the other server has the network flagged as 'private'. In private networks AFAIR conne

BartekB
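A read-only check to run on ServerB that gathers the items raised in the comments and answers above in one pass: WinRM service state, configured listeners, whether anything is bound to port 5985, the network category, and the remote-address scope of the WinRM firewall rules. This is an added example, not code from any poster; the function name Test-WinRMInbound and the wildcard on the rule name are assumptions, and it needs an elevated session.

```powershell
# Added diagnostic example (not from the thread). Reports state only; changes nothing.
function Test-WinRMInbound {
    param([int]$Port = 5985)

    # 1. Is the WinRM service running?
    $svc = Get-Service -Name WinRM

    # 2. Is any WS-Management listener configured?
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)

    # 3. Is anything bound to the port? A refused connection (as opposed to a
    #    timeout) usually means the host answered but nothing is listening.
    $bound = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    # 4. Network category (Public / Private / DomainAuthenticated) per interface.
    $profiles = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

    # 5. WinRM inbound rules and the remote addresses each one admits.
    $rules = Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                Enabled       = $_.Enabled
                Profile       = $_.Profile
                RemoteAddress = $filter.RemoteAddress -join ','
            }
        }

    [pscustomobject]@{
        ServiceStatus = $svc.Status
        ListenerCount = $listeners.Count
        PortBound     = ($bound.Count -gt 0)
        Profiles      = $profiles
        FirewallRules = $rules
    }
}

$r = Test-WinRMInbound
$r | Format-List ServiceStatus, ListenerCount, PortBound
$r.Profiles      | Format-Table -AutoSize
$r.FirewallRules | Format-Table -AutoSize

if (-not $r.PortBound) {
    'Nothing is listening on the port: check the service and listener before the firewall.'
} elseif ($r.FirewallRules | Where-Object { $_.Enabled -eq 'True' -and $_.RemoteAddress -eq 'LocalSubnet' }) {
    'A rule limits callers to LocalSubnet: connections from other subnets will not be admitted.'
}
```

If the firewall scope turns out to be the cause, setting RemoteAddress to the specific peer address keeps WinRM on a public-profile interface reachable only from that host, where Any opens it to every source.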