Winrm  401/Unauthorized Does not Map to a Kerberos Realm

Question asked by David Waugh on Dec 4, 2017
Latest reply on Jun 26, 2018 by Con O'Donnell

Hi, we have many Windows servers in our environment, but for one server I cannot get WinRM to work.

1) I have run the winrmconfig.ps script on the server. The output is all blue/green and yellow. The user has been specified.

04/12/2017 14:20:21
CURRENT LISTENER(S) INFORMATION:

04/12/2017 14:20:21 Listener: Address = * Transport = HTTPS Port = 5986 Hostname =MYSERVER.MYDOMAIN.COM Enabled = true URLPrefix = wsman CertificateThumbprint = 2e 05 19 d9 45 6f f8 3e 59 7f 23 10 81 fc e7 d16a 70 9d fb ListeningOn = 10.X.X.X, 10.X.X.X, 127.0.0.1, 172.X.X.X, ::1

04/12/2017 14:20:21 SECURITY LOG ACCESS FOR NETWORK SERVICE ACCOUNT CHECK BEGINS(WINRM SERVICE USES THIS ACCOUNT TO READ EVENT LOGS)
04/12/2017 14:20:21 Network Service SID is already added to the Security Channel ACL (Security Analytics can collect Security Event logs using the myuser@MYDOMAIN account)
04/12/2017 14:20:21 SECURITY LOG ACCESS FOR NETWORK SERVICE ACCOUNT CHECK ENDS
04/12/2017 14:20:21
COLLECTION USER RIGHTS CONFIGURATION BEGINS...

04/12/2017 14:20:21 Domain: BOE
04/12/2017 14:20:21 Account: MYUSER
04/12/2017 14:20:21 Checking access to the WinRM WMI Plugin (necessary for SID resolution)
04/12/2017 14:20:21 Winrm WMI plugin SDDL:
<PlugInConfiguration xmlns="http://schemas.microsoft.com/wbem/wsman/1/config/PluginConfiguration" Name="WMI Provider" Filename="C:\Windows\system32\WsmWmiPl.dll" SDKVersion="1" XmlRenderingType="text" UseSharedProcess="false" ProcessIdleTimeoutSec="0" RunAsUser="" RunAsPassword="" AutoRestart="false" Enabled="true" OutputBufferingMode="Block"><Resources><Resource ResourceUri="http://schemas.microsoft.com/wbem/wsman/1/wmi" SupportsOptions="true"><Security Uri="" ExactMatch="false" Sddl="O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;RM)(A;;GR;;;S-1-5-21-606747145-527237240-6123456789-123346)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)" /><Capability Type="Identify" /><Capability Type="Get" SupportsFragment="true" /><Capability Type="Put" SupportsFragment="true" /><Capability Type="Invoke" /><Capability Type="Create" /><Capability Type="Delete" /><Capability Type="Enumerate" SupportsFiltering="true" /><Capability Type="Subscribe" SupportsFiltering="true" /></Resource><Resource ResourceUri="http://schemas.dmtf.org/wbem/wscim/1/cim-schema" SupportsOptions="true"><Security Uri="" ExactMatch="false" Sddl="O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)" /><Capability Type="Get" SupportsFragment="true" /><Capability Type="Put" SupportsFragment="true" /><Capability Type="Invoke" /><Capability Type="Create" /><Capability Type="Delete" /><Capability Type="Enumerate" /><Capability Type="Subscribe" SupportsFiltering="true" /></Resource><Resource ResourceUri="http://schemas.dmtf.org/wbem/wscim/1/*" SupportsOptions="true" ExactMatch="true"><Security Uri="" ExactMatch="false" Sddl="O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)" /><Capability Type="Enumerate" SupportsFiltering="true" /><Capability Type="Subscribe" SupportsFiltering="true" /></Resource><Resource ResourceUri="http://schemas.dmtf.org/wbem/cim-xml/2/cim-schema/2/*" SupportsOptions="true" ExactMatch="true"><Security Uri="" ExactMatch="false" 
Sddl="O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)" /><Capability Type="Get" SupportsFragment="false" /><Capability Type="Enumerate" SupportsFiltering="true" /></Resource></Resources><Quotas MaxConcurrentUsers="100" MaxConcurrentOperationsPerUser="100" MaxConcurrentOperations="1500" /></PlugInConfiguration>
04/12/2017 14:20:21 setWmiSDDL looking for SID: S-1-5-21-606747145-527237240-6123456789-123346
04/12/2017 14:20:21 setWmiSDDL SDDL: O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;RM)(A;;GR;;;S-1-5-21-606747145-527237240-6123456789-123346)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
04/12/2017 14:20:21 User myuser@MYDOMAIN with SID S-1-5-21-606747145-527237240-6123456789-123346 is already
added to the WinRM WMI Plugin SDDL (Security analytics can resolve SIDs with this account)

04/12/2017 14:20:21 Checking access to the CIM Root (necessary for Event log collection)
04/12/2017 14:20:21 Checking access to the CIM Root for SID S-1-5-21-606747145-527237240-6123456789-123346
04/12/2017 14:20:21 Setup call to GetSecurityDescriptor, parameters:
04/12/2017 14:20:21 Got acl
04/12/2017 14:20:21 Found trustee SID: S-1-5-21-606747145-527237240-6123456789-123346

04/12/2017 14:20:21 User myuser@MYDOMAIN with SID: S-1-5-21-606747145-527237240-6123456789-123346 is already enabled
for WMI access via WinRM (Security Analytics can collect Event logs using this account)

04/12/2017 14:20:21 Checking user myuser@MYDOMAIN membership to the Event Log Readers group
04/12/2017 14:20:22 Event Log Readers member: NETWORK SERVICE
04/12/2017 14:20:22 Event Log Readers member: MYUSER
04/12/2017 14:20:22 User myuser@MYDOMAIN is already a member of Event Log Readers group
04/12/2017 14:20:22
COLLECTION USER RIGHTS CHECK ENDS HERE...

04/12/2017 14:20:22 OS Version:

2) From the logcollector I can curl to the server on port 5986 (the HTTPS port) successfully.

3) I have looked at the steps in the WinRM troubleshooting guide and can see that I have Kerberos tickets for this service.

Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktWWLHCf
Default principal: winrm@MYDOMAIN.COM

Valid starting Expires Service principal
12/04/17 11:48:45 12/04/17 21:48:54 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 12/11/17 11:48:45

12/04/17 11:49:25 12/04/17 21:48:54 HTTP/myserver.mydomain.com@MYDOMAIN.COM
12/04/17 11:51:41 12/04/17 21:48:54 host/myserver.mydomain.com@MYDOMAIN.COM

4) I did a packet capture and can see that packets are flowing, but I am wondering if there is an issue establishing the TLS connection.

5) winrm get winrm/config seems to be correct.

6) I looked in the event log and saw the following

7) setspn -L hostname returns

C:\Windows\system32>setspn -L SERVER
Registered ServicePrincipalNames for CN=SERVER,OU=DEV,OU=Standard,OU=Member Servers 2012,DC=mydomain DC=com:
WSMAN/SERVER
WSMAN/SERVER.mydomain.com
TERMSRV/SERVER.mydomain.com
TERMSRV/SERVER
RestrictedKrbHost/SERVER
HOST/SERVER
RestrictedKrbHost/SERVER.mydomain.com
HOST/SERVER.mydomain.com

8) The packet capture reveals that there is an encryption alert 21.

9) Windows Log is showing:

Does anyone have any ideas?
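One thing the message in the title points at is the client-side step that turns the target hostname into a Kerberos realm. With MIT krb5, that comes from the [domain_realm] section of krb5.conf (DNS TXT lookup aside), and a host that matches no entry there is exactly a host that "does not map to a Kerberos realm". The Python below is an added example for this thread, not code from the original post or from the winrmconfig script; it assumes the log collector reads an MIT-style krb5.conf (the DIR: ticket cache in item 3 is the MIT format, but that is still an assumption), and the config text, hostnames and realm names in it are constructed for illustration. It parses [domain_realm], resolves a hostname the way MIT does (exact host first, then each parent domain with a leading dot), and compares the result with the realm in the cached service ticket from klist (the part after the @ in HTTP/myserver.mydomain.com@MYDOMAIN.COM).

```python
"""Resolve a target hostname to a Kerberos realm via [domain_realm].

Added example for this thread; not from the original post or the
winrmconfig script. Assumes an MIT-style krb5.conf on the log collector.
The config text and hostnames below are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# Constructed sample krb5.conf (not the poster's real file).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = false   # no DNS TXT fallback: [domain_realm] must cover the host

[realms]
    MYDOMAIN.COM = {
        kdc = dc01.mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
    ; a single host outside the domain suffix, mapped explicitly
    oddserver.otherdomain.local = MYDOMAIN.COM
"""


def parse_domain_realm(conf_text: str) -> Dict[str, str]:
    """Return {lowercased key: realm} from the [domain_realm] section only.

    The brace blocks under [realms] are skipped; '#' and ';' start comments.
    """
    mapping: Dict[str, str] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def lookup_realm(hostname: str, mapping: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Apply MIT's [domain_realm] lookup order to one hostname.

    The exact (lowercased, trailing-dot-stripped) hostname is tried first,
    then each parent domain with a leading dot: '.mydomain.com', then '.com'.
    Returns (realm, matched_key), or (None, None) when nothing matches, which
    is the 'does not map' case. Real krb5 may still fall back to DNS or the
    default realm after this; that fallback is deliberately not modelled.
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], candidate
    return None, None


def check_host(hostname: str, conf_text: str, ticket_realm: str) -> str:
    """Compare the realm krb5.conf would choose with the realm in the cached
    service ticket (the part after '@' in an entry such as
    HTTP/myserver.mydomain.com@MYDOMAIN.COM).

    Returns 'ok', 'no-mapping' or 'realm-mismatch'.
    """
    realm, _ = lookup_realm(hostname, parse_domain_realm(conf_text))
    if realm is None:
        return "no-mapping"
    return "ok" if realm.upper() == ticket_realm.upper() else "realm-mismatch"


if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    for host in ("MYSERVER.MYDOMAIN.COM", "oddserver.otherdomain.local", "srv.unmapped.local"):
        realm, key = lookup_realm(host, table)
        print(f"{host:32} -> {realm or 'NO MAPPING':14} (matched {key!r})")
```

Run it against the collector's real krb5.conf and the hostname from the WinRM event source to see whether the host resolves to the same realm the klist output shows; a 'no-mapping' result means adding a host or dotted-domain entry under [domain_realm] (or enabling DNS realm lookup) before retrying, while 'realm-mismatch' points at a cross-realm or trust problem rather than a missing entry.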
