WinRM不会连接到我域中的远程计算机
我正在尝试运行一个脚本,为我域中的用户远程安装一个程序。我可以在自己的计算机上很好地运行脚本,但是当我为域中的另一台计算机运行脚本时,我会得到
连接到远程服务器(计算机名)失败,出现以下错误消息: WinRM无法完成操作。验证指定的计算机名称是否有效,计算机是否可通过网络访问,以及是否启用了WinRM服务的防火墙异常并允许从此计算机进行访问。默认情况下,公共配置文件的WinRM防火墙异常限制对同一本地子网中的远程计算机的访问。有关更多信息,请参见about_Remote_Troubleshooting帮助主题。
我已经配置了winRM和winRM GPO,关闭了防火墙,但是我仍然收到相同的错误。我觉得我已经用尽了所有的选择,所以我希望得到一些帮助。
我尝试过的事情:
- 检查防火墙是否阻塞端口
- 通过域上的GPO配置winRM,ipv4和ipv6正在监听*
- 在两台计算机上启用-Force和winrm /quickconfig
- 运行winrm id -r:(mymachine),它在我的机器上工作,但在我试图远程处理的计算机上运行,因为我得到了错误:
WSManFault
Message = WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.
Error number: -2144108250 0x80338126
WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.- 运行telnet (TargetMachine) 5985失败,连接到(ComputerName)...Could时未打开到主机的连接,端口5985:连接失败
- 当我运行'winrm get winrm/config‘和'winrm get wmicimv2 2/WinRM 32_Service?Name=WinRM’时,我得到以下输出:
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = ()ComputerName)
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = * [Source="GPO"]
IPv6Filter = * [Source="GPO"]
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true [Source="GPO"]
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
Win32_Service
AcceptPause = false
AcceptStop = true
Caption = Windows Remote Management (WS-Management)
CheckPoint = 0
CreationClassName = Win32_Service
DelayedAutoStart = null
Description = Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.
DesktopInteract = false
DisplayName = Windows Remote Management (WS-Management)
ErrorControl = Normal
ExitCode = 0
InstallDate = null
Name = WinRM
PathName = C:\WINDOWS\System32\svchost.exe -k NetworkService -p
ProcessId = 15760
ServiceSpecificExitCode = 0
ServiceType = Share Process
Started = true
StartMode = Auto
StartName = NT AUTHORITY\NetworkService
State = Running
Status = OK
SystemCreationClassName = Win32_ComputerSystem
SystemName = (ComputerName)
TagId = 0
WaitHint = 0- 我还可以在目标计算机上创建一个文件夹。但在目标计算机上执行程序安装失败。
我不记得我试过的每一件小事,但如果你提出建议,我可以证实我已经试过了。
我在网上遵循了很多建议,其中包括远程PowerShell,WinRM失败: WinRM无法完成操作
但还是..。没什么。
回答 3
Server Fault用户
发布于 2020-02-07 20:40:50
如果尚未在组策略/本地策略中配置允许的网络地址/受信任主机列表,这可能是原因之一。
管理模板> Windows >> WinRM服务
允许通过WinRM进行远程服务器管理
此策略设置允许您管理(WinRM)服务是否在网络上自动侦听通过默认HTTP端口发送的HTTP传输请求。
如果启用此策略设置,则WinRM服务将在网络上自动侦听通过默认HTTP端口的HTTP传输上的请求。
若要允许WinRM服务通过网络接收请求,请配置Windows策略设置,其中包含端口5985的例外(HTTP的默认端口)。
如果禁用或不配置此策略设置,WinRM服务将不会响应来自远程计算机的请求,无论是否配置了WinRM侦听器。
服务侦听由IPv4和IPv6筛选器指定的地址。IPv4过滤器指定一个或多个IPv4地址范围,IPv6过滤器指定一个或多个IPv6addresses范围。如果指定,则该服务枚举计算机上可用的IP地址,并且只使用属于其中一个筛选范围的地址。
您应该使用星号(*)来指示服务侦听计算机上所有可用的IP地址。使用*时,将忽略筛选器中的其他范围。如果筛选器为空,则服务不会侦听任何地址。
例如,如果希望服务只侦听IPv4地址,则将IPv6筛选器保留为空。
范围使用IP1-IP2语法指定。使用",“(逗号)分隔多个区域。
示例filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562过滤器:\n 2.0.0.1-2.0.20,24.0.0.1-24.0.22 IPv6过滤器
管理模板> Windows >> WinRM客户机
受信任主机
此策略设置允许您管理(WinRM)客户端是否使用可信主机列表中指定的列表来确定目标主机是否为受信任实体。
如果启用此策略设置,则WinRM客户端将使用在受信任主机列表中指定的列表来确定目标主机是否为受信任实体。当不使用HTTPS或Kerberos验证主机的身份时,WinRM客户端将使用此列表。
如果禁用或不配置此策略设置,且WinRM客户端需要使用受信任主机的列表,则必须在每台计算机上本地配置受信任主机的列表。
Server Fault用户
发布于 2020-04-15 20:20:51
因为您可以创建文件夹,但不能安装程序,所以可能需要更改执行策略。
Set-ExecutionPolicy RemoteSigned -forceServer Fault用户
发布于 2022-01-24 22:49:25
还请检查ssl证书配置??在启用https侦听器时与拇指打印相关联,在我的示例中,配置了错误的拇指打印。
https://serverfault.com/questions/1002098
复制相似问题
腾讯云开发者
