Remote PS session fails on non-domain server

On client side

winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'

On server side

Enable-PSRemoting -Force
winrm quickconfig

For HTTPS

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="_";CertificateThumbprint="_"}'

For HTTP

winrm create winrm/config/Listener?Address=*+Transport=HTTP

Test with

Test-WsMan ComputerName
Test-WsMan ComputerName -UseSSL

Edit: Set TrustedHosts with PowerShell

Or with PowerShell (as Admin)

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

And check (don't need Admin for that)

Get-Item WSMan:\localhost\Client\TrustedHosts

Your problem, as found in one of those error messages, is:

If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting.

Basically, you need to either set WinRM to use HTTPS (rather than the default HTTP), or add the machine you're connecting from as a Trusted Host on the machine you're connecting to.


I finally got mine to work... where xxx.xxx.xxx.xxx is the IP Address.

PS C:\Users\Administrator> winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
PS C:\Users\Administrator> Enable-PSRemoting -Force
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.
PS C:\Users\Administrator> winrm set winrm/config/client '@{TrustedHosts="xxx.xxx.xxx.xxx"}'
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = xxx.xxx.xxx.xxx

PS C:\Users\Administrator> Enter-PSSession  -ComputerName xxx.xxx.xxx.xxx -Credential "~\Administrator"
[xxx.xxx.xxx.xxx]: PS C:\Users\Administrator\Documents>

My issue was for an instance hosted in AWS.

  • I had to open 5985 on the instance security group
  • I had to modify the firewall rule to allow 5985 for all profiles and any remote address

    New-NetFirewallRule -Name PsRemotingHttp -Direction Inbound -Action Allow -Protocol tcp -LocalPort 5985 -DisplayName PsRemotingHttp

I worked this out when I ran test-wsman:

"By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet."
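
A worked version of the HTTPS option from the first answer, with the inbound firewall rule limited to one remote address, as an added example that is not part of any answer above. The function names, the export path, `server1.example.test` and `203.0.113.10` are assumptions, and the certificate is self-signed.

```powershell
# Added example: names, paths and addresses below are assumptions, not values from this page.

# --- On the server (elevated PowerShell) ---
function Enable-WinRmHttps {
    param(
        [Parameter(Mandatory)][string]$DnsName,        # name clients will connect to
        [Parameter(Mandatory)][string]$AllowedClient,  # admin workstation IP or subnet
        [string]$ExportPath = "$env:TEMP\winrm-https.cer"
    )
    # Self-signed certificate for the listener; prefer a CA-issued one where a PKI exists.
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My

    # Same kind of listener as "winrm create ... Transport=HTTPS", created via the WSMan: drive.
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

    # Allow 5986 from the named client only, on every profile.
    New-NetFirewallRule -Name PsRemotingHttps -DisplayName PsRemotingHttps `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 `
        -RemoteAddress $AllowedClient -Profile Any | Out-Null

    # Export the public certificate only; copy this file to the client.
    Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
    $ExportPath
}

# --- On the client (elevated for the certificate import) ---
function Connect-WinRmHttps {
    param(
        [Parameter(Mandatory)][string]$DnsName,
        [Parameter(Mandatory)][string]$CertPath
    )
    # Trust the server certificate, so neither -SkipCACheck nor a TrustedHosts entry is used.
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # Stop here if the HTTPS listener cannot be reached or its certificate is rejected.
    Test-WSMan -ComputerName $DnsName -UseSSL -ErrorAction Stop | Out-Null
    Enter-PSSession -ComputerName $DnsName -UseSSL -Credential (Get-Credential)
}

# Server:  Enable-WinRmHttps -DnsName server1.example.test -AllowedClient 203.0.113.10
# Client:  Connect-WinRmHttps -DnsName server1.example.test -CertPath .\winrm-https.cer
```

The name passed to `-DnsName` on the client must resolve to the server and match the name the certificate was issued for, otherwise the TLS check fails.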