In Windows Remote Management 2.0, all operations are handled as if they come from a remote computer. Therefore, the requests that use a destination of "localhost" require that the Windows Remote Management service is running and that the correct authentication methods are enabled.
Specifically, Windows Remote Management lets you configure which authentication schemes are allowed on both the client-side and on the server-side. These settings are as follows:
C:\Windows\system32>winrm get winrm/config/client/auth
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
C:\Windows\system32>winrm get winrm/config/service/auth
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = None [Source="GPO"]
Note The first example displays the authentication schemes that are allowed on the client-side, and the second example does the same on the server-side.
There are two possible situations where a user can effectively make Windows Remote Management inaccessible:
- If the user disables all authentication schemes for the service, the service no longer accepts requests from any client. In this situation, a Windows Remote Management operation cannot pass through the locked service. Therefore, the configuration settings cannot be changed.
- If the user disables all authentication schemes for the client, the client can no longer connect to any Windows Remote Management endpoint. In this situation, Windows Remote Management cannot connect to the local endpoint. Therefore, you cannot change the client-side settings.
Windows Remote Management supports an
invoke restore operation that sets back the configuration to the default settings. However, this operation has to use the service. Therefore, this operation is useless in the situations that were mentioned earlier.
If one of these situations occurs, the following can be done to restore Windows Remote Management to a usable state.
The user changes the relevant Group Policy settings to enable at least one authentication mechanism. The user can then run a
winrm command in order to enable all the necessary authentication mechanisms in both the client-specific and in the service-specific configuration settings. Then the user reverts the Group Policy settings back to their original state.
The relevant Group Policy settings can be found in the following location:
Administrative Templates > Windows Components > Windows Remote Management (WinRM)
The following are the relevant policies:
WinRM Client > Allow Basic authentication
WinRM Client > Allow CredSSP authentication
WinRM Client > Disallow Digest authentication
WinRM Client > Disallow Kerberos authentication
WinRM Client > Disallow Negotiate authentication
WinRM Service > Allow Basic authentication
WinRM Service > Allow CredSSP authentication
WinRM Service > Disallow Kerberos authentication
WinRM Service > Disallow Negotiate authentication
The following command examples enable particular authentication schemes on either the Windows Remote Management client or on the Windows Remote Management service:
winrm set winrm/config/client/Auth @{Basic="true"}
winrm set winrm/config/service/Auth @{Basic="true"}
Note These command examples enable Basic authentication.