EV Observe - Configure WinRM Monitoring Prerequisites

Last modified on 2023/06/05 19:56

WinRM (Windows Remote Management) is Microsoft's implementation of the WS-Management protocol and the standard remote management channel for Windows servers. It carries SOAP messages over HTTP (TCP/5985 by default) or HTTPS (TCP/5986).

  • It is used to connect to machines and run commands or PowerShell remotely.
  • It ships with Windows: no agent has to be installed on the machines to be monitored.


To use service templates based on the WinRM protocol, specific prerequisites must first be met.

  • You configure these prerequisites once only.
  • This is done in two configuration steps, followed by a check from the Box (Step 3):
    • Enable the WinRM protocol to receive remote commands on the Windows server to be monitored
    • Configure the Box to perform Kerberos authentication when connecting to the Windows server via WinRM

Notes

  • The WinRM service starts automatically by default on Windows Server 2012 and later (Windows Server 2012, 2012 R2, 2016 and 2019).
  • The WinRM protocol is also used by the Discovery module on Windows machines.

Best Practice

  • Use the WinRM protocol rather than the Winexe service. Winexe installs a service binary on every server it connects to, and antivirus products frequently quarantine that binary; WinRM is built into Windows, requires nothing to be installed on the servers to be monitored and, when Kerberos authentication is used, encrypts the session at message level even over plain HTTP on TCP/5985.

Procedure: How to configure WinRM monitoring prerequisites

Step 1: Enable the WinRM service to receive remote commands on the Windows server to be monitored

1. Log in to the Windows server to be monitored.

2. Run the PowerShell command below to check the WinRM service status.

Get-Service WinRM

The Running status indicates that the service is running. The Stopped status indicates that the service is stopped.

3. Start the WinRM service if its status is Stopped.

  • Run the PowerShell command below from an elevated session (Run as administrator). Besides starting the service, Enable-PSRemoting sets it to start automatically, creates the HTTP listener on TCP/5985 and enables the WinRM firewall rules.

Enable-PSRemoting

  • Check that the Windows Remote Management (HTTP-In) firewall rules are enabled on the Windows server for the network profile in use (Domain, on a domain-joined server).
             Windows remote management rules configuration.png
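The checks of Step 1 gathered into one script, as an added example: it is not EasyVista's code and not taken from the page. It verifies, on the server to be monitored, the service, the HTTP listener, the authentication settings, the firewall rules and the group membership that the "Insufficient WinRM rights" case further down relies on. The account name CLIENT\svc-monitor is a placeholder.

```powershell
# Added example (not EasyVista's code): verify and, if necessary, enable every
# Step 1 prerequisite on the Windows server to be monitored.
# Run it in an elevated PowerShell session on that server.
#Requires -RunAsAdministrator
$MonitoringAccount = 'CLIENT\svc-monitor'   # domain account the Box will use (placeholder)

# 1. Service. Enable-PSRemoting starts WinRM, sets it to start automatically,
#    creates the HTTP listener on TCP/5985 and enables the WinRM firewall rules.
if ((Get-Service -Name WinRM).Status -ne 'Running') {
    Enable-PSRemoting -Force
}

# 2. Listener: there must be an HTTP listener on TCP/5985.
$listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
$http = $listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Port -eq '5985' }
if (-not $http) { throw 'No WinRM HTTP listener on TCP/5985' }

# 3. Authentication. Kerberos must be accepted. With Kerberos the SOAP payload is
#    encrypted at message level, so plain HTTP is acceptable; AllowUnencrypted must
#    stay false and Basic should stay off so that no credential ever crosses the
#    wire in clear.
$auth = Get-ChildItem -Path WSMan:\localhost\Service\Auth
if (($auth | Where-Object Name -eq 'Kerberos').Value -ne 'true') {
    throw 'Kerberos authentication is disabled on the WinRM service'
}
if (($auth | Where-Object Name -eq 'Basic').Value -eq 'true') {
    Write-Warning 'Basic authentication is enabled; disable it unless something else needs it'
}
if ((Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
    throw 'AllowUnencrypted is true; set it back to false'
}

# 4. Firewall: the "Windows Remote Management (HTTP-In)" rules (one per profile set).
Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' | ForEach-Object {
    if ($_.Enabled -ne 'True') {
        Write-Warning "WinRM firewall rule disabled for profile $($_.Profile); enabling it"
        $_ | Enable-NetFirewallRule
    }
}

# 5. Rights: the Box's account must be in Administrators or Remote Management Users
#    (Get-LocalGroupMember needs Windows Server 2016 / PowerShell 5.1 or later).
$allowed = @('Administrators', 'Remote Management Users') | ForEach-Object {
    Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}
if ($allowed -notcontains $MonitoringAccount) {
    Write-Warning "$MonitoringAccount is in neither Administrators nor Remote Management Users"
}

# 6. Local WS-Management round trip with the current (domain) identity; on a
#    domain-joined server Default negotiates Kerberos.
Test-WSMan -ComputerName $env:COMPUTERNAME -Authentication Default
```

The script only warns about group membership and Basic authentication rather than changing them, because both are decisions for the domain administrator; everything else it checks is exactly what Enable-PSRemoting is supposed to have left in place.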
     

Step 2: Configure the Box to perform Kerberos authentication when connecting to the Windows server via WinRM

To connect to the target machine, the Box first requests a Kerberos ticket from an Active Directory domain controller (the KDC) and then uses that ticket to authenticate to the server to be monitored. For the ticket request to work, the krb5.conf configuration file on the Box must declare the realm and its KDC.

1. Run the command below to open the krb5.conf configuration file.

vim /etc/krb5.conf

2. Specify the information and replace the outlined values as indicated below. The file has three sections: [libdefaults], [realms] and [domain_realm].

  • Values outlined in red: the complete Active Directory domain name of the client, i.e. the Kerberos realm, in upper case (default_realm in [libdefaults], and the realm name in [realms] and [domain_realm]).
  • Values outlined in green: the DNS name of the Active Directory domain controller, in upper case (kdc and admin_server in [realms]).
  • Values outlined in blue: the same domain name in lower case, in [domain_realm]. Caution: the domain name must be preceded by a full stop (.) so that every host under the domain maps to the realm.
             krb5 file configuration.png

3. Save your modifications.
 

Step 3: Check that WinRM works correctly from the Box

Step 3.a: Submit a Kerberos ticket request to the Active Directory

1. Submit a Kerberos ticket request to the Active Directory via kinit.

  • Run the command below and replace <CLIENT.DOMAIN.EN> with the complete domain of the client as specified in the krb5.conf configuration file.

kinit <user>@<CLIENT.DOMAIN.EN>

  • Enter the user password.

A Kerberos ticket-granting ticket (TGT) for the user is now stored in the Box's credential cache.

2. Run the command below to check the validity of the Kerberos ticket.

klist

klist lists the credential cache: the principal, and for each ticket its start date, expiry date and service (krbtgt/<REALM> for the TGT).

3. Correct any errors that occur if the ticket request fails and run the kinit command again.

kinit: Preauthentication failed while getting initial credentials

  • Cause: Authentication problem (user or password) when acquiring the Kerberos ticket.
  • Solution: Check the login, domain and password used.
     

kinit: Cannot find KDC for realm "DOMAIN" while getting initial credentials

  • Cause: The realm name is wrong, or it is not declared in krb5.conf.
  • Solution:
    • Check the realm entered in the kinit command.
    • Check the realm specified in the krb5.conf configuration file:
      • complete domain of the client in upper case (value outlined in red: default_realm and the [realms] entry)
      • complete domain of the client in lower case, preceded by a full stop (value outlined in blue: [domain_realm] section)
         

kinit: Cannot contact any KDC for realm 'DOMAIN' while getting initial credentials

  • Cause: The domain controller named in krb5.conf cannot be resolved or reached.
  • Solution: Check the kdc and admin_server values in the [realms] section of the krb5.conf configuration file. They must be the DNS name of the Active Directory domain controller, in upper case (value outlined in green), and the Box must be able to resolve that name and reach it on port 88 (TCP and UDP).

 

Step 3.b: Check the connection on a Windows server via WinRM

1. On the Box, check the connection on a Windows server via WinRM.

  • Log in to the Box.
  • Run the command below, replacing <target_IP> with the IP address of the Windows server and <CLIENT.DOMAIN.EN> with the complete domain of the client as specified in the krb5.conf configuration file.

/usr/local/nagios/libexec/winrm_command.py -H '<target_IP>' -l '<CLIENT.DOMAIN.EN>/user' -x 'password' -c 'ipconfig' -t 'cmd' -a 'krb'

        Test WinRM connection command.png

  • If the connection works, the output of ipconfig on the target server is returned.
  • All service templates based on the WinRM protocol can then be used.

2. Correct any errors that occur if the connection to the target server is not working and run the test again.

Failed to establish a new connection: [Errno 111] Connection refused

  • Cause: The target host answered with a TCP reset: nothing is listening on TCP/5985 (WinRM stopped or no HTTP listener), or a device between the Box and the target rejects the connection.
  • Solution:
    • Enable WinRM on the target server (Step 1).
    • Check that TCP/5985 is open between the Box and the target server.
       

Connection to <IPaddress> timed out

  • Cause: Packets to TCP/5985 are dropped rather than refused. The Windows firewall drops blocked traffic silently, so this is the usual symptom when WinRM is running but its firewall rule is disabled; a wrong IP address gives the same symptom.
  • Solution: Check that the Windows Remote Management (HTTP-In) firewall rules are enabled on the server, and that no firewall on the path drops TCP/5985.
     

Server not found in Kerberos database

  • Cause: The Box connects by IP address, so the Kerberos library must reverse-resolve that address to build the service principal name (HTTP/<fqdn>) it requests from the KDC. If the PTR record is missing, or names a host the domain controller does not know, the KDC returns this error. The target machine must therefore have a matching A record and PTR record.
  • Solution: Run nslookup on the Box for the target's name and for its IP address.
    • Error: server can't find myServer: SERVFAIL: the Box's DNS server could not answer for the name; check the A record and the DNS servers configured on the Box.
    • Error: server can't find 5.15.168.192.in-addr.arpa: NXDOMAIN: there is no PTR record for the address (192.168.15.5 in this example).
       

Insufficient WinRM rights

  • Cause: On Windows Server 2012 and later, an account can open a WinRM session only if it is a member of the local Administrators group or of the Remote Management Users group on the target. Remote Management Users is the least-privilege choice: it allows WinRM sessions without granting administrator rights. Use a domain account, since Kerberos cannot authenticate a local account.
  • Solution: Add the account the Box uses to one of these groups on the target, directly or through a domain group.
  • Additional step for local accounts only: UAC filters the token of remote logons by local administrator accounts other than the built-in Administrator, so they are refused even when they belong to Administrators. Setting LocalAccountTokenFilterPolicy to 1 disables that filtering:
    • Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
    • Add a DWORD value named LocalAccountTokenFilterPolicy with the value 1.
    Caution: this makes every local administrator account usable for remote logon, which is precisely what lateral-movement tooling relies on. Leave it unset when the Box authenticates with a domain account via Kerberos, as this page recommends.

To find out more, see the relevant documentation on the Microsoft website.
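Steps 2 and 3 run on the Box as one preflight script, as an added example that is not EasyVista's code and not part of the page. It renders the krb5.conf of Step 2 from the three outlined values, maps each error message of Step 3 to the check the page prescribes, and, when WINRM_PREFLIGHT=1 is set, runs the live DNS (A and PTR), TCP/5985, kinit, klist and winrm_command.py checks in the order in which they can fail. The realm CLIENT.DOMAIN.EN, the domain controller DC01.CLIENT.DOMAIN.EN, the user svc-monitor and the target 192.168.15.5 are placeholders (assumptions), and only the page's own winrm_command.py flags are used.

```bash
#!/usr/bin/env bash
# Added example, not EasyVista's code: preflight for the Box -> Windows path of
# Steps 2 and 3. Realm, KDC, user and target IP are placeholders (assumptions).
set -u

# Step 2: render krb5.conf from the values the page outlines in red and green.
#   $1 realm (upper case, red)   $2 domain controller DNS name (upper case, green)
# The blue value is derived: the realm in lower case, with a leading full stop.
render_krb5_conf() {
  local realm="$1" kdc="$2" lower
  lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  cat <<EOF
[libdefaults]
    default_realm = ${realm}

[realms]
    ${realm} = {
        kdc = ${kdc}
        admin_server = ${kdc}
    }

[domain_realm]
    .${lower} = ${realm}
    ${lower} = ${realm}
EOF
}

# Step 3: map a kinit / winrm_command.py error line to the check the page prescribes.
diagnose() {
  case "$1" in
    *"Preauthentication failed"*)
      echo "credentials: check user, realm and password" ;;
    *"Cannot find KDC for realm"*)
      echo "realm: check the realm given to kinit and the red/blue values in krb5.conf" ;;
    *"Cannot contact any KDC"*)
      echo "kdc: check kdc/admin_server (green value) and that the DC answers on port 88" ;;
    *"Connection refused"*)
      echo "winrm: nothing listens on TCP/5985 (WinRM stopped or no HTTP listener) or the port is filtered" ;;
    *"timed out"*)
      echo "firewall: enable the Windows Remote Management (HTTP-In) rule on the target" ;;
    *"Server not found in Kerberos database"*)
      echo "dns: the target needs matching A and PTR records so the HTTP/<fqdn> SPN can be built" ;;
    *)
      echo "unknown: $1" ;;
  esac
}

# Live checks: need the network, the Kerberos tools and the page's winrm_command.py.
check_dns() {                  # $1 = target IP; prints the FQDN if PTR and A agree
  local ip="$1" fqdn fwd
  fqdn=$(getent hosts "$ip" | awk '{print $2}')
  [ -n "$fqdn" ] || { echo "no PTR record for $ip" >&2; return 1; }
  fwd=$(getent hosts "$fqdn" | awk '{print $1}')
  [ "$fwd" = "$ip" ] || { echo "A record for $fqdn is '$fwd', not $ip" >&2; return 1; }
  echo "$fqdn"
}
check_port() { timeout 5 bash -c "</dev/tcp/$1/5985" 2>/dev/null; }   # $1 = target IP

main() {
  local realm="CLIENT.DOMAIN.EN" kdc="DC01.CLIENT.DOMAIN.EN"     # placeholders
  local user="svc-monitor" target="192.168.15.5" out              # placeholders
  render_krb5_conf "$realm" "$kdc" > "${KRB5_CONF:-/etc/krb5.conf}"           # Step 2
  check_dns "$target" || exit 1                                    # A and PTR (Step 3.b)
  check_port "$target" || { diagnose "Connection refused"; exit 1; }
  out=$(kinit "${user}@${realm}" 2>&1) || { diagnose "$out"; exit 1; }      # Step 3.a, prompts for the password
  klist -s || { echo "no valid ticket in the credential cache" >&2; exit 1; }
  out=$(/usr/local/nagios/libexec/winrm_command.py -H "$target" -l "${realm}/${user}" \
        -x "${WINRM_PASSWORD:?set WINRM_PASSWORD}" -c 'ipconfig' -t 'cmd' -a 'krb' 2>&1) \
    || { diagnose "$out"; exit 1; }                                # Step 3.b
  printf '%s\n' "$out"
}

if [ "${WINRM_PREFLIGHT:-0}" = 1 ]; then
  main "$@"
fi
```

The DNS and port checks run before kinit on purpose: a missing PTR record or a dropped TCP/5985 only surfaces after a ticket has been obtained, so testing them first saves a password prompt for each retry. Point KRB5_CONF at a scratch file to review the rendered configuration before overwriting /etc/krb5.conf.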

Powered by XWiki © EasyVista 2022