WinRM doesn't work from one host?

I’m trying to do some powershell remoting and having issues from one host.

I have winRM configured via GPO with trustedhosts *

The client settings at WSMAN:\localhost\Client are identical between the machines that work and the machine that does not. (5000, wsman, false, null, null, *)

From all of the servers except 1 I am able to use powershell remote commands against any other host (I’ve been using Enter-PSSession to test)

I have SSL/CredSSP authentication turned on and I have tried it with CredSSP and explicit credentials, and with passthrough non-credssp auth.

I have one SCVMM server that will not connect to anything else. It is in the same VLAN and subnet as the rest of the servers, no firewalls between. Windows firewall is turned off.

I can access the SCVMM server via winRM from any other computer, but from the SCVMM server I get the following error when I try to connect to any other computer:

Enter-PSSession : Connecting to remote server hypv3 failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession hypv3
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (hypv3:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Running winrm qc results in:

WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

This is server 2012 and I’m not really sure what to do next. Anyone have any tips?

If you are using a custom port on your WinRM listener do not forget to specify -port with Enter-PSSession

Try also with specifying -Authentication Negotiate | Credssp | Kerberos (one of these 3) with Enter-PSSession

Check if your SCVMM server is in the OU where the GPO of the WinRM client is configured well.

P.S.: Do not use trustedhosts *; this is also not needed in a domain environment.

P.P.S.: In a domain environment you can force Kerberos with GPO which encrypts the traffic. So the SSL option is not really needed and this makes it all easier.

I added the CredSSP/Trustedhosts entries when I was trying to get CredSSP working to resolve second hop issues with certain commands. If some of these are unnecessary/redundant I can review those settings, but they are not impacting any other servers' connectivity.

All of the current settings are identical across the servers and I verified that GPO is being applied and client settings are identical in WSMAN:.

I have tried declaring the -authentication as credssp, kerberos and negotiate and receive the same error immediately from the scvmm server. From any other server all three work without issue.

Can you connect to the localhost on the scvmm server? (set up the winrm server on scvmm by running enable-psremoting)

Great test!

That failed also on the scvmm server. I think the client is truly fubar.

I can connect to the scvmm server from any other server, but it cannot connect to anything including localhost. I ran the enable-psremoting command (though it was already enabled) to see if it would shake anything loose but I still have the same errors after the fact.

I would compare the WinRM client registry settings with the other boxes:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\

Adjust if needed and restart WinRM service(!)
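
One way to run this comparison from a host whose WinRM client still works, as an added example that is not part of the original thread. The host names are placeholders, and it assumes the SCVMM server still accepts inbound remoting, as the thread reports:

```powershell
# Added example (not from the thread). Run from a server whose WinRM client works;
# the thread reports that the SCVMM server still accepts inbound remoting.
$reference  = 'WORKING-HOST'   # placeholder: a server that can remote out
$suspect    = 'SCVMM-HOST'     # placeholder: the server whose client fails
$policyPath = 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client'

# Runs on each target: return every value under the policy key as name -> string.
$readPolicy = {
    param($Path)
    $values = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) {
            $values[$name] = [string]$key.GetValue($name)
        }
    }
    $values
}

$ref = Invoke-Command -ComputerName $reference -ScriptBlock $readPolicy -ArgumentList $policyPath
$sus = Invoke-Command -ComputerName $suspect   -ScriptBlock $readPolicy -ArgumentList $policyPath

# Union of value names, so a value missing on one side shows up as a difference.
$names = @($ref.Keys) + @($sus.Keys) | Sort-Object -Unique

$report = foreach ($n in $names) {
    $r = if ($ref.ContainsKey($n)) { $ref[$n] } else { '<missing>' }
    $s = if ($sus.ContainsKey($n)) { $sus[$n] } else { '<missing>' }
    [pscustomobject]@{
        Value     = $n
        Reference = $r
        Suspect   = $s
        Match     = ($r -eq $s)
    }
}
$report | Format-Table -AutoSize

# Flag the wildcard TrustedHosts setting that the thread advises against.
$report | Where-Object { $_.Value -eq 'TrustedHostsList' -and $_.Suspect -eq '*' } |
    ForEach-Object { Write-Warning "TrustedHostsList is '*' on $suspect" }
```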

The registry keys match.

AllowCredSSP 1
TrustedHosts 1
TrustedHostsList *

Are the other boxes 2012 server as well? Do they have the exact same GPOs applied? (Maybe it has something to do with Kerberos enforcement.)
Try to reinstall PowerShell by turning the feature off and on?

They are all server 2012, and the only difference for GPO is WSUS reboot policy (I double checked the policy settings to make sure nothing else is configured).

I will try reinstalling powershell now.

Sorry, I’m not sure how one would fully reinstall powershell on Server 2012. The windows features for powershell that are installed are all grayed out to remove and the OS ships with it natively. Is there a command I’m missing?