gbuser
Contributor

WinRM unencrypted via HTTP

Hi,

I have a problem regarding WinRM and VMware Orchestrator 5.5 and hope someone can help me.

When I add a PowerShell host using WinRM, HTTP, I receive an error:

w:MaxEnvelopeSize xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">153600</w:MaxEnvelopeSize>
    <a:MessageID xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">uuid:C3F974DC-F8C4-4AB5-A98F-3B3A29B25F08</a:MessageID>
    <w:Locale xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>
    <p:DataLocale xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>
    <w:OperationTimeout xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">PT180.000S</w:OperationTimeout>
    <a:Action xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>
    <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
    <w:OptionSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
      <w:Option Name="WINRS_NOPROFILE">FALSE</w:Option>
      <w:Option Name="WINRS_CODEPAGE">437</w:Option>
    </w:OptionSet>
  </env:Header>
  <env:Body>
    <rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell">
      <rsp:InputStreams>stdin</rsp:InputStreams>
      <rsp:OutputStreams>stdout stderr</rsp:OutputStreams>
    </rsp:Shell>
  </env:Body>
</env:Envelope>
, document out [EMPTY], (Dynamic Script Module name : addPowerShellHost#16)

However, I found out that it works if I set WinRM to "AllowUnencrypted" on the client.

Interestingly, encrypted WinRM works if I just connect remotely via PowerShell, so this seems to be a setting or limitation on the Orchestrator.

Is this not possible by design, or am I missing a specific setting?

0 Kudos
4 Replies
Madmax01
Expert

Hello there,

I haven't used Orchestrator so far.

But maybe this helps:

VMware vCenter Orchestrator Plug-In Documentation Center

Best regards

Max

0 Kudos
gbuser
Contributor

Thank you for the hint. I already tested HTTPS, and this is working as the encryption is then put to another level.

However, there is a significant impact on simplicity, as certificates must be auto-enrolled and they cannot be automatically extended because the certificate is "hardcoded" to the WinRM setting (this is the actual pain).

Therefore I hoped to find a solution that would allow encryption on the WinRM application layer rather than on the protocol.

0 Kudos
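
The pain point in the post above is that a WinRM HTTPS listener stores the thumbprint of one specific certificate, so a renewed auto-enrolled certificate is not used until the listener is pointed at it. The following is an added example, not code from this thread or from VMware, that rebinds the listener to the newest valid certificate; it assumes a single HTTPS listener on Address=* and a certificate whose subject CN is the host's FQDN.

```powershell
# Added example, not from the thread. Run elevated on the WinRM host, for instance
# from a scheduled task after auto-enrollment has renewed the machine certificate.
# Assumptions: one HTTPS listener on Address=*, certificate subject CN = host FQDN.
$ErrorActionPreference = 'Stop'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

# Newest currently valid machine certificate for this host that has a private
# key and carries the Server Authentication EKU.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.Subject -match ('CN=' + [regex]::Escape($fqdn) + '(,|$)') -and
        ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $serverAuthOid })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No valid Server Authentication certificate found for $fqdn" }

$selector = @{ Address = '*'; Transport = 'HTTPS' }
$listener = Get-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector

# Compare the stored thumbprint with the selected certificate and rebind only
# when they differ, so repeated runs are harmless.
$current = $listener.CertificateThumbprint -replace '\s', ''
if ($current -ne $cert.Thumbprint) {
    Set-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector `
        -ValueSet @{ CertificateThumbprint = $cert.Thumbprint } | Out-Null
    Write-Output "Listener rebound: $current -> $($cert.Thumbprint) (expires $($cert.NotAfter))"
} else {
    Write-Output "Listener already uses $current (expires $($cert.NotAfter))"
}

# Report whether the plaintext setting discussed in this thread is enabled.
foreach ($side in 'Service', 'Client') {
    $value = (Get-Item "WSMan:\localhost\$side\AllowUnencrypted").Value
    Write-Output "$side AllowUnencrypted = $value"
}
```
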
jarushepic
Enthusiast

I had to enable unencrypted on my Windows hosts since it is disabled by default.  You can check with:

winrm get winrm/config/service

winrm get winrm/config/client

REM enable unencrypted

winrm set winrm/config/service @{AllowUnencrypted="True"}

winrm set winrm/config/client @{AllowUnencrypted="True"}

That's from a Windows Admin cmd prompt.  If you use PowerShell, you'll need to escape a bunch - `@`{AllowUnencrypted=`"True`"`}

Typed that from memory, so syntax may be slightly off; should be able to find via google if I remembered wrong.

0 Kudos
igaydajiev
VMware Employee

Setting WinRM "AllowUnencrypted" to true is a requirement of the third-party library used by the PowerShell plugin. As far as I remember, this requirement is documented in the PowerShell plugin documentation.


AllowUnencrypted=false is not supported.

0 Kudos