Re: WinRM unencrypted via HTTP

gbuser · ‎09-02-2015

Hi,

I got a problem regarding WinRM and VMWare Orchestrator 5.5. and hope someone can help me.

When I add a powershell host using WinRM, HTTP I receive an error:

w:MaxEnvelopeSize xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">153600</w:MaxEnvelopeSize>

<a:MessageID xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">uuid:C3F974DC-F8C4-4AB5-A98F-3B3A29B25F08</a:MessageID>

<w:Locale xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>

<p:DataLocale xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>

<w:OperationTimeout xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">PT180.000S</w:OperationTimeout>

<a:Action xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>

<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>

<w:OptionSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">

<w:Option Name="WINRS_NOPROFILE">FALSE</w:Option>

<w:Option Name="WINRS_CODEPAGE">437</w:Option>

</w:OptionSet>

</env:Header>

<env:Body>

<rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell">

<rsp:InputStreams>stdin</rsp:InputStreams>

<rsp:OutputStreams>stdout stderr</rsp:OutputStreams>

</rsp:Shell>

</env:Body>

</env:Envelope>

, document out [EMPTY], (Dynamic Script Module name : addPowerShellHost#16)

However I found out that it is working if I set the WinRm to "AllowUnencrypted" on the client.

Interestingly WinRM encrypted is working if I just remotely connect via powershell, therefore this seems to be a setting or limitation on the Orchestrator.

Is it by design not possible or do I miss a specific setting?

Madmax01 · ‎09-02-2015

Hello theire,

i didn't used Orchestrator so far.

But maybe that Helps:

VMware vCenter Orchestrator Plug-In Documentation Center

Best regards

Max

gbuser · ‎09-04-2015

Thank you for the hint. I already tested HTTPS and this is working as the encryption is then put to another level.

However there is a significant impact on simplicity as certificates must be auto-enrolled and they can not be automatically be extended because the certificate is "hardcoded" to the WinRM setting (this is the actual pain).

Therefore I hoped to find a solution that will allow encryption on WinRM application layer rather than on the protocol.

jarushepic · ‎09-07-2015

I had to enable unencrypted on my Windows hosts since it is disabled by default. You can check with:

winrm get winrm/config/service
winrm get winrm/config/client

REM enable unencrypted
winrm set winrm/config/service @{AllowUnencrypted="True"}
winrm set winrm/config/client @{AllowUnencrypted="True"}

Thats from a Windows Admin cmd prompt. If you use powershell, you'll need to escape a bunch - `@`{AllowUnencrypted=`"True`"`}

Typed that from memory, so syntax may be slightly off; should be able to find via google if I remembered wrong.

igaydajiev · ‎09-08-2015

WinRm to "AllowUnencrypted" set to true is requirement of the third party library used by PowerShell plugin. As far as I remember this requirement is documented in PowerShell plugin documentation

AllowUnencrypted=false is not supported.