Issues with WinRM on an Entra-joined Device

Asked By TechieBastion99 On

I'm having trouble using WinRM (HTTPS) from a domain-joined machine to connect to an Entra-joined device, which is appearing as a workgroup machine. Here's my setup:

- The source machine is domain-joined.
- The target machine is Entra-joined, not registered in Active Directory.
- I've made sure that HTTPS (port 5986) is open and a certificate is deployed on the remote device.
- The WinRM listener is set up for HTTPS.

Despite this, WinRM isn't working. When I run the command `Test-WSMan -ComputerName "xxx" -UseSSL -ErrorAction Stop`, I get an error message stating that the WinRM client cannot complete the operation and to check that the computer name is valid and accessible over the network.

Some important observations are:
- It works fine with domain-joined machines that use Kerberos.
- The Entra device is not registered in our DNS (which seems expected).
- I'm unable to resolve the name without using its IP address.

I have a few questions:
1. Are there limitations when connecting from a domain device to an Entra-joined device using WinRM?
2. What is the best authentication method for this scenario (should I use NTLM, Basic over HTTPS, or certificates)?
3. Is DNS registration necessary, or can I depend on IP/hosts file for name resolution?
4. Are there any specific WinRM configurations needed for devices that are only connected through Entra?

I think I'm missing something fundamental regarding how WinRM authentication works outside of a traditional AD/Kerberos context. Any help would be appreciated!

3 Answers

Answered By SysAdminStar On

You definitely won't have DNS resolution since the Entra device isn't registered in your network—so using IP is the way to go. As for the authentication type, NTLM is commonly used in these cases, but it really depends on your security needs. Also, don't forget to ensure that the required ports for WinRM are open, as it does use several for different functionalities.

QuickFix01 -

Yeah, and make sure to check that the firewall settings on both ends are allowing traffic through those ports.

Answered By CloudPilot92 On

If you're running into issues consistently, double-check your WinRM configurations. Sometimes with Entra, there are more hoops to jump through than with AD-joined setups. Also, setting the trusted_hosts can help if you're working with non-DNS registered devices, but it could be a pain with a large fleet of devices.
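The checks the question asks about (name resolution, port 5986, the listener certificate, authentication to a non-domain host, and the TrustedHosts point raised in this answer) can be run from the domain-joined source machine in one PowerShell script. This is an added example, not code from the original thread; the IP address, certificate name and local account are placeholders you replace with your own.

```powershell
# Added example (not from the original thread). Run from the domain-joined source
# machine. All three values below are placeholders for your environment.
$TargetIp = '10.0.0.25'               # placeholder: Entra-joined device's IP
$CertName = 'device01.example.com'    # placeholder: subject/SAN on its HTTPS listener cert
$Port     = 5986

# 1. Name resolution. An Entra-joined device does not register in AD DNS, so this is
#    expected to fail; the IP (or a hosts-file entry) is used instead.
try {
    Resolve-DnsName -Name $CertName -ErrorAction Stop | Out-Null
    Write-Host "DNS resolves $CertName"
} catch {
    Write-Warning "No DNS record for $CertName; using IP $TargetIp"
}

# 2. Reachability of the HTTPS listener port. A failure here is a firewall/network
#    problem, not a WinRM configuration problem.
$tnc = Test-NetConnection -ComputerName $TargetIp -Port $Port
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP $Port to $TargetIp is blocked; check firewalls on both ends first."
}

# 3. Inspect the certificate the listener presents. The callback accepts any cert
#    ONLY for this inspection; the WinRM session below validates it normally.
$tcp = [System.Net.Sockets.TcpClient]::new($TargetIp, $Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($CertName)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
"Subject: {0}`nThumbprint: {1}`nExpires: {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
if (-not $cert.Verify()) {
    Write-Warning "Chain does not verify on this client: import the issuing CA into the" +
                  " trusted store rather than using -SkipCACheck."
}

# 4. TrustedHosts. With HTTPS and a validated certificate, WinRM does not require the
#    target in TrustedHosts; it is required only for NTLM over plain HTTP. If you must
#    add an entry, add the exact address, never '*'.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Write-Host "Current TrustedHosts: '$trusted'"

# 5. Connecting by IP fails the certificate CN check. Instead of -SkipCNCheck (which
#    removes server authentication), map the cert's name to the IP in the hosts file
#    and connect by that name so the certificate is fully validated. Needs elevation.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern "\b$([regex]::Escape($CertName))\b" -Quiet)) {
    Add-Content -Path $hostsFile -Value "$TargetIp`t$CertName"
}

# 6. Authenticate with a local account on the Entra-joined device (placeholder name).
#    Negotiate will fall back to NTLM because there is no Kerberos trust with the target.
$cred = Get-Credential -UserName ".\localadmin" -Message 'Local admin on the Entra device'
Test-WSMan -ComputerName $CertName -UseSSL -Port $Port `
           -Authentication Negotiate -Credential $cred -ErrorAction Stop

$session = New-PSSession -ComputerName $CertName -UseSSL -Port $Port `
                         -Authentication Negotiate -Credential $cred
Invoke-Command -Session $session -ScriptBlock { hostname; whoami }
Remove-PSSession $session
```

The order matters for diagnosis: steps 1 and 2 separate network problems from WinRM problems, step 3 shows whether the certificate you deployed is the one the listener actually serves and whether your client trusts its chain, and step 5 keeps full certificate validation while still working without DNS registration.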

Answered By DevGuru88 On

It sounds like you're running into issues with how WinRM handles devices outside of a domain. One thing to consider is that WinRM may require specific configurations when dealing with Entra-joined devices. It might be worth checking if trust relationships can be established or if you need to use NTLM for authentication. Have you tried accessing the Entra device using its IP address directly in your commands?

NetNinja21 -

I agree with checking the IP first. And yes, using NTLM is usually a good fallback for these situations!
