Troubleshooting WinRM Issues Between Domain and Entra Devices

Asked By TechWizard98 On

Hey everyone! I'm trying to set up WinRM (HTTPS) to connect from my domain-joined machine to an Entra-joined device, but it's not working as expected. Here's my setup:

- The source machine is domain-joined.
- The target machine is Entra-joined and isn't part of Active Directory.
- I've opened port 5986 for HTTPS.
- A certificate is already installed on the remote device.
- I've configured a WinRM listener for HTTPS.

When I run the command `Test-WSMan -ComputerName "xxx" -UseSSL -ErrorAction Stop`, I get an error saying the WinRM client can't complete the operation. It prompts me to check if the computer name is valid, and if it's accessible over the network, along with firewall exceptions.

A few things I've noticed:
- This setup works fine with other domain-joined machines using Kerberos.
- The Entra device isn't registered in our DNS, which seems normal for this setup.
- Name resolution fails unless I use the IP address directly.

I have a few questions:
1. Are there any limitations when trying to use WinRM from a domain device to an Entra-joined device?
2. What's the best authentication method to use here? Should I go with NTLM, Basic over HTTPS, or something else?
3. Is it mandatory for the Entra device to be registered in DNS, or can I just rely on the IP address or hosts file?
4. Are there any specific configurations I should make for WinRM when dealing with Entra-only devices?

I feel like there might be some fundamental aspect of WinRM authentication beyond AD/Kerberos that I'm missing. Any help would be appreciated! Thanks!

3 Answers

Answered By NetworkNinja77 On

It sounds like you've got most of the setup right! One thing to check is whether the target Entra device has the IP address added to the trusted hosts in WinRM. You might need to run `Set-Item WSMan:\localhost\Client\TrustedHosts -Value "<target IP address>"` on your domain-joined machine. But I get it, you have a lot of devices and managing trusted hosts can be a pain! If you can, it might help to use Group Policy for that instead.

HelpfulTechie32 -

Setting up over 3000 devices would be a nightmare just for this! Maybe look into using WinRM with generated certificates instead; it might streamline your process.
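
The steps suggested in this answer, assembled into one script as an added example (this is not code posted in the thread): it adds only the single target to TrustedHosts, confirms TCP 5986 answers, then tests WinRM over HTTPS with explicit local credentials. The target address 203.0.113.10 and the local administrator account are constructed assumptions; run it from an elevated PowerShell on the domain-joined client.

```powershell
# Added example, not from the thread. 203.0.113.10 is a constructed placeholder
# for the Entra-joined target; the credential is a local admin on that device.
$Target = "203.0.113.10"
$Cred   = Get-Credential -Message "Local admin account on the Entra-joined device"

# 1. TrustedHosts: add exactly this host, never '*'. A wildcard lets the client
#    hand NTLM credentials to any machine that answers on the name you typed.
#    (Requires elevation; -Concatenate keeps existing entries, -Force skips the prompt.)
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($current -split ',') -notcontains $Target) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
}

# 2. Reachability: rule out firewall/listener problems before blaming authentication.
if (-not (Test-NetConnection -ComputerName $Target -Port 5986).TcpTestSucceeded) {
    throw "TCP 5986 to $Target is closed or filtered; fix the firewall or HTTPS listener first."
}

# 3. WinRM over HTTPS with explicit credentials. Without AD there is no Kerberos,
#    so Negotiate settles on NTLM; the HTTPS channel protects the exchange.
Test-WSMan -ComputerName $Target -UseSSL -Authentication Negotiate -Credential $Cred -ErrorAction Stop

# 4. Open a session. Connecting by IP fails the certificate CN check unless the
#    listener certificate lists the IP as a SAN. SkipCNCheck only relaxes the name
#    match; the certificate chain must still be trusted by this client.
$opt = New-PSSessionOption -SkipCNCheck
Invoke-Command -ComputerName $Target -UseSSL -Credential $Cred -SessionOption $opt -ScriptBlock {
    hostname
    winrm enumerate winrm/config/listener   # confirm the HTTPS listener on the target
}
```

If step 3 succeeds but step 4 fails on the certificate, the fix is on the target side (a certificate whose SAN covers the name or IP you connect with), not in TrustedHosts.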

Answered By FirewallsAreFun On

Don’t forget that WinRM uses multiple ports, so make sure your firewall isn’t blocking the necessary ones. Port 5986 and possibly others between 1024-65535 might need to be opened for your scenario. That could cause connectivity issues if they’re being filtered.

Answered By ScriptingPro On

You definitely don’t need the dollar sign in the device name for `Test-WSMan`. It should just be the host name or IP. But yeah, it is strange that you can't resolve the name unless it's by IP. Maybe try adding it to your DNS if it's feasible? That could simplify things a lot.

NetworkNinja77 -

Right! But for now, sticking with IP addresses or modifying the hosts file could be your best bet.
