I'm having trouble using WinRM (HTTPS) to connect from a domain-joined machine to an Entra-joined device, which appears to be in a workgroup.

Here's my setup: the source machine is domain-joined, and the target machine is Entra-joined (not part of Active Directory). The HTTPS port (5986) is open, and I've deployed a certificate on the remote device. I've also configured the WinRM listener for HTTPS, but I still can't get it to work.

When I try to run `Test-WSMan -ComputerName "xxx" -UseSSL -ErrorAction Stop`, I receive an error saying that the WinRM client cannot complete the operation and to check if the computer name is valid and accessible over the network.

It's important to note that this connection works fine with other domain-joined machines using Kerberos, and the Entra device isn't registered in our DNS, which I expected. Name resolution fails if I don't use the IP directly.

So, I have a few questions:

1) Are there limitations when using WinRM from a domain device to an Entra-joined one?
2) What's the best authentication method in this case (NTLM, Basic over HTTPS, or Certificate)?
3) Do I need DNS registration, or can I depend on IP/hosts file?
4) Are there specific WinRM configurations necessary for devices that are only joined to Entra?

I feel like I might be missing some key details about how WinRM authentication works outside of Active Directory or Kerberos. Any insights would be appreciated!
1 Answer
You're on the right track thinking about the device name. When using commands like `Test-WSMan`, sometimes you need to append a `$` to the device name, but I'm not entirely sure if that applies in your case. It could be worth testing just to see if it helps.

Where do you think that `$` would go in the command?
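
A client-side check sequence for the setup described in the question, as an added example that is not part of the original thread. It separates name resolution, TCP reachability, the listener certificate and authentication so the failing layer is visible; `entra-pc01`, `192.0.2.10` and the credential are constructed placeholders.

```powershell
# Added example. Constructed placeholders, not values from the thread:
$TargetName = 'entra-pc01'   # assumption: a name present in the listener certificate
$TargetIp   = '192.0.2.10'   # assumption: documentation-range address
$Port       = 5986

# 1. Name resolution (system resolver, so a hosts-file entry counts).
#    A name that does not resolve fails before TLS or authentication is tried.
try   { $addrs = [System.Net.Dns]::GetHostAddresses($TargetName) }
catch { $addrs = @(); Write-Warning "$TargetName does not resolve from this client." }

# 2. TCP reachability of the HTTPS listener, by IP to take DNS out of the picture.
$tcpOk = (Test-NetConnection -ComputerName $TargetIp -Port $Port).TcpTestSucceeded

# 3. Read the certificate the listener presents. The callback accepts any
#    certificate because this step only inspects it; nothing is sent over it.
if ($tcpOk) {
    $client = [System.Net.Sockets.TcpClient]::new($TargetIp, $Port)
    try {
        $inspectOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl  = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $inspectOnly)
        $ssl.AuthenticateAsClient($TargetName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            DnsName      = $cert.GetNameInfo('DnsName', $false)
            NotAfter     = $cert.NotAfter
            ChainTrusted = $cert.Verify()   # false if this client does not trust the issuer
        }
    } finally { $client.Dispose() }
}

if ($addrs -and $tcpOk) {
    # 4. WS-Man identify over HTTPS with no authentication. Success means name,
    #    TLS and listener are fine; what remains is authentication.
    Test-WSMan -ComputerName $TargetName -UseSSL

    # 5. The same request with explicit credentials. A target outside the domain
    #    has no domain Kerberos identity, so Negotiate falls back to NTLM.
    $cred = Get-Credential   # assumption: an account valid on the target
    Test-WSMan -ComputerName $TargetName -UseSSL -Authentication Negotiate -Credential $cred
}
```

The name passed to `-ComputerName` is checked against the certificate, so a hosts-file entry that matches the certificate name keeps validation intact where connecting by bare IP would not.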