How to Use WinRM Between Domain-Joined and Entra-Joined Devices?

Asked By TechieGuru42 On

Hey everyone! I'm trying to set up WinRM (HTTPS) to connect from a domain-joined machine to an Entra-joined device, which behaves kind of like a workgroup machine. Here's what I have so far:

- The source machine is domain-joined.
- The target machine is Entra-joined and not in Active Directory.
- Port 5986 (HTTPS) is open on the target device.
- I've deployed a certificate on the remote device.
- I've set up the WinRM listener for HTTPS.

Despite this setup, I'm hitting a snag. When I run the command "Test-WSMan -ComputerName 'xxx' -UseSSL -ErrorAction Stop", I get an error saying the WinRM client can't complete the operation. It suggests checking that the computer name is valid, it's accessible over the network, and that there is a firewall exception for the WinRM service.

Some relevant points:
- Everything works perfectly with domain-joined machines using Kerberos.
- The Entra device isn't registered in our DNS, which is expected.
- I can't resolve the name unless I use the IP address directly.

I have a few questions:
1. Are there limitations with using WinRM from a domain machine to an Entra device?
2. What's the best authentication method for this setup? Should I go with NTLM, Basic over HTTPS, or a certificate?
3. Is DNS registration necessary, or can I just use the IP and hosts file?
4. Are there special WinRM configurations needed for Entra-only devices?

I just feel like I'm missing something basic in understanding WinRM authentication beyond AD and Kerberos. Any insights would be greatly appreciated! Thanks!

3 Answers

Answered By HelpfulAdmin On

You could be hitting a firewall issue—WinRM uses a range of ports, not just 5986. You'll want to ensure that other necessary ports are open. For monitoring tools, they might need a wider range like 135 and 445, plus any ports in the 1024-65535 range over TCP! Check your firewall rules!

Answered By NerdyNetworker On

You might want to check if you're specifying the correct device name format. Sometimes, appending a '$' at the end of the device name can help when connecting, especially in certain setups. It's worth a shot!

SystemSavant88 -

Where do you suggest adding that, though? In the Test-WSMan command?

Answered By CleverCoder69 On

It could be that your WinRM settings are not optimized for an Entra-only setup. If the devices aren't in AD, you might also need to consider introducing NTLM instead of Kerberos, since they're not in the same domain context.
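Putting the setup described in the question and CleverCoder69's NTLM point into one runnable check, as an added example that is not part of any post in this thread. It assumes an Entra-joined target with a working HTTPS listener on TCP 5986, reachable only by IP (placeholder 10.0.0.25), a listener certificate issued to the placeholder hostname ENTRA-PC01, and a local administrator account on that device (ENTRA-PC01\localadmin); all four are assumptions, substitute your own. It first separates the network failure that the original Test-WSMan error message describes from an authentication failure, then connects over HTTPS with Negotiate (which falls back to NTLM, since no Kerberos ticket can be obtained for a host outside AD), once by IP with the certificate name check skipped and once by the certificate's own name through a hosts-file entry.

```powershell
# Added example, not code from the original post. Placeholders (assumptions):
#   10.0.0.25        IP of the Entra-joined target (no DNS record exists)
#   ENTRA-PC01       hostname the listener certificate was issued to (CN/SAN)
#   ENTRA-PC01\localadmin   local administrator account on the target
$TargetIp   = '10.0.0.25'
$TargetName = 'ENTRA-PC01'
$Port       = 5986

# 1. Rule out the network layer first. The generic "WinRM client cannot complete
#    the operation / check computer name, network access and firewall" error is
#    what Test-WSMan returns whenever the TCP connection itself fails, before
#    any authentication is attempted.
$tcp = Test-NetConnection -ComputerName $TargetIp -Port $Port
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP $Port to $TargetIp is not reachable; fix routing or the firewall before looking at WinRM auth."
}

# 2. Explicit credentials for an account that exists on the target. Kerberos is
#    unavailable (the device is not in AD), so Negotiate falls back to NTLM,
#    which needs explicit credentials; the domain part is the target's own name.
$cred = Get-Credential -UserName "$TargetName\localadmin" -Message 'Local admin on the Entra-joined device'

# 3a. Connect by IP. The certificate was issued to a hostname, not the IP, so
#     the CN check must be skipped. Add -SkipCACheck only if the issuing CA is
#     not trusted on this client; that weakens server authentication, so prefer
#     installing the CA certificate instead. (Test-WSMan has no -SessionOption,
#     so it cannot skip the CN check; use New-PSSession for the IP path.)
$opt = New-PSSessionOption -SkipCNCheck
$session = New-PSSession -ComputerName $TargetIp -Port $Port -UseSSL `
    -Authentication Negotiate -Credential $cred -SessionOption $opt -ErrorAction Stop

Invoke-Command -Session $session -ScriptBlock {
    # Report how the target authenticated us and which auth methods its service allows.
    $auth = Get-ChildItem WSMan:\localhost\Service\Auth |
        ForEach-Object { "$($_.Name)=$($_.Value)" }
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        WhoAmI       = (whoami)
        ServiceAuth  = ($auth -join ',')
    }
}
Remove-PSSession $session

# 3b. Alternative: map the certificate's name to the IP in the local hosts file,
#     then connect by name with full certificate validation (no -SkipCNCheck).
#     Requires an elevated prompt to write the hosts file.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = "^\s*$([regex]::Escape($TargetIp))\s+$TargetName\b"
if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsPath -Value "$TargetIp`t$TargetName"
}
Test-WSMan -ComputerName $TargetName -Port $Port -UseSSL `
    -Authentication Negotiate -Credential $cred -ErrorAction Stop
```

Of the two paths, 3b is the one to keep: connecting by the certificate's name keeps the server-identity check that HTTPS is there to provide, whereas -SkipCNCheck (and especially -SkipCACheck) reduces the listener certificate to encryption without authentication, which is exactly the property NTLM cannot supply on its own.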
