Hey everyone! I'm trying to set up WinRM (HTTPS) to connect from a domain-joined machine to an Entra-joined device, which behaves kind of like a workgroup machine. Here's what I have so far:
- The source machine is domain-joined.
- The target machine is Entra-joined and not in Active Directory.
- Port 5986 (HTTPS) is open on the target device.
- I've deployed a certificate on the remote device.
- I've set up the WinRM listener for HTTPS.
Despite this setup, I'm hitting a snag. When I run the command "Test-WSMan -ComputerName 'xxx' -UseSSL -ErrorAction Stop", I get an error saying the WinRM client can't complete the operation. It suggests checking that the computer name is valid, it's accessible over the network, and that there is a firewall exception for the WinRM service.
Some relevant points:
- Everything works perfectly with domain-joined machines using Kerberos.
- The Entra device isn't registered in our DNS, which is expected.
- I can't resolve the name unless I use the IP address directly.
I have a few questions:
1. Are there limitations with using WinRM from a domain machine to an Entra device?
2. What's the best authentication method for this setup? Should I go with NTLM, Basic over HTTPS, or a certificate?
3. Is DNS registration necessary, or can I just use the IP and hosts file?
4. Are there special WinRM configurations needed for Entra-only devices?
I just feel like I'm missing something basic in understanding WinRM authentication beyond AD and Kerberos. Any insights would be greatly appreciated! Thanks!
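A diagnostic walk-through of the path described in the question, added here as an example and not taken from the original post or from any reply: it separates "listener unreachable" from "certificate name mismatch" from "authentication failed", which Test-WSMan otherwise reports with one generic message. The target address 203.0.113.10 is a placeholder; it assumes an HTTPS listener on 5986 and a local account on the Entra-joined device for NTLM.

```powershell
# Added example: check a WinRM-over-HTTPS path from a domain-joined client to an
# Entra-joined target that has no DNS record and is reached by IP address only.
$Target = '203.0.113.10'   # placeholder address for the Entra-joined device
$Port   = 5986

# 1. Network reachability. If this fails the problem is routing or the firewall,
#    not WinRM authentication, so there is no point tuning auth settings yet.
$tcp = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP $Port is closed or filtered on $Target" }

# 2. Read the certificate the listener presents. The name in the certificate must
#    match what you pass to -ComputerName: connecting by IP only works if that IP is
#    in the Subject Alternative Name, otherwise the client rejects the certificate.
#    The accept-all callback here is used only to read the cert for inspection; it
#    is not how the real connection in step 3 is made.
$client = [System.Net.Sockets.TcpClient]::new($Target, $Port)
$ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($Target)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"Names   : $($cert.DnsNameList.Unicode -join ', ')"
$ssl.Dispose(); $client.Dispose()

# 3. Kerberos is impossible here because the target is not in AD, so authenticate
#    with NTLM (Negotiate falls back to it) against a local account on the target.
#    Because -UseSSL authenticates the server with its certificate, the client does
#    not need a TrustedHosts entry for this host.
$cred = Get-Credential -Message 'Local administrator account on the Entra-joined device'
Test-WSMan -ComputerName $Target -Port $Port -UseSSL -Credential $cred `
           -Authentication Negotiate -ErrorAction Stop
```

If step 2 shows a certificate issued to a hostname rather than the IP, either add a hosts-file entry for that hostname and connect with it, or reissue the certificate with the IP in its SAN.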
3 Answers
You could be hitting a firewall issue—WinRM uses a range of ports, not just 5986. You'll want to ensure that other necessary ports are open. For monitoring tools, they might need a wider range like 135 and 445, plus any ports in the 1024-65535 range over TCP! Check your firewall rules!
You might want to check if you're specifying the correct device name format. Sometimes, appending a '$' at the end of the device name can help when connecting, especially in certain setups. It's worth a shot!
It could be that your WinRM settings are not optimized for an Entra-only setup. If the devices aren't in AD, you might also need to consider introducing NTLM instead of Kerberos, since they're not in the same domain context.

Where do you suggest adding that, though? In the Test-WSMan command?