I'm attempting to connect from a domain-joined machine to an Entra-joined device using WinRM over HTTPS. My setup includes a source machine that's domain-joined and a target device that's Entra-joined, meaning it's not part of Active Directory. I've ensured that HTTPS through port 5986 is open, I've deployed a necessary certificate on the Entra device, and the WinRM listener is configured accordingly.

Despite all these configurations, I'm running into issues when executing 'Test-WSMan -ComputerName "xxx" -UseSSL -ErrorAction Stop', which returns an error stating that the WinRM client can't complete the operation. It suggests verifying the computer name and checking for network accessibility and firewall exceptions. I've noticed this works seamlessly with domain-joined machines utilizing Kerberos, but the Entra device isn't registered in our DNS, leading to name resolution failures unless I use the device's IP address.

I've got a few questions:
1. Are there limitations when using WinRM to connect from a domain device to an Entra-joined device?
2. What's the best authentication method for this setup—NTLM, Basic over HTTPS, or certificates?
3. Is DNS registration necessary, or can I depend on using IP addresses or the hosts file?
4. Are there specific WinRM configurations required for devices that are solely connected through Entra?

I feel like there's something basic I'm missing about WinRM authentication beyond the realm of AD and Kerberos. Thanks for any help!
4 Answers
It's important to note that DNS registration may not be mandatory if you're okay with using IP addresses or the hosts file for connections. But having DNS in place can simplify management and reduce the chances of errors, especially if devices are frequently changing.
You might want to ensure that when you're specifying the device name, usage of a '$' at the end could be required in some scenarios. I am not entirely sure if it's applicable with the Test-WSMan command, but it's worth checking out.
It looks like you might need to configure the device as a trusted host in WinRM settings. This allows the domain device to connect with the Entra device even though it's not part of the same domain. Just remember, if you have a lot of devices, this could be a hassle to set up across all of them, and you need administrative rights to make that change.
That's true! Setting that up for thousands of devices could definitely turn into a logistics nightmare.
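Pulling the trusted-host and Test-WSMan points from this thread together, here is an added example (not code from any poster) that checks that 5986 is reachable, adds only the specific target to TrustedHosts, and then runs Test-WSMan over HTTPS with a local account on the Entra device; HOSTNAME-OR-IP is a placeholder for the device name or address you actually use.

```powershell
# Added example (not from any poster in this thread). Assumes the Entra-joined
# device is reachable at the placeholder below and that you hold a local
# administrator account on it. Run in an elevated PowerShell on the domain-joined
# source machine.
$Target = 'HOSTNAME-OR-IP'   # placeholder: the name or IP you pass to -ComputerName

# 1. Is the HTTPS listener port reachable at all? A blocked 5986 yields the same
#    "WinRM client cannot complete the operation" error as a name-resolution failure.
$tcp = Test-NetConnection -ComputerName $Target -Port 5986 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 5986 to $Target is not reachable; check routing and the device firewall first."
}

# 2. Without Kerberos the client falls back to NTLM via Negotiate, which WinRM only
#    permits toward hosts listed in TrustedHosts. Add just this host, never '*',
#    and preserve whatever entries are already present.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries -notcontains $Target) {
    $entries += $Target
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($entries -join ',') -Force
}

# 3. Authenticate with an explicit local account on the target (a DOMAIN\user
#    cannot be validated there). -UseSSL keeps the NTLM exchange inside TLS; the
#    listener certificate's subject or SAN must match the value in -ComputerName,
#    so an IP address only works if the certificate was issued for that IP.
$cred = Get-Credential -Message "Local administrator on $Target (e.g. $Target\admin)"
try {
    $info = Test-WSMan -ComputerName $Target -UseSSL -Authentication Negotiate `
                       -Credential $cred -ErrorAction Stop
    "WinRM over HTTPS OK: {0} {1}" -f $info.ProductVendor, $info.ProductVersion
}
catch {
    "WinRM over HTTPS failed: $($_.Exception.Message)"
}
```

If TrustedHosts is controlled by Group Policy, the Set-Item step fails and the entry has to be added to that policy instead.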
Just a heads-up, WinRM requires several ports to be open for proper functioning. While you might have 5986 sorted out, you might also need to consider ports 135 and 445. There’s also a large range, from 1024 to 65535, that could be relevant depending on what you're doing. It's better to double-check your firewall rules to avoid connectivity issues.

Yeah, I'm curious about that too! Could you clarify where you think the '$' should be used?