Issues with WinRM Access from Domain-Joined to Entra-Joined Device

Asked By CuriousCoder88 On

I'm having trouble using WinRM (HTTPS) from my domain-joined machine to connect to an Entra-joined device that seems to operate like a workgroup machine. Here's my setup: the source machine is domain-joined, the target is Entra-joined and not part of Active Directory, HTTPS on port 5986 is open, I've deployed a certificate on the remote device, and configured the WinRM listener for HTTPS.

Despite this, I'm running into issues. When I run the command 'Test-WSMan -ComputerName "xxx" -UseSSL -ErrorAction Stop', I get an error saying that the WinRM client can't finish the operation. This happens despite the connection working fine with other domain-joined machines using Kerberos. Key points include that the Entra device isn't registered in our DNS, causing name resolution to fail unless I use the IP directly.

My questions are:

1) Are there limitations using WinRM from a domain device to an Entra device?
2) What authentication method should I be using here?
3) Is DNS registration needed, or is relying on the IP and hosts file sufficient?
4) Are there any specific WinRM settings I need for Entra devices?

I'm feeling like there's something crucial about WinRM authentication outside of the AD/Kerberos framework that I'm missing. Thanks!
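For the setup described in the question (a certificate deployed on the target, and a connection made by IP because the name does not resolve), one thing to check from the source machine is which names the HTTPS listener's certificate carries and whether the source machine trusts its issuer. The following is an added example, not code from the thread; the function name Get-WinRMListenerCertInfo and the address 192.0.2.10 are placeholders chosen here.

```powershell
# Added example, not from the thread. Reads the certificate presented by a
# WinRM HTTPS listener without sending credentials.
function Get-WinRMListenerCertInfo {
    param(
        [Parameter(Mandatory)] [string] $Target,  # name or IP exactly as given to -ComputerName
        [int] $Port = 5986
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $tcp.Connect($Target, $Port)              # throws if the port is unreachable
        # Accept any certificate at this stage so it can be inspected;
        # name coverage and trust are evaluated separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Target, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    # Subject CN and SAN DNS names, as exposed by PowerShell's DnsNameList property.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    # Does the certificate chain to a root this client trusts? Revocation is
    # skipped so the check stays offline.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Target         = $Target
        Subject        = $cert.Subject
        DnsNames       = $names
        SubjectAltName = if ($san) { $san.Format($false) } else { '(none)' }
        NotAfter       = $cert.NotAfter
        Expired        = (Get-Date) -gt $cert.NotAfter
        NameListed     = $names -contains $Target   # exact match only; wildcards not expanded
        ChainTrusted   = $trusted
        ChainStatus    = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

# 192.0.2.10 is a constructed documentation address; substitute the real target.
Get-WinRMListenerCertInfo -Target '192.0.2.10' | Format-List
```

If NameListed is False or ChainTrusted is False, the name used with -ComputerName is not covered by the certificate or its issuer is not in the source machine's trusted roots.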

3 Answers

Answered By TechieTom123 On

You might want to check if your device name has a '$' at the end when using Test-WSMan. It’s a common detail that can trip you up! Not sure if it’s a must, but it’s worth a try!

InquiryNerd -

Are you saying I should append that when specifying the computer name in the command?

Answered By SysAdminScribe On

You might want to configure the trusted hosts setting, but that can be a hassle if you have many devices. Plus, you'd need local admin rights to set it up, which complicates things a bit.

TechyDude2023 -

Yeah, managing trusted hosts for 3000 devices sounds like a nightmare! Any easier way around it?

Answered By NetworkNinja99 On

Also, keep in mind that WinRM uses several ports for communication. In addition to HTTP/S ports, you might need to make sure other ports like 135, 445, and TCP ports from 1024 to 65535 are open if you're using WMI monitoring on tools like Orion.
