Trouble with WinRM from Domain to Entra Device

Asked By TechSavvyNinja42 On

Hey everyone! I'm trying to set up WinRM (HTTPS) to connect from a domain-joined machine to an Entra-joined device, which seems to act like a workgroup machine. Here's the setup: I've got a domain-joined source machine and an Entra-joined target machine that isn't in Active Directory. The HTTPS port (5986) is open, a certificate is deployed on the remote device, and the WinRM listener is set for HTTPS. However, I keep running into issues. When I run 'Test-WSMan -ComputerName "xxx" -UseSSL -ErrorAction Stop', I get an error saying the WinRM client can't complete the operation and to check the computer name and network accessibility.

I've noticed a few things: it works fine for domain-joined machines using Kerberos, the Entra device isn't in our DNS (which I guess is normal), and I can only resolve its name using its IP address.

I have a couple of questions:
1. Are there limitations on using WinRM from a domain device to an Entra device?
2. What's the best authentication method to use here (should I go with NTLM, Basic over HTTPS, or certificates)?
3. Do I need DNS registration, or can I just use the IP and hosts file?
4. Are there specific WinRM configurations needed for devices joined only to Entra?

I feel like I'm missing something crucial about how WinRM authentication works outside of AD and Kerberos. Thanks in advance for your help!
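
Before anyone answers the four questions, it helps to separate the three things that can fail here: the network path, the TLS handshake, and the authentication. The following client-side script is an added example (it is not from the original post); it assumes a target reachable at 10.20.30.40 whose listener certificate was issued to the name 'entra-pc01', both of which are placeholders. The "check the computer name and network accessibility" error from Test-WSMan is what you get when the TCP connection itself fails, so the script tests that first, then reads the certificate the listener presents, and only then tries WinRM with a local account on the target. Kerberos is not an option because the Entra-joined device has no AD computer account, so the script uses Negotiate, which falls back to NTLM against a local account.

```powershell
# Added diagnostic example (not from the original post). Assumed placeholders:
# the Entra-joined target answers on 10.20.30.40 and its listener certificate
# was issued to the name 'entra-pc01'.
$TargetIp   = '10.20.30.40'
$TargetName = 'entra-pc01'     # must match the certificate subject or SAN
$Port       = 5986

# 1. Rule out name resolution and the TCP path before blaming WinRM.
#    'Check if the machine name is valid and is reachable' is the client-side
#    symptom of a failed TCP connect, not of a failed authentication.
$tcp = Test-NetConnection -ComputerName $TargetIp -Port $Port
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP $Port to $TargetIp is blocked or no listener is bound there; fix this first."
}

# 2. Read the certificate the listener presents, accepting anything for this
#    inspection step only (the validation callback always returns $true).
$client = [System.Net.Sockets.TcpClient]::new($TargetIp, $Port)
$ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($TargetName)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
"Listener cert subject: $($cert.Subject)"
"Listener cert SANs:    $($cert.DnsNameList.Unicode -join ', ')"
"Issuer:                $($cert.Issuer)"
"Expires:               $($cert.NotAfter)"
$ssl.Dispose(); $client.Dispose()

# 3. No AD account exists for the target, so Kerberos cannot work. Authenticate
#    with a local account on the target; Negotiate falls back to NTLM.
$cred = Get-Credential -Message "Local admin on $TargetName (enter as $TargetName\user)"
Test-WSMan -ComputerName $TargetName -UseSSL -Credential $cred -Authentication Negotiate

# 4. Open a session. Connecting by IP makes the certificate name check fail;
#    -SkipCNCheck tolerates the mismatch, but a hosts-file entry that makes
#    $TargetName resolve is the cleaner fix and keeps full certificate validation.
$opt = New-PSSessionOption -SkipCNCheck
Enter-PSSession -ComputerName $TargetIp -UseSSL -Credential $cred `
    -Authentication Negotiate -SessionOption $opt
```

If step 2 shows a subject or SAN that is neither the name you connect with nor one you can put in the hosts file, fix the certificate rather than living with -SkipCNCheck, because skipping the name check removes the only thing that ties the TLS endpoint to the machine you think you are administering.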

3 Answers

Answered By SysAdminGuru77 On

You might want to check the remote device's settings. Sometimes, you need to set the trusted hosts list on the domain machine to include the IP or name of the Entra device. That can really help with communication, especially when it’s not in the DNS. However, just a heads up, managing trusted hosts can get a bit tricky if you've got a lot of devices.

NinjaCoder88 -

Yeah, managing 3000 devices can be a nightmare with trusted hosts. You'd need local admin rights to set it, which complicates things a lot.
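
TrustedHosts is the client's list of targets it will send NTLM credentials to over plain HTTP; when the transport is HTTPS the server certificate identifies the target and the list is not consulted, so an HTTPS-only deployment avoids the per-client maintenance described above entirely. Certificate authentication goes one step further and also removes the password from the exchange. The following is an added example (not from the original thread) showing the target-side and client-side setup; the names 'entra-pc01', the local account 'entra-pc01\winrmadmin' and the UPN 'winrmadmin@entra-pc01' are placeholders, and the self-signed certificate is a lab shortcut where an internal CA would normally issue the client certificate.

```powershell
# Added example (not from the original thread). Placeholders: target name
# 'entra-pc01', local admin 'entra-pc01\winrmadmin', UPN 'winrmadmin@entra-pc01'.

# ---- On the domain-joined client: create the client certificate ----
# WinRM requires the Client Authentication EKU and a Subject Alternative Name
# of type UPN on the client certificate. Self-signed here for a lab only.
$clientCert = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=winrmadmin' `
    -TextExtension @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.2',          # EKU: Client Authentication
        '2.5.29.17={text}upn=winrmadmin@entra-pc01'   # SAN: UPN that will be mapped
    ) `
    -KeyUsage DigitalSignature, KeyEncipherment -KeyAlgorithm RSA -KeyLength 2048 `
    -CertStoreLocation Cert:\CurrentUser\My
Export-Certificate -Cert $clientCert -FilePath .\winrmadmin.cer | Out-Null   # public part only

# ---- On the Entra-joined target (run as a local administrator) ----
# Trust the certificate. In the self-signed lab case it is its own issuer, so it
# goes into Root; TrustedPeople is where WinRM looks for the client cert itself.
Import-Certificate -FilePath .\winrmadmin.cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath .\winrmadmin.cer -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null

# Enable certificate auth; keep Basic off so a local password is never sent.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false

# Map (issuer thumbprint + UPN) to a local account. The credential prompt asks
# for that local account; WinRM stores it to run the mapped sessions.
$issuerThumb = (Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -eq 'CN=winrmadmin').Thumbprint
New-Item -Path WSMan:\localhost\ClientCertificate `
    -Subject 'winrmadmin@entra-pc01' -URI * -Issuer $issuerThumb `
    -Credential (Get-Credential 'entra-pc01\winrmadmin') -Force

# Show the resulting mapping for review.
Get-ChildItem WSMan:\localhost\ClientCertificate | ForEach-Object {
    Get-ChildItem $_.PSPath | Select-Object Name, Value
}

# ---- Back on the client: no password prompt, no TrustedHosts entry ----
Enter-PSSession -ComputerName entra-pc01 -UseSSL -CertificateThumbprint $clientCert.Thumbprint
```

The mapping stores the local account's password on the target, so treat that account as a dedicated management identity with a unique password per device, and rotate the client certificate rather than the password when an administrator leaves.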

Answered By NetworkWhiz23 On

I think it's a good idea to try adding a dollar sign ($) at the end of the device name when you run the command. I’m not entirely sure if that’s a requirement, but it might help with recognition, especially in mixed environments.

DigitalExplorer -

Where do you think we should add that? In the Test-WSMan command?

Answered By PortMaster99 On

Don’t forget that WinRM can use multiple ports. If you’re using it for WMI monitoring, like with tools such as Orion, you might need to open up ports 135, 445, and the whole range from 1024 up to 65535. Just make sure your firewall allows those connections.
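
The port list above mixes two different protocols: WinRM itself listens only on TCP 5985 (HTTP) and 5986 (HTTPS), while TCP 135 plus the high dynamic range belongs to classic WMI over DCOM/RPC, which agentless monitoring pollers use. The script below is an added example (not from the original thread) of how to open the WinRM HTTPS listener on the Entra-joined target without exposing the DCOM range to the whole network; the management subnet 10.20.30.0/24 is a placeholder.

```powershell
# Added example (not from the original thread). Run on the Entra-joined target
# as a local administrator. Placeholder: management subnet 10.20.30.0/24.
$MgmtSubnet = '10.20.30.0/24'

# WinRM over HTTPS: one inbound rule, reachable only from the management subnet.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (management subnet)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Any | Out-Null

# Enable-PSRemoting creates rules for the HTTP listener on 5985; turn them off
# so the only remote management path is the HTTPS one above.
Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Only if WMI over DCOM is genuinely required (e.g. an agentless poller):
# scope the built-in WMI rule group to the management subnet instead of
# opening 1024-65535, and shrink the RPC dynamic range the host hands out.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet -Enabled True
netsh int ipv4 set dynamicport tcp start=49152 num=1024   # RPC range becomes 49152-50175
# The dynamic port change applies after a reboot.

# Verify what the WinRM listener is actually bound to (transport, port, cert).
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    Get-ChildItem $_.PSPath |
        Where-Object Name -in 'Transport', 'Port', 'Address', 'CertificateThumbprint', 'Hostname' |
        Select-Object Name, Value
}
```

If the listener shows Transport HTTP or an empty CertificateThumbprint, the HTTPS listener was never created, which would also explain the Test-WSMan failure in the question.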
