Windowsserverdocs: Server Management lost after enabling Role-based access control through WAC

Created on 16 May 2018 · 8 Comments · Source: MicrosoftDocs/windowsserverdocs

I have enabled RBAC through WAC on the WAC server. The process failed and the WAC server isn't manageable through the WAC website.
On the WAC server side, in ServerManagementExperience, this event is registered:

400 - PSRemotingTransportException: Connecting to remote server SERVERNAME failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.

And the winrm qc command executed on the WAC server returns:
WSManFault
Message = WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.

Error number: -2144108250 0x80338126
WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.

WinRM firewall rules are created and I tried disabling the firewall too, but the problem persists. The WAC server is accessible and the WAC website works perfectly with other servers.



All 8 comments

Configuring RBAC will restart the WinRM service. It is possible the service failed to come back online in your case.
Are you able to connect to the server using the traditional Remote Desktop Connection, or via the local console? If so, please check to see if the WinRM service has crashed using services.msc or Get-Service WinRM in PowerShell.

Hi Jeff

Yes, I'm able to connect to the server using Remote Desktop Connection and Computer Management too.
The WinRM service was stopped. If I start it, it remains starting and after a few minutes stops.

These events are registered in event viewer:
Log Name: System
Source: Microsoft-Windows-WinRM
Date: 5/18/2018 9:13:40 AM
Event ID: 10119
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: COMPUTERNAME

Description:

The WinRM service is unable to start because of a failure during initialization.

Log Name: System
Source: Microsoft-Windows-WinRM
Date: 5/18/2018 9:13:40 AM
Event ID: 10149
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: COMPUTERNAME
Description:

The WinRM service is not listening for WS-Management requests.
User Action

If you did not intentionally stop the service, use the following command to see the WinRM configuration:

winrm enumerate winrm/config/listener

Log Name: Microsoft-Windows-WinRM/Operational
Source: Microsoft-Windows-WinRM
Date: 18/05/2018 9:13:40
Event ID: 210
Task Category: Winrm service start/stop
Level: Error
Keywords: Server
User: SYSTEM
Computer: COMPUTERNAME
Description:
The WinRM service is unable to start because of a failure during initialization. The error code is 0

@rpsqrd will you please take a look at this?

@sergiomartinezconde Thanks for sending the log details! Can you run rsop.msc and check if the following group policy is set?

Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Disallow WinRM from storing RunAs credentials

This policy is sometimes set when the security baseline policy published by Microsoft is applied to a machine. While JEA (the PowerShell feature underlying WAC RBAC) does not actually store any credentials, WinRM sometimes mistreats the virtual administrator account as storing credentials and therefore gets in an inoperable state once JEA is configured.

Hi rpsqrd
Sorry for the delay in my answer, but email notifications were in the Junk folder.

You are right, Disallow WinRM from storing RunAs credentials is Enabled by a GPO.

Does this imply that we can't enable this policy if we want to use JEA?

Hi rpsqrd

Is there any way to solve this issue?

Regards

Sorry for not responding earlier. Yes, it looks like you will need to disable the GPO policy that is configuring "Disallow WinRM from storing RunAs credentials" to unblock this. If you want to get back to your original state where RBAC was not configured but the GPO was applied, disable it temporarily, run the following command in PowerShell, then re-enable the policy.

Unregister-PSSessionConfiguration microsoft.sme.powershell -Force

It works!!!!

I have blocked the GPO to that server and I have executed the PowerShell command and "Et voilà!". The server could be managed from WAC.

Thanks @rpsqrd for your help.

Regards
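
A read-only triage script for the condition this thread converges on, added here as an example and not posted by any participant: it checks the WinRM service state, the DisableRunAs policy value, whether the microsoft.sme.powershell endpoint is registered, and the event IDs quoted above. The function name Get-WinRMRbacTriage and the seven-day window are assumptions; the registry paths are the standard locations for the WinRM Service policy and for WSMan plugins, not values taken from the thread.

```powershell
# Added example: local triage for the WinRM/JEA conflict discussed in this thread.
# Run in an elevated PowerShell session on the affected server (RDP or console),
# because WinRM itself may be down and remoting will not work.

# Assumed standard registry locations (not quoted in the thread).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$pluginKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\microsoft.sme.powershell'

function Get-WinRMRbacTriage {   # hypothetical helper name
    # 1. Service state (the thread reports it stuck in "starting", then stopped).
    $service = Get-Service -Name WinRM

    # 2. "Disallow WinRM from storing RunAs credentials" is the DisableRunAs
    #    value (DWORD 1 when the policy is enabled).
    $policy = Get-ItemProperty -Path $policyKey -Name DisableRunAs -ErrorAction SilentlyContinue
    $disableRunAs = [bool]($policy -and $policy.DisableRunAs -eq 1)

    # 3. Is the WAC RBAC endpoint registered? Read the registry instead of calling
    #    Get-PSSessionConfiguration, which needs a running WinRM service.
    $endpointRegistered = Test-Path -Path $pluginKey

    # 4. Initialization failures quoted in the thread:
    #    10119 / 10149 (System log) and 210 (WinRM Operational log).
    $since = (Get-Date).AddDays(-7)   # assumed look-back window
    $events = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WinRM'; Id = 10119, 10149; StartTime = $since } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 210; StartTime = $since } -ErrorAction SilentlyContinue
    )

    [pscustomobject]@{
        WinRMStatus          = $service.Status
        DisableRunAsPolicy   = $disableRunAs
        SmeEndpointPresent   = $endpointRegistered
        InitFailureEvents    = $events.Count
        # True when the service is down, the policy is enforced and the
        # JEA endpoint created by WAC RBAC is still registered.
        MatchesThreadPattern = ($service.Status -ne 'Running') -and $disableRunAs -and $endpointRegistered
    }
}

Get-WinRMRbacTriage | Format-List
```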
