Setup for Hyper-V, VMM, Exchange Targets - Enable WinRM Manually with Troubleshooting steps

Document created by bsong Expert on Jun 7, 2016Last modified by kelly.ebdon@turbonomic.com on Jun 20, 2019
Version 27Show Document
  • View in full screen mode

Enabling WinRM is required to connect to Hyper-V, VMM, or Exchange targets. To enable WinRM manually on a target, just run the following commands via PowerShell.

 

Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True

Set-WSManQuickConfig -Force

 

Optional - the following command is only needed for local users:

Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True

 

To enable multiple Hyper-V, VMM, Exchange targets in GPO please follow this link:  WSMan service configuration using domain GPO

 

However, if you would like to use Secure connection via HTTPS then follow this article: WSMan/WinRM over HTTPS service configuration

 

IMPORTANT:  Turbonomic requires open bidirectional access over ports 5985, 5986 to validate and discover Hyper-V hosts and VMM. Additionally, if you are adding a VMM target, you still need to enable WSMAN / WinRM on both the VMM and all the underlying Hyper-V hosts as well. Also, make sure that the user has administrator permissions on Hyper-V and VMM as well. To add a Hyper-V / VMM target please make sure to put the target name using "Fully Qualified Domain name" and the username should not contain the domain name. 

 

 

TROUBLESHOOTING :

 

1)  If targeting is still failing when not using Secure connection, it is good to confirm that "AllowUnencrypted" has been set to "true". Oftentimes, this setting is still set to "false" and will prevent targeting. You can run the following PowerShell command to confirm that in the Service category, AllowUnencrypted is set to "true":

 

winrm get winrm/config/service

 

 

IMPORTANT:  For Hyper-V/VMM we need to have an administrative user (administrator) who is part of the active directory domain as we use kerberos system to validate the credentials. To check the permissions of the user and confirm it is able to go through a kerberos check, you can run the following command in PowerShell on a different host to the host in question:

 

Get-WSManInstance wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM Win32_ComputerSystem" -ComputerName hp-             dl591.corp.vmturbo.com -Authentication Kerberos -Credential john.doe@corp.vmturbo.com

 

      ( Here, replace hp-dl591.corp.vmturbo.com with the actual host having this issue and john.doe@corp.vmturbo.com with the real username)

 

To use an IP Address for the target, we need to have SPN for the host. To do this, we need to add SPN for Hyper-v / VMM by doing the following step: 

setspn -A PROTOCOL/ADDRESS:PORTWINDOWS-HOST
Example: setspn –A WSMAN/10.99.9.2 VMM-02

Note: PORT is optional

   You can also run the following PowerShell command to check whether the permissions of the user is set to administrator:

winrm configSDDL default
4 people found this helpful

Attachments

    Outcomes