WSMan/WinRM over HTTPS service configuration

Document created by gp.deciantis (Expert) on Jun 10, 2016. Last modified by fran.schwarzmann on Mar 3, 2017.

Many users would prefer to use a secure version of WSMan for communication between VMTurbo and Windows systems such as Hyper-V. To configure WSMan using HTTPS there are 3 steps:

  1. Create a certificate for the WSMan servers through Group Policy (GPO)
  2. Turn on WSMan through GPO
  3. Run a PowerShell script to enable the HTTPS listener on each server

 

Create a certificate for the WSMan servers through GPO

 

  1. Log in to the AD domain controller server.
  2. Launch the Certificate Authority application
  3. Right-click Certificate Templates and click Manage. The Certificate Templates Console will appear.
  4. Right-click Web Server template and select Duplicate Template. The Properties of New Template dialog will open.
  5. In the dialog, select the General tab and type WinRM into the Template display name field.
  6. Select the Subject Name tab.
  7. Click the Build from this Active Directory Information radio button.
  8. Select Common name in the Subject name format drop down.
  9. Select the DNS Name check box
  10. Unselect the User principal name (UPN) check box
  11. Select the Security tab and add the group Domain Computers to list of users and groups.
  12. In the Permissions for Domain Computers area check Read, Enroll, and Autoenroll.
  13. Click Ok to close the dialog.
  14. Close the Certificate Templates Console window.
  15. In the Certificate Authority application, right-click Certificate Templates and click New then click Certificate Template to issue. The Enable Certificate Templates dialog appears.
  16. Select the certificate template you created in steps 4-13 and click Ok.
  17. Open the Group Policy Management application on the AD Server.
  18. In the Group Policy Management navigation tree find the Group Policy Objects node under Forest \ Domains \ <Your Domain Name>.
  19. Right-click the Group Policy Objects node and click New. The New GPO dialog appears.
  20. Type in a name for the GPO such as CertificateEnrollment and click Ok.
  21. Expand the Group Policy Objects node and find the new GPO you created in steps 19 and 20.
  22. Right click the GPO and click Edit. The Group Policy Management Editor appears.
  23. In the folder go to Computer Configuration \ Policies \ Windows Settings \ Security Settings and click Public Key Policies.
  24. Double-click Certificate Services Client - Auto Enrollment. The Certificate Services Client - Auto Enrollment dialog appears.
  25. In the Configuration Model drop-down, select Enabled.
  26. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
  27. Select the Update certificates that use certificate templates check box and click Ok and then close the Group Policy Management Editor.
  28. In the Group Policy Management application, click the GPO that you created in steps 19 and 20.
  29. In the Security Filtering section click Add and add all the systems that will have WSMan enabled. You can do this by group or individual system.
  30. Right click your Domain Name in the tree view and then click Link to an existing GPO. Select the GPO that you created in steps 19 and 20 and click Ok.

Leave the Group Policy Management application open, as we will need it to configure WSMan.

 

Turn on WSMan through GPO

 

Now that the servers have their certificates we can enable WSMan on those servers.

 

WSMan service configuration consists of the following steps:

  1. Right-click your domain and click Create a GPO in this domain, and Link it here... The New GPO dialog appears.
  2. Type in the name of the GPO such as Enable WSMan and click Ok.
  3. In the Security Filtering section click Add and add all the servers where you want to enable WSMan.
  4. Right-click the GPO in the tree and click Edit. The Group Policy Management Editor window appears.
  5. In the folder view go to Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) and select WinRM Service.
  6. Double-click Allow automatic configuration of listeners. For Windows 2012 this will be called Allow remote server management through WinRM. A dialog will open.
  7. Select the Enabled radio.
  8. In the IPv4 filter field type *. Then click Ok.
  9. In the folder view go to Computer Configuration \ Policies \ Administrative Templates \ Windows Components and select Windows Remote Shell.
  10. Double-click Allow Remote Shell Access. A dialog appears.
  11. Select the Enabled radio and click Ok.
  12. In the folder view go to Computer Configuration \ Preferences \ Control Panel Settings.
  13. Right-click Services then click New then click Service. The New Service Properties dialog appears.
  14. In the Startup drop-down select Automatic.
  15. In the Service name field type WinRM.
  16. In the Service action drop-down select Start service and click Ok.
  17. In the folder view go to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Windows Firewall with Advanced Security \ Windows Firewall with Advanced Security ...
  18. Right-click Inbound Rules and click New Rule. The New Inbound Rule Wizard appears.
  19. Select the Port radio and click Next.
  20. In the Specific local ports field type 5986 and click Next and then Next again.
  21. Uncheck Public and click Next.
  22. Type the Name of the firewall rule such as WinRM (HTTPS) and click Finish.
  23. Close all the applications.

 

Run a PowerShell script to enable the HTTPS listener on each server

Now that all the GPOs have been configured you need to wait a sufficient amount of time for the settings to propagate to the servers. If you wish to expedite the process, open a command line with administrator privilege on each server and execute the following command:

gpupdate /force
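Before creating the listener it is worth confirming that the two GPOs from the previous sections have actually landed on the server. The script below is an added example, not part of the original article: run it in an elevated PowerShell session on a target server after gpupdate. It reads the standard policy registry locations that the "Allow remote server management through WinRM" and "Allow Remote Shell Access" settings write to, checks the WinRM service state, looks for an enabled inbound rule on TCP 5986, and checks that an auto-enrolled server-authentication certificate is present. The registry paths and the Server Authentication EKU OID are standard Windows values; the rule name is whatever you typed in step 22, so the check matches on port rather than name.

```powershell
# Added example (not from the original article): verify that the "Enable WSMan" and
# certificate auto-enrollment GPOs have applied on this server before creating the listener.
# Run elevated on the target server after gpupdate /force.

$svcPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$results   = [ordered]@{}

# "Allow remote server management through WinRM" writes AllowAutoConfig and the address filters here
$p = Get-ItemProperty -Path $svcPolicy -ErrorAction SilentlyContinue
$results['ListenerPolicyEnabled'] = ($null -ne $p -and $p.AllowAutoConfig -eq 1)
$results['IPv4Filter']            = if ($p) { $p.IPv4Filter } else { '<not set>' }

# "Allow Remote Shell Access" lives under the WinRS subkey
$rs = Get-ItemProperty -Path "$svcPolicy\WinRS" -ErrorAction SilentlyContinue
$results['RemoteShellPolicyEnabled'] = ($null -ne $rs -and $rs.AllowRemoteShellAccess -eq 1)

# The Preferences Service item should have set WinRM to Automatic and started it
$results['WinRMStatus']    = (Get-Service -Name WinRM).Status
$results['WinRMStartType'] = (Get-CimInstance Win32_Service -Filter "Name='WinRM'").StartMode

# Enabled inbound firewall rule for TCP 5986, matched on port so the rule name does not matter
$rule = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '5986' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
$results['Port5986InboundRule'] = if ($rule) { $rule.DisplayName -join ', ' } else { '<missing>' }
$results['Port5986Profiles']    = if ($rule) { $rule.Profile -join ', ' }     else { '<n/a>' }

# Auto-enrolled machine certificate: private key, not expired, Server Authentication EKU (1.3.6.1.5.5.7.3.1)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
}
$results['ServerAuthCertPresent'] = [bool]$cert

[pscustomobject]$results | Format-List

# Exit non-zero when a required piece is missing so this can gate the listener step in automation
if (-not ($results['ListenerPolicyEnabled'] -and $results['RemoteShellPolicyEnabled'] -and $results['ServerAuthCertPresent'])) {
    Write-Warning 'Policy has not fully applied on this host; re-run gpupdate /force or check the GPO Security Filtering.'
    exit 1
}
exit 0
```

If ListenerPolicyEnabled is true but no certificate is present, the CertificateEnrollment GPO is the one to revisit (the Security Filtering list in step 29, or the Autoenroll permission on the template in step 12); if the firewall rule is missing, the server is not in the Security Filtering of the Enable WSMan GPO.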

Once the group policies have been updated, you can now configure the HTTPS listener on the server.

  1. Open the PowerShell application as an administrative user
  2. Run the following commands:
$certThumbprint = ls Cert:\LocalMachine\My |
    where { $_.EnrollmentPolicyEndPoint.AuthenticationType -eq "Kerberos" } |
    select -first 1 -ExpandProperty Thumbprint   # -ExpandProperty yields the bare thumbprint string; a wrapped object is rejected by New-Item
new-item WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $certThumbprint

You may also set this up as a one time script run at logon if it is more convenient.
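For a logon script that may run more than once, the two-line version has two weaknesses: it picks whichever Kerberos-enrolled certificate comes first, and it fails if an HTTPS listener already exists. The script below is an added example (not the article's own script) that selects the certificate explicitly, creates or rebinds the listener idempotently, and then verifies the endpoint. It assumes the auto-enrolled certificate from the WinRM template carries the Server Authentication EKU and the server's FQDN as subject or DNS SAN, which is what the template configured in the first section produces.

```powershell
# Added example (not from the original article): idempotent HTTPS listener setup with verification.
# Assumes the GPO-issued certificate (WinRM template) is in LocalMachine\My. Run elevated.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Newest unexpired certificate with a private key, Server Authentication EKU, and this host's name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        ($_.DnsNameList.Unicode -contains $fqdn -or $_.Subject -eq "CN=$fqdn")
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No suitable server-authentication certificate for $fqdn in LocalMachine\My" }
$thumb = $cert.Thumbprint   # plain string, which is what -CertificateThumbprint expects

# Reuse an existing HTTPS listener; if it is bound to an old certificate (e.g. after renewal), recreate it
$existing = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1

if ($existing) {
    $bound = (Get-Item "WSMan:\localhost\Listener\$($existing.Name)\CertificateThumbprint").Value
    if ($bound -ne $thumb) {
        Write-Host "Rebinding HTTPS listener from $bound to $thumb"
        Remove-Item "WSMan:\localhost\Listener\$($existing.Name)" -Recurse -Force
        $existing = $null
    }
}
if (-not $existing) {
    New-Item WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $thumb -Force | Out-Null
}

# Verify: show the listener's properties, then perform an authenticated Identify over TLS
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Get-ChildItem | Select-Object Name, Value
Test-WSMan -ComputerName $fqdn -UseSSL -Authentication Default -ErrorAction Stop
```

Test-WSMan with -UseSSL validates the certificate chain against the server's trusted roots, so it only succeeds when the enterprise CA is trusted and the certificate name matches the FQDN; the same conditions VMTurbo will face when it connects over port 5986.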

 

WSMan is now fully configured using HTTPS.
