Manage winrm settings with wsman provider

PowerShell Team

PowerShell remoting is built on top of Windows Remote Management (WinRM), which is Microsoft’s implementation of WS-Management protocol. You can use winrm.cmd command line tool to query and manage winrm settings. PowerShell V2 CTP3 contains a wsman provider for you to manage winrm settings with the standard *-Item cmdlets . Let’s try it out:

PS C:\> cd wsman:
PS WSMan:\> dir
   WSManConfig: Microsoft.WSMan.Management\WSMan::WSMan
ComputerName                                  Type
————                                  —-
localhost                                     Container
PS WSMan:\> cd .\localhost
PS WSMan:\localhost> dir | ft –auto
   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost
Name                Value      Type
—-                —–      —-
MaxEnvelopeSizekb   150        System.String
MaxTimeoutms        180000     System.String
MaxBatchItems       32000      System.String
MaxProviderRequests 4294967295 System.String
Client                         Container
Service                        Container
Shell                          Container
Listener                       Container
Plugin                         Container
ClientCertificate              Container

At the top level of the wsman drive, you see a container named localhost, this contains all the winrm settings for the local computer. If you cd into localhost, you have six more containers (I put corresponding winrm command line in parentheses for your reference): client contains client side winrm settings ( winrm g winrm/config/client), service contains server side winrm settings (winrm  g  winrm/config/service), shell contains shell settings (winrm  g winrm/config/winrs), listener contains listener instances (winrm e winrm/config/listener), plugin contains  winrm plugin instances including the default microsoft.powershell plugin, and clientcertificate contains certificate mappings (winrm e winrm/config/service/certmapping). The *-PSSessionConfiguration cmdlets were actually built on top of wsman provider. Let’s try Remove-Item and New-Item on listener instances. Don’t  forget you can use tab completion to find out  dynamic parameters of New-Item for specific path in wsman provider.

PS WSMan:\> cd .\localhost\Listener
PS WSMan:\localhost\Listener> Get-ChildItem
   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Listener
Name                      Type                 Keys
—-                      —-                 —-
Listener_98910385         Container            {Address=*, Transport=HTTP}
PS WSMan:\localhost\Listener> Remove-Item .\Listener_98910385 –Recurse
PS WSMan:\localhost\Listener> New-Item . -Port 8080 -Address * -Transport http
   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Listener
Name                      Type                 Keys
—-                      —-                 —-
Listener_98910385         Container            {Address=*, Transport=HTTP}
 

 Now let’s use set-item to change server side  winrm settings on a remote computer to allow CredSSP authentication. You can connect to remote winrm service using  connect-wsman cmdlet, remote computer name will show up at the top level of the wsman drive if the connection is successful.

PS WSMan:\> Enable-WSManCredSSP *
cfg         :
http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true
PS WSMan:\> New-PSSession weiwu-lh64.ntdev.corp.microsoft.com -cred $cred -Authentication credssp
[weiwu-lh64.ntdev.corp.microsoft.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer name as the remote destination. Also verify that the client computer and the destination computer are joined to a domain. To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by server:     Negotiate Kerberos
    + CategoryInfo          : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

PS WSMan:\> Connect-WSMan weiwu-lh64
PS WSMan:\> get-item .\weiwu-lh64\Service\Auth\CredSSP
   WSManConfig: Microsoft.WSMan.Management\WSMan::weiwu-lh64\Service\Auth
Name                      Value                                              Type
—-                      —–                                              —-
CredSSP                   false                                              System.String
PS WSMan:\> set-item .\weiwu-lh64\Service\Auth\CredSSP true
PS WSMan:\> New-PSSession weiwu-lh64.ntdev.corp.microsoft.com -cred $cred -Authentication credssp Id Name            ComputerName    State    Configuration         Availability
 — —-            ————    —–    ————-         ————
  1 Session1        weiwu-lh64.n… Opened   Microsoft.PowerShell     Available
PS WSMan:\> Disconnect-WSMan weiwu-lh64
PS WSMan:\> Disable-WSManCredSSP

Enjoy!

Wei Wu[MSFT]
Visit the Windows PowerShell Team blog at:    http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at:  http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx

0 comments

Discussion is closed.

Feedback usabilla icon