
SPN configuration on Target host

Has anyone had experience with configuring SPNs on a target server that allows WinRM to work?

We have a scenario where the DBA team has configured the HTTP SPN to be accessible only to the Database Service account; this stopped the XL Deploy account from connecting using WinRM.

Any and all help would be greatly appreciated.

William Bowsher

1 comment

Hello,

Do you still need help with this request?

You have to add the SPN for the WSMAN (WinRM) service for the service account and for the service host:

For the AD account used for the WinRM connection, add these SPNs:

http://WINRMHOSTNAME.FQDN:5985
http://WINRMHOSTNAME:5985
http://WINRMHOSTNAME.FQDN:5986
http://WINRMHOSTNAME:5986

(The default TCP ports for WinRM are 5985 and 5986)

For your host WINRMHOSTNAME (ShortName>NetbiosName and FQDN Name):

WSMAN/WINRMHOSTNAME.FQDN
WSMAN/WINRMHOSTNAME
HTTP/WINRMHOSTNAME
HTTPS/WINRMHOSTNAME
HTTP/WINRMHOSTNAME.FQDN
HTTPS/WINRMHOSTNAME.FQDN

Don't forget to restart your WinRM service (net stop/start winrm) and check that all SPNs are correctly set in AD:
setspn -l ADUserAccount (WinRM connection)
setspn -l WINRMHOSTNAME
setspn -x (don't have duplicate SPNs)

Another approach is to use Basic authentication for your WinRM connection instead of Windows/Kerberos authentication.

Command:
winrm set winrm/config/service/auth @{Basic="true"}

And for checking:
winrm e winrm/config/listener
winrm get winrm/config/service

Hope it will help you!

Regards

Fouzi BOUKEZZOULA 0 votes
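
An added example, not part of the original answer: a PowerShell check that reports which account holds each HTTP, HTTPS and WSMAN SPN for the WinRM host. It flags SPNs registered on more than one account (the duplicates setspn -x reports) and SPNs held by an account other than the host's computer account, as in the question. It assumes WinRM runs under its default service identity, so tickets must be decryptable by the computer account; the function name, account names and example.test domain are hypothetical, and the inventory is constructed sample data standing in for setspn -l output.

```powershell
# Added example, not from the thread. Inventory = account name -> SPN list.
function Find-WinRmSpnConflict {
    param(
        [Parameter(Mandatory)] [hashtable] $Inventory,
        [Parameter(Mandatory)] [string]    $HostShort,
        [Parameter(Mandatory)] [string]    $HostFqdn
    )
    $hostNames = @($HostShort, $HostFqdn)
    $computer  = $HostShort + '$'   # computer account sAMAccountName ends in '$'
    $owners    = @{}                # SPN (upper-cased) -> accounts holding it

    foreach ($account in $Inventory.Keys) {
        foreach ($spn in $Inventory[$account]) {
            # SPN shape: serviceclass/host[:port]
            if ($spn -match '^(?<class>[^/]+)/(?<host>[^:/]+)(:\d+)?$') {
                $class = $Matches['class']; $spnHost = $Matches['host']
                # Only the classes named in the answer, only for this host.
                if (($class -in @('HTTP','HTTPS','WSMAN')) -and ($spnHost -in $hostNames)) {
                    $key = $spn.ToUpperInvariant()
                    if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
                    $owners[$key] += $account
                }
            }
        }
    }

    foreach ($key in ($owners.Keys | Sort-Object)) {
        $accts = @($owners[$key] | Sort-Object -Unique)
        if ($accts.Count -gt 1)          { $finding = 'DUPLICATE' }
        elseif ($accts[0] -ne $computer) { $finding = 'NOT_ON_COMPUTER_ACCOUNT' }
        else                             { $finding = 'OK' }
        [pscustomobject]@{ Spn = $key; Accounts = ($accts -join ', '); Finding = $finding }
    }
}

# Constructed sample inventory (hypothetical accounts and domain, not real data).
$sample = @{
    'WINRMHOSTNAME$' = @('WSMAN/WINRMHOSTNAME', 'WSMAN/WINRMHOSTNAME.example.test', 'HOST/WINRMHOSTNAME')
    'svc-sqldb'      = @('HTTP/WINRMHOSTNAME', 'HTTP/WINRMHOSTNAME.example.test',
                         'MSSQLSvc/WINRMHOSTNAME.example.test:1433')
    'svc-deploy'     = @('HTTP/WINRMHOSTNAME.example.test', 'HTTP/WINRMHOSTNAME:5985')
}
Find-WinRmSpnConflict -Inventory $sample -HostShort 'WINRMHOSTNAME' `
    -HostFqdn 'WINRMHOSTNAME.example.test' | Format-Table -AutoSize
```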