WinRM (HTTPS) 目标计算机返回“拒绝访问”错误

WinRM (HTTPS) 目标计算机返回“拒绝访问”错误

我刚刚在 Windows 10 计算机(家庭版 - 无组策略)中为 HTTPS 启用了 WinRM 服务。我首先通过 powershell 创建了一个自签名测试证书,并启动了一个 WinRM 侦听器(端口 5986,防火墙允许使用)。

我想在同一台机器上测试我是否可以通过以下命令(具有管理权限)启动交互式会话:

$so = New-PsSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$sess = New-PSSession -ComputerName 127.0.0.1 -UseSSL -SessionOption $so -CertificateThumbprint "14FEDEADE9785547C4C0EC986D42D0EF795BBA0C"
Enter-PSSession -Session $sess  

但是我收到以下错误:

WinRM client cannot process the request. The destination computer (127.0.0.1:5986) returned an 'access denied'
error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify
that the client computer and the destination computer are joined to a domain. Possible authentication mechanisms
reported by server: Basic   Negotiate   ClientCerts For more information, see the about_Remote_Troubleshooting Help
topic.

我还尝试使用从 .pfx 文件(在网络中的另一台计算机上)提取的私钥和证书来使用用于 Windows 远程管理的 Ruby 库,但是得到了WinRM::WinRMAuthorizationError.

输出如下winrm get winrm/config

Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = false
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

[编辑]:我刚刚从另一台 Windows 10 计算机上尝试过,这次错误不同:

New-PSSession : [192.168.0.29] Connecting to remote server 192.168.0.29 failed with the following error message : The server certificate 
on the destination computer (192.168.0.29:5986) has the following errors:      
The SSL certificate is expired. For more information, see the about_Remote_Troubleshooting Help topic.

这真的很奇怪,因为该证书的有效期到 2020 年(因此错误消息并不真实)。

答案1

有时 WinRM 和“拒绝访问”问题是由证书配置无效引起的。
详细信息可以找到在微软

相关内容