Fix WinRM Client Issues

My team manages a lot of Dell hardware. Over the years we’ve run into situations where we have to replace the system board on a host. The system board’s management interface, iDRAC, has a license key on it, and when you replace the system board it’s helpful if you can export the license key ahead of time. That way you can reimport it again easily without getting your sales team involved to reissue a key.

Unfortunately sometimes that’s not possible, such as when the iDRAC management interface is what died (my case today). Turns out that Dell has the “Dell EMC License Manager” (get it from support.dell.com under the Systems Management downloads for your hardware) which you can proactively take a copy of your licenses. Seems like a good idea, except I ran into arcane WinRM client issues due to security settings others had applied, and the Internet wasn’t very helpful. Maybe this will help others.

You get an error “The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.”

Open a PowerShell prompt as Administrator and run:

winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/client '@{AllowUnencrypted="true"}'

That’ll either work or…

You get an error “The config setting Basic cannot be changed because is controlled by policies. The policy would need to be set to ‘Not Configured’ in order to change the config setting.”

Edit your Group Policy (run gpedit.msc as an Administrator). Local Computer Policy, then Computer Configuration, then Administrative Templates, then Windows Components, then Windows Remote Management (WinRM), then WinRM Client.

Check to make sure “Allow Basic authentication” and “Allow unencrypted traffic” are set to “Not Configured.”

Repeat with the WinRM Service GPO if you’re having issues with incoming connections (see below).

Run “gpupdate /force” from a command or PowerShell prompt once you’re done editing.

It is also possible that the GPO settings are coming from an Active Directory. Fixing that is left as an exercise for the reader.

If you’re trying to configure incoming WinRM I found this helpful post and suggestions which led me to my fixes above:

winrm quickconfig -q
winrm set winrm/config/winrs ‘@{MaxMemoryPerShellMB=”512″}’
winrm set winrm/config ‘@{MaxTimeoutms=”1800000″}’
winrm set winrm/config/service ‘@{AllowUnencrypted=”true”}’
winrm set winrm/config/service/auth ‘@{Basic=”true”}’
Start-Service WinRM
set-service WinRM -StartupType Automatic

I can’t vouch for the security of this, and I’d definitely wrap it in a firewall on the host and the network, but I mention it in case you find yourself here in a search. The GPO solution works for the service, too.

Good luck.

2 comments… add one
  • Yes, we are aware of these settings in WinRM and have added it to our documentation. We’re also including this in a pre-req checker for DLM that will be in a future release.

    Reply
    • This wasn’t really a criticism of Dell’s software, since it was our folks that applied the CIS Security Benchmark to servers as part of a security effort & broke this. However, anything you can do to check the functionality would be wonderful. Thanks for considering it!

      Reply

Leave a Comment

%d bloggers like this: