Troubleshoot WinRM – HTTP, HTTPS

If you are trying to add a new Agentless Windows node via WinRM, or a node is suddenly failing to scan, there are some common problems you may be facing. The following topic describes the various methods available to solve recurring issues with HTTP/HTTPS WinRM nodes. The first step of solving any issue is to troubleshoot the connectivity of a node via PowerShell. Cloudhouse provide various scripts to test the connectivity and authentication of a node; see below for more information.

Test Connectivity

If you are experiencing any problems with your HTTPS WinRM nodes, the first thing you should do is check that the Connection Manager can establish a TCP connection to the node. To test basic connectivity, open a PowerShell prompt on the Connection Manager host and run the following command, replacing the prod01.company.com hostname with that of your node.

PS> Test-NetConnection -ComputerName prod01.company.com -Port 5986

Responses and Solutions

If you have run the above command, there are some common responses you may receive; see below for more information. However, if you are able to establish a TCP connection to the host and port, see Test Authentication.

RAW TCP Connection is Blocked

If the following error message is returned by the command, then port 5985 is either not listening, or a firewall is actively denying connectivity by replying.

PS> Test-NetConnection -ComputerName example.com -Port 5985
WARNING: TCP connect to example.com:5985 failed

To check if a process is listening on port 5985, log into the node itself and run the following command.

PS> netstat -an | findstr LISTENING
...
  TCP   0.0.0.0:5985          0.0.0.0:0       LISTENING
...

You should see one of three entries in the response. If a process is listening on port 5985 for connections from any location, you can run netstat with the -b option to see which process is doing the listening. To do this, you need sufficient privileges set for the Windows service user account.

If you don't see an entry listing port 5985 as listening, you may need to install or enable your WinRM service. For more information, see WinRM Configuration.

If a service is running, then you need to check the Windows Firewall rules on the node itself. Then, check any network devices that live between the Connection Manager and the node.

Note: If you are unable to resolve the issue yourself, contact helpdesk@cloudhouse.com to speak to a Customer Success Engineer.

Node Hostname Cannot be Resolved to an IP Address

If the following error message is returned by the command, then the hostname prod01.payments.corp.local cannot be resolved via DNS to an IP address.

PS> Test-NetConnection -ComputerName prod01.payments.corp.local -Port 5985
You cannot call a method on a null-valued expression.
...
  $Message = "Name resolution of $TargetName failed
...

To double check if the hostname cannot be resolved to an IP address, run the following command.

PS> nslookup prod01.payments.corp.local

To resolve this issue, you need to either confirm that the Connection Manager's host has the correct DNS servers configured, or that the Network Team have added the correct local DNS entry for the node’s hostname.
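The two connectivity failures above can be told apart in one pass from the Connection Manager host. The following is an added example, not one of the Cloudhouse scripts; the function name Test-WinRMReachability is hypothetical, and it assumes the Resolve-DnsName and Test-NetConnection cmdlets are available on the host.

```powershell
# Added example, not a Cloudhouse script. Test-WinRMReachability is a
# hypothetical helper name. Run it on the Connection Manager host.
function Test-WinRMReachability {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int[]]$Port = @(5985, 5986)   # WinRM over HTTP and HTTPS
    )

    # Step 1: name resolution, checked on its own so a DNS failure is reported
    # as such rather than as a Test-NetConnection error. IP literals skip it.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($ComputerName, [ref]$ip)) {
        try {
            $null = Resolve-DnsName -Name $ComputerName -ErrorAction Stop
        } catch {
            return [pscustomobject]@{
                ComputerName = $ComputerName
                Port         = $null
                Result       = 'NameResolutionFailed'
                NextStep     = 'Check the DNS servers on this host and the DNS entry for the node'
            }
        }
    }

    # Step 2: raw TCP connect to each WinRM port.
    foreach ($p in $Port) {
        $tcp = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        if ($tcp.TcpTestSucceeded) {
            $result = 'TcpConnected'
            $next   = 'Continue with the authentication test'
        } else {
            $result = 'TcpFailed'
            $next   = 'Check the WinRM listener and Windows Firewall on the node, then devices in between'
        }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Port         = $p
            Result       = $result
            NextStep     = $next
        }
    }
}

# Hostname taken from the page's own example.
Test-WinRMReachability -ComputerName prod01.company.com | Format-Table -AutoSize
```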

Test Authentication

If you tested the basic connectivity and were able to establish a TCP connection to the host and port, you then need to confirm that the username and password used to authenticate are correct. To test a username and password pair, open a PowerShell prompt on the Connection Manager host and run the following command.

PS> Enter-PSSession -ComputerName <String> -Credential (Get-Credential)

The Get-Credential subcommand then displays a pop-up, where you can enter the username and password. Once you have entered the correct values, hit Enter to establish a remote PowerShell session.

Responses and Solutions

If you have run the above command, there are some common responses you may receive; see below for more information.

Service's Remote Connections are Disabled via GPO

If the following error message is returned by the command, then access has been denied. In this case, the WinRM service is running on the node, but is configured to only accept local connections and will not accept remote connections.

PS> Enter-PSSession -ComputerName prod01.payments.corp.local -Credential (Get-Credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Enter-PSSession : Connecting to remote server prod01.payments.corp.local failed with the following error message : The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests. For more information, see the about_Remote_Troubleshooting Help topic.

To confirm if this setting is enabled via a GPO, run the following command via a PowerShell prompt on the node.

PS> dir WSMan:\localhost\Shell\
...
System.String  AllowRemoteShellAccess        GPO            true
...

If the AllowRemoteShellAccess setting is set to 'false', then you are required to create and apply an 'Enable WinRM' Group Policy Object. For more information, see Enable WinRM via Group Policy.
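The node-side checks from this page (listening ports, Windows Firewall rules, and the AllowRemoteShellAccess setting with its source) can be collected in one report. The following is an added example, not one of the Cloudhouse scripts; the function name Get-WinRMNodeState is hypothetical, and it assumes an elevated prompt on the node.

```powershell
# Added example, not a Cloudhouse script. Get-WinRMNodeState is a hypothetical
# helper name. Run it in an elevated PowerShell prompt on the node itself.
function Get-WinRMNodeState {
    $ports   = 5985, 5986   # WinRM over HTTP and HTTPS
    $service = Get-Service -Name WinRM

    # Equivalent of "netstat -an | findstr LISTENING", limited to the WinRM ports.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue)

    # Enabled inbound Windows Firewall rules that name a WinRM port explicitly.
    $rules = @(Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort | Where-Object { $_ -in $ports } } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

    # The WSMan: drive is only readable while the WinRM service is running.
    $shell = $null
    if ($service.Status -eq 'Running') {
        $shell = Get-Item -Path WSMan:\localhost\Shell\AllowRemoteShellAccess
    }

    [pscustomobject]@{
        ServiceStatus          = $service.Status
        ListeningPorts         = ($listeners.LocalPort | Sort-Object -Unique) -join ','
        EnabledInboundRules    = $rules.DisplayName -join '; '
        AllowRemoteShellAccess = $shell.Value
        SettingSource          = $shell.SourceOfValue   # 'GPO' when Group Policy sets it
    }
}

Get-WinRMNodeState | Format-List
```

An empty ListeningPorts value corresponds to the "install or enable your WinRM service" case, and AllowRemoteShellAccess set to false corresponds to the remote shell error shown above.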