Subject: | WinRM over HTTPS problems |
Author: | [Not Specified] |
Posted: | 2014-10-29 11:50 |
Zenoss version: 4.2.5 running on CentOS 6.5
Issue: WinRM does not work over HTTPS but works fine over HTTP
Target box: Windows server 2008R2
Other Info:
Firewall is off on windows box, iptables disabled on zenoss box
Certificate installed - CN=server1.domain.loc, server auth and client auth roles
Zenoss config below:
http://i.imgur.com/xCHk0Ic.jpg
Server WinRM config showing http and https listeners:
http://i.imgur.com/UDt3gFg.jpg
Error when using https:
"Unable to connect to server1. Please make sure zWinKDC, zWinRMUser and zWinRMPassword property is configured correctly"
As I mentioned, http works fine, not sure why https does not but I am hoping someone on these forums has successfully got WinRM over https to work.
Thanks,
Dan
Subject: | It's not clear to me, but did |
Author: | [Not Specified] |
Posted: | 2014-10-29 14:21 |
It's not clear to me, but did you install an SSL cert on the Windows host? That's what's kept me from doing SSL WinRM, I can't go to every Windows server and install an SSL cert...
James Pulver
ZCA Member
CLASSE Computer Group
Cornell University
Subject: | Yeah, SSL certs are what are |
Author: | Jay Stanley |
Posted: | 2014-10-29 14:28 |
Yeah, SSL certs are what are preventing us from rolling out WinRM pack
Subject: | yes, I did put a cert on the |
Author: | [Not Specified] |
Posted: | 2014-10-29 14:39 |
yes, I did put a cert on the windows box from our internal CA
Subject: | I would add the rmservername |
Author: | Jay Stanley |
Posted: | 2014-10-29 14:42 |
I would add the rmservername zprop, if that makes a difference
Subject: | tried that, no luck |
Author: | [Not Specified] |
Posted: | 2014-10-29 14:50 |
tried that, no luck
Subject: | packet captures are showing |
Author: | [Not Specified] |
Posted: | 2014-10-29 15:15 |
packet captures are showing the following:
Kerberos KRB-ERROR
MSG Type: KRB-ERROR (30)
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Server Name (Service and Host): HTTPS/server1.domain.loc
Name-type: Service and Host (3)
Name: HTTPS
Name: server1.domain.loc
I'm doing some googling but figured I would update with the error while I look. The PTR lookup does return the correct DNS name: server1.domain.loc according to the packet before the above error.
edit: This packet is from zenoss talking to the domain controller, not the monitored device
Subject: | Does DNS reverse lookup works |
Author: | [Not Specified] |
Posted: | 2014-11-01 09:16 |
Does DNS reverse lookup work for this host?
It might have no relation to your problem, but for me Kerberos for AD authentication did not work until correct DNS reverse zones ...
Subject: | Did you set the spn |
Author: | [Not Specified] |
Posted: | 2014-11-01 12:43 |
Did you set the SPN for your box?
You can check it at cmd with setspn -l server1.
If you don't see "HTTPS/server1.domain.loc", you have to set it with
setspn -s HTTPS/server1.domain.loc server1
Subject: | Bingo!!! That was it. |
Author: | [Not Specified] |
Posted: | 2014-11-10 10:41 |
Bingo!!! That was it.
Thanks, Jhesse!
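
Added example, not part of the thread or of Zenoss: a Python check that parses `setspn -l` output and reports whether the SPN the client requested in the packet capture (HTTPS/server1.domain.loc) is registered. The sample output is constructed, the function names are hypothetical, and the HOST alias set is a subset that assumes the domain keeps the default sPNMappings, under which HTTP resolves through HOST/ and HTTPS does not.

```python
import re

# Service classes that AD resolves to HOST/<name> through the default
# sPNMappings attribute. Subset only; assumes the domain keeps the defaults.
# "https" is not among them, so HTTPS/<name> needs its own registration.
HOST_ALIASES = {"http", "www", "cifs", "rpc", "dns", "time"}

# Constructed sample of `setspn -l server1` output before the fix.
SAMPLE_BEFORE = """\
Registered ServicePrincipalNames for CN=SERVER1,CN=Computers,DC=domain,DC=loc:
        WSMAN/server1
        WSMAN/server1.domain.loc
        TERMSRV/server1.domain.loc
        HOST/server1
        HOST/server1.domain.loc
"""

def parse_setspn(output):
    """Return the set of (service_class, host) pairs listed by `setspn -l`."""
    spns = set()
    for line in output.splitlines():
        # SPN lines are indented: class/host, optionally :port and /service-name.
        m = re.fullmatch(r"\s+([^/\s]+)/([^/:\s]+)(?::\d+)?(?:/\S+)?\s*", line)
        if m:
            spns.add((m.group(1).lower(), m.group(2).lower()))
    return spns

def resolve(spn, registered):
    """Classify an SPN lookup as 'explicit', 'host-alias' or 'missing'."""
    svc, _, host = spn.partition("/")
    svc, host = svc.lower(), host.lower()
    if (svc, host) in registered:
        return "explicit"
    if svc in HOST_ALIASES and ("host", host) in registered:
        return "host-alias"
    return "missing"  # the KDC would answer KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

def audit(output, fqdn, schemes=("HTTP", "HTTPS")):
    """Map each scheme's SPN for `fqdn` to its lookup status."""
    registered = parse_setspn(output)
    return {f"{s}/{fqdn}": resolve(f"{s}/{fqdn}", registered) for s in schemes}

if __name__ == "__main__":
    for spn, status in audit(SAMPLE_BEFORE, "server1.domain.loc").items():
        print(f"{spn}: {status}")
```

Any SPN reported as missing is one to register with the `setspn -s` command shown above.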