Troubleshooting WinRM and Kerberos Delegation for WAC

Windows Admin Center (WAC) is a browser-based management tool that simplifies the administration of servers, clusters, Windows PCs, and Azure virtual machines. In this article, we shall discuss troubleshooting WinRM and Kerberos delegation for WAC. Related articles: How to upgrade Windows Admin Center 2306 – 2311: Install WACmg 2410, how to set up Windows Admin Center Modern Gateway for Single Sign-On, and how to update Proxmox VE 9.0 now Supported by Veeam.
Note: When you install Windows Admin Center on Windows 10, it’s ready to use single sign-on. If you are going to use Windows Admin Center on Windows Server, you need to set up some form of Kerberos delegation in your environment before you can use single sign-on. The delegation configures the gateway computer as trusted to delegate to the target node.
Please, see Kerberos Delegation: A Comprehensive Guide, How to configure a service account for Kerberos delegation, and how to Upgrade Windows Admin Center Manually.
Troubleshooting WinRM and Single Sign-on (SSO)
If Windows Admin Center is running on Windows Server and you don’t have Kerberos delegation configured, you must re-enter your Windows credentials. To avoid this, you have to configure Kerberos delegation.
When you enable WinRM over HTTPS in Windows Admin Center (WAC), the remote machine you want to manage must have an SSL/TLS certificate installed. Do not run WinRM over HTTPS if you do not have a certificate installed, as shown in the image below.
Since WinRM is enabled on Windows Server by default, you should generally not have issues with WinRM over HTTP, which can be enabled during the installation of Windows Admin Center (WAC).
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service:

If you do not want to use SSO by enabling Kerberos delegation, you can choose to use another account for this connection as shown below. Please, see this article on how to add connections to Windows Admin Center.

If you select “use my windows account for this connection”, the connection will fail because SSO is not configured. When SSO is configured correctly, you will not even have to select this option before connecting to a server. Clicking on the server itself in WAC will initiate an automatic connection to the server.

Here are some relevant articles on this topic: How to enable or disable WinRM via the command-line, and how to enable WinRM on Windows Servers and Windows PCs
Part A: Verify WinRM is working Correctly
The error “WinRM cannot complete the operation” shown below will be prompted as well when adding an individual server. If you do not have the certificate on the node administered remotely, please modify WAC to use WinRM over HTTP.

Also, ensure that the service is running correctly.

Alternatively, you could verify from the command line that WinRM is running. As mentioned above, this is enabled automatically on Windows Server.
winrm quickconfig
As shown in the image below, we have been able to determine that everything is working fine with WinRM. You can check whether the listener is configured correctly by using the command below.
winrm enumerate winrm/config/listener

For the default WinRM over HTTP, the firewall rule is enabled by default. For WinRM over HTTPS, you will need to enable the firewall rule with the commands below if any is blocked.
- For HTTP: TCP 5985
- For HTTPS: TCP 5986
Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP"
Enable-NetFirewallRule -Name "WINRM-HTTPS-In-TCP"
If the WinRM listener is missing, create one with the command below.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname='server.domain.com'; CertificateThumbprint='THUMBPRINT'}"
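The HTTPS requirements in this part (a listener bound to a certificate that is installed on the managed node, still valid, and issued for the name WAC connects to) can be checked in one pass. This is an added example, not part of the original article; the function name `Test-WinRMHttpsListenerCert` is hypothetical and `server.domain.com` is the placeholder host name from the command above.

```powershell
# Added example (not from the original article). Run on the managed node.
# Test-WinRMHttpsListenerCert is a hypothetical helper name.
function Test-WinRMHttpsListenerCert {
    param([Parameter(Mandatory)] [string] $ExpectedFqdn)

    # Enumerate the listeners, as "winrm enumerate winrm/config/listener" does.
    $https = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        Where-Object { $_.Transport -eq 'HTTPS' })
    if ($https.Count -eq 0) {
        return [pscustomobject]@{
            Listener = 'none'; Thumbprint = $null
            Problems = @('no HTTPS listener: keep WAC on WinRM over HTTP or create one')
        }
    }

    foreach ($listener in $https) {
        # Strip whitespace in case the thumbprint was pasted with spaces.
        $thumb = $listener.CertificateThumbprint -replace '\s', ''
        $cert  = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1

        $problems = @()
        if (-not $cert) {
            $problems += 'thumbprint not found in Cert:\LocalMachine\My'
        } else {
            if ($cert.NotAfter -lt (Get-Date))  { $problems += "expired $($cert.NotAfter)" }
            if ($cert.NotBefore -gt (Get-Date)) { $problems += "not valid until $($cert.NotBefore)" }
            if (-not $cert.HasPrivateKey)       { $problems += 'no private key' }

            # Subject CN plus SAN DNS names; a name such as *.domain.com is
            # treated as a wildcard pattern for the comparison.
            $names = @($cert.GetNameInfo('SimpleName', $false)) + @($cert.DnsNameList.Unicode)
            if (-not ($names | Where-Object { $_ -and $ExpectedFqdn -like $_ })) {
                $problems += "CN/SAN does not cover $ExpectedFqdn"
            }
        }

        [pscustomobject]@{
            Listener   = "$($listener.Address):$($listener.Port)"
            Thumbprint = $thumb
            Problems   = $problems
        }
    }
}

Test-WinRMHttpsListenerCert -ExpectedFqdn 'server.domain.com'
```

An empty `Problems` list means the listener certificate is present and usable for that name; any entry explains why WAC should stay on WinRM over HTTP until it is fixed.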
Please see “how to Enable and Configuring WinRM via GPO“, and how to fix “WinRM cannot complete the operation, verify that the specified computer name is valid“.
Part B: Enable Kerberos Delegation (KDC) for WAC
Note: There are different scripts to enable constrained delegation for Windows Admin Center (WAC) for SSO. Because this is not the official step to configure WAC, I will not be sharing it.

To configure constrained delegation, please use the PowerShell command below.
Set-ADComputer -Identity (Get-ADComputer node01) -PrincipalsAllowedToDelegateToAccount (Get-ADComputer wac)
Note: Despite what many online sources claim, you do not need to enable the constrained delegation from the WAC server only. You can do this on any server that has RSAT installed.
As you can see in the image below, there are no RSAT tools available.
Therefore, proceed to install Active Directory Module as shown below in order to be able to configure SSO for WAC.
When you take a look at the Events under Setup, you will see “Selectable update ActiveDirectory-PowerShell of package ActiveDirectory-PowerShell-Package was successfully turned on”.

You can purge your Kerberos ticket to test authentication as well.

Test WinRM before blaming WAC for SSO issues. We can test directly whether Kerberos delegation works. If this fails, the issue is WinRM/SPN/delegation, not WAC itself.
Test-WSMan TargetServerFQDN -Authentication Kerberos

As you can see, it passed. Therefore, there are group policies preventing the SSO.
To enable WinRM on Windows 10/11, please run the following command on the PC.
Enable-PSRemoting -Force
Verify TLS or Self-Signed Certificate Permission for Windows Admin Center
Alternatively, if the above steps still have not worked and the group policies are not the culprit, then you should follow the steps below.

Even when you enter your credentials, this will also not work.

Let’s test basic connectivity from your client machine. As you can see below, the connection is working correctly.
Test-NetConnection FQDN -Port 5985
Test-WSMan FQDN
Now, I will proceed to verify the certificate permission used in installing WAC. Before this, the PowerShell command Get-ChildItem Cert:\LocalMachine\My lists all certificates stored in the Local Computer’s Personal (My) certificate store, showing details like the subject name, thumbprint, and expiration date.
Get-ChildItem Cert:\LocalMachine\My

You can also use the command below to launch the Microsoft Management Console (MMC). The certlm.msc is the MMC snap-in used to manage local computer certificates, including personal, trusted root, and intermediate certification authorities on Windows systems.
certlm.msc
Now, verify that the Network Service has the following permission.

Once again, verify that the Kerberos delegation has been configured correctly by using this command.
Get-ADComputer "ManagedNodeFQDN" -Properties PrincipalsAllowedToDelegateToAccount
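The connectivity, Kerberos and delegation checks from this article can be combined into a single report per managed node. This is an added example, not part of the original article; `Test-WacDelegation` is a hypothetical function name, `node01` and `wac` are the computer accounts used in Part B, and `node01.domain.com` is an assumed FQDN.

```powershell
# Added example (not from the original article). Requires the Active Directory
# module (RSAT). Test-WacDelegation is a hypothetical helper name.
Import-Module ActiveDirectory

function Test-WacDelegation {
    param(
        [Parameter(Mandatory)] [string] $NodeName,     # computer account of the managed node
        [Parameter(Mandatory)] [string] $NodeFqdn,     # name WAC uses to connect
        [Parameter(Mandatory)] [string] $GatewayName   # computer account of the WAC gateway
    )
    $report = [ordered]@{ Node = $NodeFqdn }

    # 1. Is the WinRM HTTP port reachable at all?
    $report.Port5985 = Test-NetConnection -ComputerName $NodeFqdn -Port 5985 -InformationLevel Quiet

    # 2. Does WinRM answer when Kerberos is forced?
    try {
        Test-WSMan -ComputerName $NodeFqdn -Authentication Kerberos -ErrorAction Stop | Out-Null
        $report.KerberosWSMan = $true
    } catch {
        $report.KerberosWSMan = $false
        $report.KerberosError = $_.Exception.Message
    }

    # 3. Is the gateway listed in PrincipalsAllowedToDelegateToAccount on the node?
    $gatewayDn = (Get-ADComputer -Identity $GatewayName).DistinguishedName
    $node      = Get-ADComputer -Identity $NodeName -Properties PrincipalsAllowedToDelegateToAccount
    $allowed   = @($node.PrincipalsAllowedToDelegateToAccount)
    $report.GatewayTrusted = $allowed -contains $gatewayDn

    # Any other principal trusted to delegate to this node deserves a review.
    $report.OtherTrustedPrincipals = @($allowed | Where-Object { $_ -ne $gatewayDn })

    [pscustomobject]$report
}

# Assumed names: node01 and wac from Part B, node01.domain.com as the node's FQDN.
Test-WacDelegation -NodeName node01 -NodeFqdn node01.domain.com -GatewayName wac
```

If all three checks pass and SSO still fails, the remaining suspect is the group policy hardening discussed next; a non-empty `OtherTrustedPrincipals` list shows accounts besides the gateway that can delegate to the node.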

Now that all of these have been verified, you have to take a further look at the hardening of your domain by reviewing the group policies configured. This is what is preventing the SSO. As you can see, this has been configured and is working correctly, as referenced in the first paragraph above, in an environment with moderate security (hardening).
Please, see how to configure WinRM to accept connection from a specific IP Address, and how to Download and update Synology DiskStation NAS to DSM 7.3.
FAQs
WAC consolidates server, cluster, and Windows client management into a modern, browser-based interface. It reduces reliance on legacy MMC tools, centralises administration, and supports hybrid scenarios with Azure integration making it Microsoft’s strategic direction for Windows administration.
The certlm.msc manages certificates for the local computer, while certmgr.msc manages certificates for the current user account. Use certlm.msc for system-wide or service certificates.
Yes. For secure WinRM (HTTPS), the remote server must have a computer authentication certificate installed where the CN or SAN matches the hostname or FQDN. This ensures encrypted connections and proper authentication.
This happens when the client cannot resolve the server’s name for DNS or SPN validation. Using an IP address or short hostname instead of the FQDN can break Kerberos authentication. Always use the FQDN registered in DNS and SPNs.
I hope you found this article on troubleshooting WinRM and Kerberos Delegation for WAC very useful. Please, feel free to leave a comment below.



