Troubleshooting WinRM errors

Troubleshooting WinRM errors

This KB serves as a guide for troubleshooting errors when using the WinRM mode of data collection. First, ensure that all the following conditions are met:
  1. Refer to the below link and check if all the WinRM prerequisites have been completed properly 

  2. Run the following command in Admin Powershell on the target server to check the available listeners
winrm enumerate winrm/config/listener
  1. Ensure that the WinRM Protocol and port configurations are selected on the Add/Edit monitor page.
Given below are the possible errors and their solutions:

Error: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer.

Solution
  1. Verify if the entered hostname is correct.
  2. Check if the remote machine is accessible from the Applications Manager server via the WinRM ports. The default port for HTTP is 5985, and HTTPS is 5986.
  3. Inspect the remote machine to ensure that the Firewall rule is enabled for the specified ports. You can find the  listening ports by using the command 'winrm enumerate winrm/config/listener'.

Error: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests.

Solution:
  1. Verify if the WinRM service is running on the remote machine using Services.msc.
  2. Run the following command in PowerShell on the remote server to analyze and configure the WinRM service:
    winrm quickconfig

Error: Authentication failed. Kindly verify the username and password provided for the Host.

Solution:
  1. Verify if the entered UserName and Password are correct. Attempt to log into the remote server using the same credentials.

Error: WinRM firewall exception will not work since one of the network connection types on this machine is set to 'Public'. Change the network connection type to either 'Domain' or 'Private' and try again.

Solution:
  1. Verify if the WinRM listener is created on the remote machine by running the following command:
    winrm enumerate winrm/config/listener
  2. Check the firewall rule for the listener ports.

Error: The WS-Management service cannot process the request. The service cannot find the resource identified by the resource URI and selectors.

Solution:
  1. This error occurs when the WinRM listener is not listening on the specified port.
  2. Check if the WinRM listener is active on the designated port by using the command 'winrm e winrm/config/listener'. If it is not listening on the specified port, create a WinRM listener for that port.

Error: The WinRM client cannot process the request. Kerberos authentication cannot be used when the destination is an IP address.

Solution:
  1. This error occurs when an IP address is specified for Kerberos authentication.
  2. To resolve this error, provide the corresponding DNS for the given IP address as input. Additionally, ensure that the remote machine is in the same domain as the server machine to use Kerberos authentication.

Error: WinRM cannot process the request. Make sure your device is connected to your organization's network and try again.

Solution:
  1. This error typically occurs when the server and the remote machine are not in same domain. To resolve this issue, add the IP/DNS of the remote machine to the trusted host of the server, following the prerequisites for  NTLM authentication.

Error: The data source could not process the filter. The filter might be missing or invalid.

Solution:
  1. This error usually occurs due to an error in the WMI query, or the WMI class we are trying to access might not be available on the remote machine.
  2. For further troubleshooting on this error, please contact support and provide the logs.

Error: A specified logon session does not exist. It may already have been terminated.

(or)

Error: The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting.

(or)

Error: The WinRM client cannot process the request. Default credentials with Negotiate over HTTP can be used only if the target machine is part of the TrustedHosts list or the 'Allow implicit credentials for Negotiate' option is specified.

Solution:
  1. To resolve this error, add the IP/DNS of the remote machine to the trusted host of the server by following the prerequisites: 
    1. If the IP address is used for monitoring, specify the IP address in the trusted hosts.
    2. If the hostname is used for monitoring, specify the hostname in the trusted hosts.

Error: The WinRM client cannot process the request. The connection string contains an unsupported transport.

Solution:
  1. This error occurs when the connection string contains an unsupported transport. 
  2. For further troubleshooting on this error, please contact support and provide the logs. 

Other Errors:

Steps to follow:
  1. Enable 'Print all logs' by navigating to Settings -> Logging -> Current log setting.
  2. Poll the reported monitor and wait for the polling to complete. Check the 'Last Polled at' time from the Monitor Information tab.
  3. Generate the latest Support Information File (SIF) from Applications Manager.
  4. Reach out to appmanager-support@manageengine.com along with the SIF, error screenshots, and prerequisites screenshots to troubleshoot the issue further.

                  New to ADSelfService Plus?