PowerShell remoting and certificates

Trying to use PowerShell remoting to connect to a server, I see:


[servername] Connecting to remote server failed with the following error message : The WinRM client received an HTTP server error status (500), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

Mysterious. Checking the event logs on the remote machine reveals:


A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

So WinRM is trying to read a certificate's private key and failing. The private key for the certificate in question is stored under:


C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

(Found by searching for the above error message).

It looks like the certificates have rolled over, so the old certificate that winrm still holds a reference to is no longer valid. I'm not actually making use of certificate-based authentication, so the easiest solution is to remove the CertificateThumbprint parameter from the winrm configuration:


winrm set winrm/config/service @{CertificateThumbprint=""}

Make sure you don't try running that from a PowerShell prompt though, as it'll complain about an invalid command line even when there isn't one (the @{} syntax is interpreted by PowerShell before winrm ever sees it)…

And the working winrm configuration:


C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 800
    MaxTimeoutms = 600000
    MaxBatchItems = 20
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = true
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL =
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 200
        EnumerationTimeoutms = 600000
        MaxConnections = 15
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = true
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 180000
        MaxConcurrentUsers = 5
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 15
        MaxMemoryPerShellMB = 150
        MaxShellsPerUser = 5

I think this means that the HTTPS transport for WinRM/remoting is disabled, but that's not important in my environment. A better fix would be to switch it to the most recent machine certificate, or better still to use a certificate created for this exact purpose (and then update it when it expires…)
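The "better fix" above, and the stale-thumbprint check that would have shortcut the event-log hunt, as an added PowerShell example that is not part of the original post. It reads every thumbprint WinRM references (the service-level CertificateThumbprint cleared above plus any HTTPS listener), verifies each against the LocalMachine\My store, and, only when run with the script's own -Fix switch (an assumption of this example, not a WinRM option), points WinRM at the newest unexpired server-authentication certificate that has a private key and names this host. It assumes an elevated prompt on the affected server.

```powershell
# Added example (not from the original post): audit, and optionally repair, the
# certificate that WinRM's service config and HTTPS listener point at.
# -Fix is this script's own switch, not a WinRM parameter.
[CmdletBinding()]
param(
    [switch]$Fix
)

# If you only want the post's fix from a PowerShell prompt, the stop-parsing
# token hands the rest of the line to winrm.cmd untouched, so @{} survives:
#   winrm --% set winrm/config/service @{CertificateThumbprint=""}

function Normalize-Thumbprint {
    # winrm may store thumbprints with embedded spaces; the cert store does not.
    param([string]$Thumbprint)
    if ([string]::IsNullOrWhiteSpace($Thumbprint)) { return '' }
    return ($Thumbprint -replace '\s', '').ToUpperInvariant()
}

# 1. Collect every thumbprint WinRM currently references.
$references = @()
$svc = Get-Item WSMan:\localhost\Service\CertificateThumbprint
$references += [pscustomobject]@{ Source = 'Service'; Thumbprint = Normalize-Thumbprint $svc.Value }

Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } |
    ForEach-Object {
        $references += [pscustomobject]@{
            Source     = "HTTPS listener on $($_.Address)"
            Thumbprint = Normalize-Thumbprint $_.CertificateThumbprint
        }
    }

# 2. Check each reference against the machine store. A missing cert, a cert
#    without its private key, or an expired cert all produce the 0x8009030d
#    event seen in the post.
$store = Get-ChildItem Cert:\LocalMachine\My
foreach ($ref in $references) {
    if (-not $ref.Thumbprint) {
        Write-Output "$($ref.Source): no certificate configured"
        continue
    }
    $cert = $store | Where-Object Thumbprint -eq $ref.Thumbprint
    if (-not $cert) {
        Write-Warning "$($ref.Source): thumbprint $($ref.Thumbprint) not in LocalMachine\My (stale reference)"
    } elseif (-not $cert.HasPrivateKey) {
        Write-Warning "$($ref.Source): certificate present but its private key is missing"
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($ref.Source): certificate expired on $($cert.NotAfter)"
    } else {
        Write-Output "$($ref.Source): OK, valid until $($cert.NotAfter)"
    }
}

# 3. Optionally repoint WinRM at the newest usable server certificate.
if ($Fix) {
    $hostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $candidate = $store |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and  # Server Authentication
            ($_.DnsNameList.Unicode -contains $hostName)                           # issued for this host
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $candidate) {
        Write-Warning 'No unexpired server-authentication certificate with a private key names this host; nothing changed.'
    } else {
        Write-Output "Pointing WinRM at $($candidate.Thumbprint) ($($candidate.Subject), expires $($candidate.NotAfter))"
        Set-Item WSMan:\localhost\Service\CertificateThumbprint -Value $candidate.Thumbprint
        Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
            Where-Object { $_.Transport -eq 'HTTPS' } |
            ForEach-Object {
                Set-WSManInstance -ResourceURI winrm/config/listener `
                    -SelectorSet @{ Address = $_.Address; Transport = 'HTTPS' } `
                    -ValueSet @{ CertificateThumbprint = $candidate.Thumbprint }
            }
        Restart-Service WinRM
    }
}
```

Run it without -Fix first; the warnings tell you which reference is stale before anything is changed. The host-name filter is deliberate: a certificate that is valid but issued for a different name would let WinRM start the HTTPS listener and then fail every client's certificate validation, which is harder to diagnose than the event-log error above.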