Automic_Community_5543

Execute Remote Commands using WinRM

Discussion created by Automic_Community_5543 on Dec 18, 2017

This plugin enables the CA Automic platform to perform actions on a remote server in an agentless fashion.

 

The action pack is made of a single action based on WinRM and PowerShell which gives you the ability to execute multiple commands remotely. This action will be executed on a Windows server (the client) that has access over the network to the remote managed server(s).

 

However there are few prerequisites around the Windows security when doing WinRM actions.

 

First of all ensure WinRM has been configured and the Windows Remote Management (WS-Management) service is running on the client server as well as all remote servers.

An easy way to quickly configure WinRM is using the command "winrm quickconfig"

 

The action also supports multi-hop feature where the delegation of user credentials is required.

In this case the action uses the Credential Security Service Provider (CredSSP) for authentication and delegation.

To do so you need to enforce the Windows policies (gpedit.msc) as per below.

 

On the client server verify the following items :

  • Launch gpedit.msc
  • Go to 'Computer Configuration / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Client'
    • Enable 'Allow CredSSP authentication'
  • Go to 'Computer Configuration / Administrative Templates / System / Credentials Delegation'
    • Enable 'Allow Delegating Fresh Credentials' and add wsman/<SERVER_NAME> to the servers list (or wsman/* for all servers)
    • Only if Kerberos is deactivated between the client and the remote server - Enable 'Allow Delegating Fresh Credentials with NTLM-only Server Authentication' and add wsman/<SERVER_NAME> to the servers list (or wsman/* for all servers)

 

On the remote server(s) :

  • Launch gpedit.msc
  • Go to 'Computer Configuration / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Service'
    • Enable 'Allow CredSSP authentication'

 

Further details can be found at the following URL :

https://msdn.microsoft.com/en-us/library/ee309365(v=vs.85).aspx

 

 


See Plugin

Outcomes