topic Re: WinRM-HTTP Connection Refused in General Topics

WinRM-HTTP Connection Refused

echahine — Tue, 02 Nov 2021 09:14:32 GMT

Hello,

I'm using agentless user-id with a Windows Server 2012 AD through WMI, we recently updated the server, and it started throwing Authentication Error 10036 flooding our Windows logs. We've searched and troubleshooted the problem for a long time and nothing worked, the only workaround that we think might work is to change the authentication protocol from WMI to WinRM-HTTP. (We cannot roll back the update for vulnerability requirements)

We used this guide https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-server-monitoring-using-winrm.html to set up the configuration, and once we committed we're getting "Connection Refused(0)". The user-id logs are not specifying the error, just a "connection failed, error=0"

Likewise, we also troubleshooted everything, from the configs to the service account having the correct permissions as per Palo Alto's recommendation, and still.

Any ideas?

Re: WinRM-HTTP Connection Refused

Mick_Ball — Tue, 02 Nov 2021 18:39:37 GMT

I also changed from wmi to winrm and seems ok... have you tested your kerberos profile?

Re: WinRM-HTTP Connection Refused

echahine — Wed, 03 Nov 2021 09:00:40 GMT

Yes, and it was successful.

Re: WinRM-HTTP Connection Refused

M.Geinoz — Wed, 12 Jan 2022 10:46:19 GMT

Hello,

happy new year !

We have exactly the same issue...

Everything is configured by following Palo's instructions, but always "Connection refused (0)"

Any ideas?

@echahine have you solved on your side ?

Thank's

Re: WinRM-HTTP Connection Refused

echahine — Wed, 12 Jan 2022 11:30:51 GMT

Hello,

We weren't able to solve the issue using WinRM HTTP, we did however migrate from PAN-OS Integrated User-ID agent to Windows User-ID Agent which solved the Authentication Error 10036 isuue.

Re: WinRM-HTTP Connection Refused

M.Geinoz — Wed, 12 Jan 2022 15:39:27 GMT

Hi,
Thank you very much for the information, now it works with Windows User-ID Agent !
Why do Palo make PAN-OS Integrated User-ID agent available if it doesn't work ...
Have a nice day

Re: WinRM-HTTP Connection Refused

echahine — Wed, 12 Jan 2022 16:03:12 GMT

It's actually a Windows hardening issue. But you're right Palo Alto should be compatible with these hardenings already since it's an old recurring issue.

Glad to help!

Re: WinRM-HTTP Connection Refused

EnricRipoll — Mon, 22 Aug 2022 10:53:35 GMT

Hello,

You'll need a policy rule from the management IP to the domain servers, remember that it does not use the default port, so you must define "any" in "service/url category".

bye,

Re: WinRM-HTTP Connection Refused

stambe — Mon, 21 Aug 2023 20:28:47 GMT

Several of you have already gone through the winRM fixes under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client & HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Server fixes, the below settings in windows worked for me ( Panos 10.1.0 with win2k12 R2)

https://serverfault.com/questions/841689/changing-winrm-settings-from-script

Edit Group Policy.
Administrative Templates -> Windows Component -> Winodws Remote Management(WinRM) -> WinRM Client -> make all as not configured enter image description here
Administrative Templates -> Windows Component -> Winodws Remote Management(WinRM) -> WinRM Service-> make Allow Basic authentication as not configured enter image description here

-Open powershell and run # gpupdate /force

Attaching my environment settings screenshots.

This will work the magic!