Select the product you need help with

How to restore the Windows Remote Management settings when all authentication schemes are disabled on a computer that is running Windows Server 2008 R2

Article ID: 978319 - View products that this article applies to.

INTRODUCTION

This article introduces how to restore Windows Remote Management settings when all authentication methods are disabled in Windows Server 2008 R2.

In Windows Remote Management 2.0, all operations are handled as if they come from a remote computer. Therefore, the requests that use a destination of "localhost" require that the Windows Remote Management service is running and that the correct authentication methods are enabled.

Specifically, Windows Remote Management lets you configure which authentication schemes are allowed on both the client-side and on the server-side. These settings are as follows:

C:\Windows\system32>winrm get winrm/config/client/auth
Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = false

C:\Windows\system32>winrm get winrm/config/service/auth
Auth
    Basic = false
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = None [Source="GPO"]

Note The first example displays the authentication schemes that are allowed on the client-side, and the second example does the same on the server-side.

There are two possible situations where a user can effectively make Windows Remote Management inaccessible:

If the user disables all authentication schemes for the service, the service no longer accepts requests from any client. In this situation, a Windows Remote Management operation cannot pass through the locked service. Therefore, the configuration settings cannot be changed.
If the user disables all authentication schemes for the client, the client can no longer connect to any Windows Remote Management endpoint. In this situation, Windows Remote Management cannot connect to the local endpoint. Therefore, you cannot change the client-side settings.

Windows Remote Management supports an invoke restore operation that sets back the configuration to the default settings. However, this operation has to use the service. Therefore, this operation is useless in the situations that were mentioned earlier.

If one of these situations occurs, the following can be done to restore Windows Remote Management to a usable state.

The user changes the relevant Group Policy settings to enable at least one authentication mechanism. The user can then run a winrm command in order to enable all the necessary authentication mechanisms in both the client-specific and in the service-specific configuration settings. Then the user reverts the Group Policy settings back to their original state.

The relevant Group Policy settings can be found in the following location:Administrative Templates > Windows Components > Windows Remote Management (WinRM)
The following are the relevant policies:

WinRM Client > Allow Basic authentication
WinRM Client > Allow CredSSP authentication
WinRM Client > Disallow Digest authentication
WinRM Client > Disallow Kerberos authentication
WinRM Client > Disallow Negotiate authentication

WinRM Service > Allow Basic authentication
WinRM Service > Allow CredSSP authentication
WinRM Service > Disallow Kerberos authentication
WinRM Service > Disallow Negotiate authentication

The following command examples enable particular authentication schemes on either the Windows Remote Management client or on the Windows Remote Management service: winrm set winrm/config/client/Auth @{Basic="true"}
winrm set winrm/config/service/Auth @{Basic="true"}

Note These command examples enable Basic authentication.