How to restore the Windows Remote Management settings when all authentication schemes are disabled on a computer that is running Windows Server 2008 R2
Specifically, Windows Remote Management lets you configure which authentication schemes are allowed on both the client-side and on the server-side. These settings are as follows:
C:\Windows\system32>winrm get winrm/config/client/auth
Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = false

C:\Windows\system32>winrm get winrm/config/service/auth
Auth
    Basic = false
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = None [Source="GPO"]

Note: The first example displays the authentication schemes that are allowed on the client-side, and the second example does the same on the server-side.
There are two possible situations where a user can effectively make Windows Remote Management inaccessible:
- If the user disables all authentication schemes for the service, the service no longer accepts requests from any client. In this situation, a Windows Remote Management operation cannot pass through the locked service. Therefore, the configuration settings cannot be changed.
- If the user disables all authentication schemes for the client, the client can no longer connect to any Windows Remote Management endpoint. In this situation, Windows Remote Management cannot connect to the local endpoint. Therefore, you cannot change the client-side settings.
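A pre-change check for the two lockout situations above, as an added example that is not part of the original article: it parses the text of a `winrm get winrm/config/<side>/auth` listing and reports whether every scheme is disabled and which schemes carry a Group Policy annotation. The function names and the second sample are constructed for illustration, and the parser assumes the output format shown earlier in this article.

```powershell
# Added example: function names and the "locked" sample are constructed.
function Get-WinRMAuthState {
    param([string[]]$Lines)
    $schemes = 'Basic','Digest','Kerberos','Negotiate','Certificate','CredSSP'
    $state = [ordered]@{}
    foreach ($line in $Lines) {
        # Matches lines such as '    Kerberos = false [Source="GPO"]'
        if ($line -match '^\s*(\w+)\s*=\s*(\w+)(\s+\[Source="GPO"\])?\s*$' -and
            $schemes -contains $Matches[1]) {
            $state[$Matches[1]] = [pscustomobject]@{
                Enabled = ($Matches[2] -eq 'true')
                FromGpo = $Matches.ContainsKey(3)   # annotation present on this line
            }
        }
    }
    $state
}

function Test-WinRMAuthLockout {
    param([string[]]$Lines)
    $state   = Get-WinRMAuthState -Lines $Lines
    $enabled = @($state.Keys | Where-Object { $state[$_].Enabled })
    $fromGpo = @($state.Keys | Where-Object { $state[$_].FromGpo })
    [pscustomobject]@{
        # Locked out: schemes were parsed and none of them is enabled.
        LockedOut     = ($state.Count -gt 0 -and $enabled.Count -eq 0)
        Enabled       = $enabled -join ', '
        GpoControlled = $fromGpo -join ', '
    }
}

# Service-side listing as shown in this article.
$fromArticle = @'
Auth
    Basic = false
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = None [Source="GPO"]
'@ -split '\r?\n'

# Constructed sample: every service scheme disabled, two of them by policy.
$locked = $fromArticle -replace '= true', '= false' `
                       -replace '^(\s*(Kerberos|Negotiate) = false)$', '$1 [Source="GPO"]'

Test-WinRMAuthLockout -Lines $fromArticle
Test-WinRMAuthLockout -Lines $locked
```

Run it against the settings you intend to apply before you apply them; schemes listed under GpoControlled have to be changed in Group Policy rather than with a winrm command.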
If one of these situations occurs, the following can be done to restore Windows Remote Management to a usable state.
The user changes the relevant Group Policy settings to enable at least one authentication mechanism. The user can then run a winrm command in order to enable all the necessary authentication mechanisms in both the client-specific and in the service-specific configuration settings. Then the user reverts the Group Policy settings back to their original state.
The relevant Group Policy settings can be found in the following location:
- WinRM Client > Allow Basic authentication
- WinRM Client > Allow CredSSP authentication
- WinRM Client > Disallow Digest authentication
- WinRM Client > Disallow Kerberos authentication
- WinRM Client > Disallow Negotiate authentication
- WinRM Service > Allow Basic authentication
- WinRM Service > Allow CredSSP authentication
- WinRM Service > Disallow Kerberos authentication
- WinRM Service > Disallow Negotiate authentication
The following command examples enable particular authentication schemes on either the Windows Remote Management client or on the Windows Remote Management service:
Article ID: 978319 - Last Review: 12/18/2009 02:01:37 - Revision: 1.1