Project Honolulu Non-Domain Joined Scenario

%3CLINGO-SUB%20id%3D%22lingo-sub-179655%22%20slang%3D%22en-US%22%3EProject%20Honolulu%20Non-Domain%20Joined%20Scenario%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-179655%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Project%20Honolulu%20Team%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ei'm%20using%20Project%20Honolulu%20in%20a%20Scenario%20with%20Non-Domain%20Joined%20Windows%20Server%202016%20Servers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHonolulu%201802%20is%20installed%20on%20a%20non-Domain%20joined%20Windows%20Server%202016%20as%20a%20Service.%26nbsp%3BLocalAccountTokenFilterPolicy%20is%20set%20to%20%220%22%20(Honolulu%20Server%20Gateway%2FManaged%20Systems).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI'm%20using%20Server%20Certificates%20provided%20from%20my%20own%20PKI%20(using%20already%20for%20Remote-Powershell)%2C%20so%20no%20Manual%20TrustedHosts%20List%20is%20needed%20to%20set.%20PowerShell-Remoting%20is%20working%20fine%20for%20my%20Servers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EActually%20it%20is%20only%20possible%20to%20Login%20to%20Honolulu%20Website%20(Chrome)%20as%20local%20Administrator%20Built-In%20Account%20(RID%20500%2C%20renamed).%20If%20i%20try%20to%20manage%20a%20W2K16%20Machine%20by%20also%20using%20the%20Built-In%20Admin%20(Managing%20as%20in%20Honolulu%2C%20because%20Password%20is%20not%20identical)%20the%20following%20error%20occurs%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E%20The%20WinRM%20client%20cannot%20process%20the%20request.%20If%20the%20authentication%20scheme%20is%20different%20from%20Kerberos%2C%20or%20if%20the%20client%20computer%20is%20not%20joined%20to%20a%20domain%2C%20then%20HTTPS%20transport%20must%20be%20used%20or%20the%20destination%20machine%20must%20be%20added%20to%20the%20TrustedHosts%20configuration%20setting.%20Use%20winrm.cmd%20to%20configure%20TrustedHosts.%20Note%20that%20computers%20in%20the%20TrustedHosts%20list%20might%20not%20be%20authenticated.%20You%20can%20get%20more%20information%20about%20that%20by%20running%20the%20following%20command%3A%20winrm%20help%20config.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPowerShell-Remoting%20from%20Honolulu%20Management%20System%20to%20mentioned%20W2K16%20Server%20is%20working%20fine.%26nbsp%3BLocalAccountTokenFilterPolicy%20should%20not%20be%20a%20Problem%20because%20I'm%20using%20actually%20the%20RID%20500%20Account.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20do%20I'm%20missing%20in%20this%20Scenario%3F%20Any%20ideas%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20and%20kind%20regards%3C%2FP%3E%0A%3CP%3EPeter%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-183965%22%20slang%3D%22en-US%22%3ERe%3A%20Project%20Honolulu%20Non-Domain%20Joined%20Scenario%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-183965%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Peter%2C%20sorry%20for%20the%20late%20response.%20I%20see%20in%20your%20post%20that%20you%20are%20using%20v1802.%20Will%20you%20please%20see%20if%20this%20problem%20still%20occurs%20on%20the%20GA%20build%20of%20Windows%20Admin%20Center%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDownload%20the%20bits%20here%3A%20%3CA%20href%3D%22http%3A%2F%2Faka.ms%2Fwacdownload%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Faka.ms%2Fwacdownload%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1477316%22%20slang%3D%22en-US%22%3ERe%3A%20Project%20Honolulu%20Non-Domain%20Joined%20Scenario%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1477316%22%20slang%3D%22en-US%22%3EI%20am%20using%20v1910.2%20and%20have%20the%20same%20problem.%20Domain%20servers%20are%20working%20fine%20with%20domain%20admins%20credential.%20I%20use%20local%20admin%20for%20non-domain%20servers%2C%20none%20of%20them%20work.%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi Project Honolulu Team,

i'm using Project Honolulu in a Scenario with Non-Domain Joined Windows Server 2016 Servers.

 

Honolulu 1802 is installed on a non-Domain joined Windows Server 2016 as a Service. LocalAccountTokenFilterPolicy is set to "0" (Honolulu Server Gateway/Managed Systems).

 

I'm using Server Certificates provided from my own PKI (using already for Remote-Powershell), so no Manual TrustedHosts List is needed to set. PowerShell-Remoting is working fine for my Servers.

 

Actually it is only possible to Login to Honolulu Website (Chrome) as local Administrator Built-In Account (RID 500, renamed). If i try to manage a W2K16 Machine by also using the Built-In Admin (Managing as in Honolulu, because Password is not identical) the following error occurs:

 

The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config.

 

PowerShell-Remoting from Honolulu Management System to mentioned W2K16 Server is working fine. LocalAccountTokenFilterPolicy should not be a Problem because I'm using actually the RID 500 Account.

 

What do I'm missing in this Scenario? Any ideas?

 

Thank you and kind regards

Peter

 

 

2 Replies
Highlighted

Hi Peter, sorry for the late response. I see in your post that you are using v1802. Will you please see if this problem still occurs on the GA build of Windows Admin Center?

 

Download the bits here: http://aka.ms/wacdownload

Highlighted
I am using v1910.2 and have the same problem. Domain servers are working fine with domain admins credential. I use local admin for non-domain servers, none of them work.