WAC opens but will not connect to any servers

%3CLINGO-SUB%20id%3D%22lingo-sub-1070942%22%20slang%3D%22en-US%22%3EWAC%20opens%20but%20will%20not%20connect%20to%20any%20servers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070942%22%20slang%3D%22en-US%22%3E%3CP%3EI%20installed%20WAC%20into%20a%20Win2k19%20server%2C%20with%20all%20the%20defaults%20except%26nbsp%3BWinRM%20was%20set%20up%20as%20https%2C%20not%20the%20default.%20I%20can%20add%20servers%2C%20but%20not%20connect%20to%20any%20of%20them.%20All%20the%20servers%20I%20put%20in%20have%20PS%205.x%20and%20WinRM%20enabled.%3C%2FP%3E%3CP%3EI%20get%20the%20following%20not-so-helpful%20messages%3A%3C%2FP%3E%3CP%3ETo%20perform%20a%20single%20sign-in%20using%20your%20Windows%20account%2C%20you%20might%20need%20to%20set%20up%20Kerberos%20constrained%20delegation.%20--%20the%20above%20command%20is%20supposed%20to%20do%20this%2C%20admin%20center%20is%20logged%20in%20as%20essexarc%5Cadministrator%3CBR%20%2F%3EError%3CBR%20%2F%3EThe%20client%20cannot%20connect%20to%20the%20destination%20specified%20in%20the%20request.%20Verify%20that%20the%20service%20on%20the%20destination%20is%20running%20and%20is%20accepting%20requests.%20Consult%20the%20logs%20and%20documentation%20for%20the%20WS-Management%20service%20running%20on%20the%20destination%2C%20most%20commonly%20IIS%20or%20WinRM.%20If%20the%20destination%20is%20the%20WinRM%20service%2C%20run%20the%20following%20command%20on%20the%20destination%20to%20analyze%20and%20configure%20the%20WinRM%20service%3A%20%22winrm%20quickconfig%22.%3C%2FP%3E%3CP%3EI%20tried%20this%3A%3C%2FP%3E%3CP%3ESet-ADComputer%20-Identity%20(Get-ADComputer%20dc1)%20-PrincipalsAllowedToDelegateToAccount%20(Get-ADComputer%20ac1)%20where%20ac1%20is%20the%20WAC%20server%2C%20dc1%20is%20a%20server%20I%20want%20to%20manage.%3C%2FP%3E%3CP%3EHaven't%20found%20anything%20on%20the%20interwebs.%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fcry_40x40.gif%22%20alt%3D%22%3Acry%3A%22%20title%3D%22%3Acry%3A%22%20%2F%3E%3C%2FP%3E%3CP%3EThank%20you%2C%20Tom%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521076%22%20slang%3D%22en-US%22%3ERe%3A%20WAC%20opens%20but%20will%20not%20connect%20to%20any%20servers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521076%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F491947%22%20target%3D%22_blank%22%3E%40tlyczko2%3C%2FA%3EI'm%20facing%20the%20same.%3C%2FP%3E%3CP%3EHave%20several%20Servers%20from%202012%20R2%20to%202019%20I%20can%20handle%20with%20RSAT%20and%20Powershell%20but%20WAC%20fails%20with%20the%20very%20same%20things%20you%20describe.%20Did%20not%20found%20anything%20yet.%20%3A(%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fwindows-admin-center%2Fthe-client-cannot-connect-to-the-destination-specified-in-the%2Fm-p%2F1521063%23M1044%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fwindows-admin-center%2Fthe-client-cannot-connect-to-the-destination-specified-in-the%2Fm-p%2F1521063%23M1044%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1828894%22%20slang%3D%22en-US%22%3ERe%3A%20WAC%20opens%20but%20will%20not%20connect%20to%20any%20servers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1828894%22%20slang%3D%22en-US%22%3E%3CP%3EI%20discovered%20the%20problem.%20It%20is%20a%20design%20flaw%20in%20Windows%20Admin%20Center.%20Here%20is%20a%20User%20Voice%20ticket%20that%20describes%20the%20problem%20and%20work-around.%3C%2FP%3E%3CP%3ESimply%20put%2C%20I'm%20giving%20FQDN%20server%20identifiers%20to%20WAC%20on%20my%20domain-joined%20laptop.%20It%20confirms%20that%20the%20server%20exists%20and%20that%20I've%20provided%20the%20correct%20credentials.%20Then%20it%20stores%20the%20server%20connection%20using%20the%20hostname%20of%20the%20server%20instead%20of%20the%20FQDN.%20Unfortunately%2C%20the%20cloud-based%20servers%20I'm%20targeting%20are%20not%20on%20my%20own%20domain%20-%20or%20any%20domain%20at%20all.%20So%20the%20hostname%20does%20not%20resolve.%3C%2FP%3E%3CP%3EThe%20solution%20is%20for%20me%20to%20put%20the%20hostname%20into%20my%20HOSTS%20file%20with%20explicit%20IP%20addresses.%20Very%20obnoxious%2C%20since%20the%20cloud-servers%20have%20dynamic%20IP's!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1829672%22%20slang%3D%22en-US%22%3ERe%3A%20WAC%20opens%20but%20will%20not%20connect%20to%20any%20servers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1829672%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F491947%22%20target%3D%22_blank%22%3E%40tlyczko2%3C%2FA%3E%26nbsp%3BThe%20PS%20line%20you%20mentioned%20is%20to%20enable%20constrained%20delegation%20or%20single%20sign%20on.%20My%20suggestion%20is%20to%20install%20WAC%20on%20your%20laptop%20and%20try%20to%20connect%20to%20a%20server%2C%20if%20you%20can't%20install%20locally%20spin%20lup%20a%20Win10%20VM%20and%20install%20it%20there.%20This%20will%20take%20credentials%20out%20of%20the%20issue%20so%20you%20can%20see%20what%20the%20connection%20issue%20actually%20is.%20If%20you%20can%20do%20enter-pssession%20to%20a%20target%20server%20then%20WAC%20should%20work%20as%20well.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I installed WAC into a Win2k19 server, with all the defaults except WinRM was set up as https, not the default. I can add servers, but not connect to any of them. All the servers I put in have PS 5.x and WinRM enabled.

I get the following not-so-helpful messages:

To perform a single sign-in using your Windows account, you might need to set up Kerberos constrained delegation. -- the above command is supposed to do this, admin center is logged in as essexarc\administrator
Error
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

I tried this:

Set-ADComputer -Identity (Get-ADComputer dc1) -PrincipalsAllowedToDelegateToAccount (Get-ADComputer ac1) where ac1 is the WAC server, dc1 is a server I want to manage.

Haven't found anything on the interwebs. :cry:

Thank you, Tom

 

3 Replies

@tlyczko2I'm facing the same.

Have several Servers from 2012 R2 to 2019 I can handle with RSAT and Powershell but WAC fails with the very same things you describe. Did not found anything yet. :(

 

https://techcommunity.microsoft.com/t5/windows-admin-center/the-client-cannot-connect-to-the-destina...

 

 

I discovered the problem. It is a design flaw in Windows Admin Center. Here is a User Voice ticket that describes the problem and work-around.

Simply put, I'm giving FQDN server identifiers to WAC on my domain-joined laptop. It confirms that the server exists and that I've provided the correct credentials. Then it stores the server connection using the hostname of the server instead of the FQDN. Unfortunately, the cloud-based servers I'm targeting are not on my own domain - or any domain at all. So the hostname does not resolve.

The solution is for me to put the hostname into my HOSTS file with explicit IP addresses. Very obnoxious, since the cloud-servers have dynamic IP's!

@tlyczko2 The PS line you mentioned is to enable constrained delegation or single sign on. My suggestion is to install WAC on your laptop and try to connect to a server, if you can't install locally spin lup a Win10 VM and install it there. This will take credentials out of the issue so you can see what the connection issue actually is. If you can do enter-pssession to a target server then WAC should work as well.