Forum Discussion
WinRM https and Clusters
Hello,
How do people add clusters to Windows Admin Center with WinRM HTTPS enabled? It seems that if I use the FQDN of the cluster on the certificate it works, but then I cannot connect to the servers themselves.
Hi,
I don't use the Windows Admin Center, so I'm coming from a position of ignorance here, but I'm comfortable with WinRM and certificates.
If you're getting an error message or number, drop it in here so we know what we're dealing with.
But for the sake of offering some initial guesses:
- Perhaps WinRM has been configured to listen on the explicit cluster resource IPv4/IPv6 address rather than the default of all addresses;
- You could be running into certificate subject (i.e. subject name or subject alternative name) issues, since WinRM by default expects name compliance.
You can check if the first point is an issue by running the following via PowerShell on each host (I've assumed the default WinRM TLS port is being used):
Get-NetTCPConnection -LocalPort 5986
For the second, there are multiple ways you can check the certificate, so I'll leave it up to you to choose one, but you'd want to see either:
- The cluster host's DNS name plus the DNS names for each of the members in the SAN, or
- A wildcard specification in the subject or SAN.
On point 2, if you have more than one eligible certificate, you may need to double-check which one ended up being bound, which you can do using the following command to pull the thumbprint (assumes you're either on the host or checking remotely via Invoke-Command):
(Get-ChildItem -Path WSMan:\localhost\Service\CertificateThumbprint).Value
Anyhow, if you have any specific errors you can drop in here, that'd help a lot in getting us to focus on the right area(s).
Cheers,
Lain
- LainRobertson (Silver Contributor)
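As an added example (not part of the thread and not Microsoft's own tooling), this PowerShell script combines Lain's two checks on one node: it reads the WinRM HTTPS listener binding, then verifies that the bound certificate's SAN covers the cluster FQDN and every node FQDN, treating a wildcard as matching a single label only. The cluster and node names are placeholders you replace with your own.

```powershell
# Placeholder names (assumed, replace with your environment's values)
$ClusterFqdn = 'cluster01.corp.example'
$NodeFqdns   = 'node01.corp.example', 'node02.corp.example'

function Test-SanCoverage {
    # Returns $true if any SAN DNS entry covers $Fqdn; a wildcard such as
    # *.corp.example matches exactly one left-most label, as TLS clients expect.
    param([string[]]$SanNames, [string]$Fqdn)
    foreach ($san in $SanNames) {
        if ($san -ieq $Fqdn) { return $true }
        if ($san.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($san.Substring(1)) + '$'
            if ($Fqdn -imatch $pattern) { return $true }
        }
    }
    return $false
}

# 1. Listener binding: '*' means all addresses; a single IP means only that address answers.
$listener = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } | Select-Object -First 1
if (-not $listener) { Write-Warning 'No WinRM HTTPS listener is configured.'; return }
"HTTPS listener address: $($listener.Address)  port: $($listener.Port)  thumbprint: $($listener.CertificateThumbprint)"
if ($listener.Address -ne '*') {
    Write-Warning "Listener is bound to '$($listener.Address)' only; other addresses of this host will not answer."
}
# Confirm the port is actually in LISTEN state
Get-NetTCPConnection -LocalPort $listener.Port -State Listen | Select-Object LocalAddress, LocalPort

# 2. SAN coverage of the certificate that is really bound to the listener.
$boundThumb = ($listener.CertificateThumbprint -replace '\s', '')
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { ($_.Thumbprint -replace '\s', '') -eq $boundThumb } | Select-Object -First 1
if (-not $cert) { Write-Warning "Bound thumbprint $boundThumb not found in LocalMachine\My."; return }
$sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
"Certificate SAN DNS names: $($sanNames -join ', ')"
foreach ($name in @($ClusterFqdn) + $NodeFqdns) {
    $ok = Test-SanCoverage -SanNames $sanNames -Fqdn $name
    '{0,-35} {1}' -f $name, $(if ($ok) { 'covered' } else { 'MISSING from SAN' })
}
```

Run it on each cluster node (locally or via Invoke-Command); a node reporting a MISSING line is the one whose name must be added to the SAN before Windows Admin Center can reach it over HTTPS.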
- CUrti300 (Copper Contributor): Ah, I bet it's the certificate; I just need to add to the SAN. I deal with certificates all the time, I can't believe I forgot about that, ha. Thank you for the reminder.