Adding a PowerShell host using Kerberos fails with the error: "send message on http://<PS_Host>:5985/wsman error , document in ..."

Article ID: 340383

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Symptoms:

  • Cannot add a PowerShell Host in Aria Automation Orchestrator (formerly known as vCenter Orchestrator / vRealize Orchestrator).
  • Adding a PowerShell Host in Orchestrator fails.
  • You see the following error in the Add a PowerShell host workflow output:
    send message on http://<PowerShell_Host>:5985/wsman error, document in   [...]

Environment

VMware Aria Automation Orchestrator 8.x

Cause

This issue occurs when you configure Windows Remote Management (WinRM) to use HTTP but do not set AllowUnencrypted to True for both the Client and the Service.

It can also indicate a network or DNS issue when connecting to the host.

Resolution

First, ensure that the network requirements are in place for this PowerShell host:

  • DNS record must be correct for the hostname contacted
  • Ensure the port 5985 / 5986 is open from Orchestrator to the PowerShell host
  • Ensure the PowerShell host is powered on and responding
  • Ensure that HTTP or HTTPS traffic is permitted for this connection, as appropriate

 

Workaround:

To change the configuration of WinRM to allow unencrypted (HTTP) traffic:

 
  1. Run this command to set the default WinRM configuration values.

    c:\> winrm quickconfig

  2. You can run this optional command to check whether a listener is running and verify the default ports:

    c:\> winrm e winrm/config/listener

    Note: The default ports are 5985 for HTTP and 5986 for HTTPS.

  3. Enable basic authentication on the WinRM service:

    1. Run this command to check whether basic authentication is allowed:

      c:\> winrm get winrm/config

    2. Run this command to enable basic authentication:

      c:\> winrm set winrm/config/service/auth '@{Basic="true"}'

  4. Run this command to allow transfer of unencrypted data on the WinRM service:

    c:\> winrm set winrm/config/service '@{AllowUnencrypted="true"}'

  5. Enable basic authentication on the WinRM client:

    1. Run this command to check whether basic authentication is allowed:

      c:\> winrm get winrm/config

    2. Run the following command to enable basic authentication:

      c:\> winrm set winrm/config/client/auth '@{Basic="true"}'

  6. Run this command to allow transfer of unencrypted data on the WinRM client:

    c:\> winrm set winrm/config/client '@{AllowUnencrypted="true"}'

  7. If the WinRM host machine is in an external domain, run this command to specify the trusted hosts:

    c:\> winrm set winrm/config/client '@{TrustedHosts="host1, host2, host3"}'

  8. Run this command to test the connection to the WinRM service:

    c:\> winrm identify -r:http://winrm_server:5985 -auth:basic -u:user_name -p:password -encoding:utf-8

Note: For more information on resolving this issue using HTTPS authentication, see Configuring WinRM
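
To record what the workaround leaves enabled, the following added example (not part of the original article and not VMware code) reads the WinRM values changed in steps 3 to 7 and the listeners from step 2 without modifying anything. The function names are hypothetical; it assumes an elevated PowerShell session on the PowerShell host with the WinRM service running.

```powershell
# Added example (not from the KB): read-only audit of the WinRM settings
# touched by steps 2-7. Run in an elevated PowerShell session on the
# PowerShell host; the WinRM service must be running. Nothing is modified.

function Get-WinRMTransportAudit {
    # WSMan: provider paths mapped to the value that gets flagged.
    $paths = [ordered]@{
        'Service\AllowUnencrypted' = 'true'
        'Service\Auth\Basic'       = 'true'
        'Client\AllowUnencrypted'  = 'true'
        'Client\Auth\Basic'        = 'true'
        'Client\TrustedHosts'      = '*'
        'Service\Auth\Kerberos'    = $null    # reported, never flagged
    }
    foreach ($rel in $paths.Keys) {
        try   { $value = (Get-Item -Path "WSMan:\localhost\$rel" -ErrorAction Stop).Value }
        catch { $value = '<unreadable>' }
        [pscustomobject]@{
            Setting = $rel
            Value   = $value
            Flagged = ($null -ne $paths[$rel]) -and ($value -eq $paths[$rel])
        }
    }
}

function Get-WinRMListenerSummary {
    # Same data as "winrm e winrm/config/listener" (step 2), as objects.
    Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        Select-Object Transport, Port, Address, Enabled
}

$audit     = @(Get-WinRMTransportAudit)
$listeners = @(Get-WinRMListenerSummary)

$audit     | Format-Table -AutoSize
$listeners | Format-Table -AutoSize

# Basic auth over an unencrypted HTTP listener sends the account's
# credentials base64-encoded, not encrypted, on every request.
$flagged  = @($audit | Where-Object Flagged | ForEach-Object Setting)
$svcClear = ($flagged -contains 'Service\AllowUnencrypted') -and
            ($flagged -contains 'Service\Auth\Basic')
if ($svcClear -and ($listeners.Transport -contains 'HTTP')) {
    Write-Warning 'Service accepts Basic auth over unencrypted HTTP.'
}
```

Running it before and after the workaround gives a record of exactly which settings changed, which helps when the host is later moved to the HTTPS listener on port 5986.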

 

Additional Information