invoke-command doesn't seem to work - Did I use winrm.cmd to configure TrustedHosts correctly?

I am not sure if I used winrm.cmd to configure TrustedHosts correctly.

I am running commands in PowerShell from host_computer (part of workgroup)

$cred = Get-Credential -credential user

A prompt appears, and I enter the password.

Then I execute a command so setup.exe will execute on remote_computer (also part of workgroup)

invoke-command -ComputerName remote_computer -credential $cred -scriptBlock {& 'C:\share\setup.exe'}

Error appears:

[remote_computer] Connecting to remote server remote_computer failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client 
computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the 
TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (remote_computer:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : ServerNotTrusted,PSSessionStateBroken

I follow steps according to http://pubs.vmware.com/orchestrator-plugins/index.jsp#com.vmware.using.powershell.plugin.doc_10/GUID-D4ACA4EF-D018-448A-866A-DECDDA5CC3C1.html

On host_computer I open command prompt (shift, right-click, select "run as administrator") and execute the following

C:\Windows\system32>winrm quickconfig

C:\Windows\system32>winrm e winrm/config/listener

C:\Windows\system32>winrm get winrm/config

C:\Windows\system32>winrm set winrm/config/service/auth @{Basic="true"}

C:\Windows\system32>winrm set winrm/config/service @{AllowUnencrypted="true"}

C:\Windows\system32>winrm set winrm/config/client @{TrustedHosts="remote_computer"}

On remote_computer I open command prompt (shift, right-click, select "run as administrator") and execute the following

C:\Windows\system32>winrm get winrm/config

C:\Windows\system32>winrm set winrm/config/client/auth @{Basic="true"}

C:\Windows\system32>winrm set winrm/config/client @{AllowUnencrypted="true"}

C:\Windows\system32>winrm set winrm/config/client @{TrustedHosts="host_computer"}

C:\Windows\system32>winrm identify -r:http://host_computer:5985 -auth:basic -u:user -p:password -encoding:utf-8

And I get the following response

IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 6.3.9600 SP: 0.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/basic, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos

Now when I go to host_computer and execute

invoke-command -ComputerName remote_computer -credential $cred -scriptBlock {& 'C:\share\setup.exe'}

I no longer get any error messages, but when I remote into remote_host, I don't see setup.exe in the Task Manager. It's been more than half an hour, and I cannot find any evidence that the file executed.

How to troubleshoot?

There are 3 best solutions below

1
BEST ANSWER

After adding TrustedHosts using winrm.cmd (see OP), the following command works:

invoke-command -ComputerName remote_Computer -credential $cred -scriptBlock {cmd /c 'C:\share\setup.exe'}

0

I know that this is an old question, but it might help people who didn't find any answer. So, WinRM is something like a SOAP-based web API, and when you want to work with this API in a non-AD environment you may face various security-related problems. The first thing you should be aware of is that you have to configure not only the server side but the client side too!

If, for example, you configure a remote machine not to use HTTPS and add the administrator's machine to the trusted hosts, you also have to execute on the administrator's machine (from which the session is initiated):

Set-Item wsman:\localhost\client\trustedhosts <target machine> 

to add the destination (target) machine to the trusted list.

You can easily see this: if the error is like the following, "The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts", it tells you about a client-side problem ("WinRM client cannot process"). Also, in a situation like this, you will not see any TCP/HTTP WinRM-related traffic between the machines, as the client doesn't start the interaction and throws the error.
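
An added example, not part of any answer on this page: a PowerShell check that reports the Basic and AllowUnencrypted settings the question switched on, flags a wildcard TrustedHosts value, and appends one TrustedHosts entry instead of overwriting the list. `remote_computer` is the question's placeholder and the function names are made up for this example.

```powershell
# Added example; function names are hypothetical. Run in an elevated session.
$target = 'remote_computer'   # placeholder name from the question

function Get-WinRMWeakSetting {
    # Report settings that permit cleartext credentials or unverified peers.
    $paths = 'WSMan:\localhost\Client\AllowUnencrypted',
             'WSMan:\localhost\Client\Auth\Basic',
             'WSMan:\localhost\Service\AllowUnencrypted',
             'WSMan:\localhost\Service\Auth\Basic'
    foreach ($p in $paths) {
        $value = (Get-Item -Path $p).Value
        if ("$value" -eq 'true') {
            [pscustomobject]@{ Path = $p; Value = $value; Issue = 'cleartext-capable' }
        }
    }
    $trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    if ("$trusted" -match '\*') {
        [pscustomobject]@{ Path = 'WSMan:\localhost\Client\TrustedHosts'
                           Value = $trusted; Issue = 'wildcard entry' }
    }
}

function Add-TrustedHost {
    param([Parameter(Mandatory)][string]$Name)
    # Append rather than overwrite: a plain Set-Item replaces the whole list.
    $current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    if (("$current" -split ',').Trim() -contains $Name) { return }
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $Name -Concatenate -Force
}

function Reset-WinRMWeakSetting {
    # Turn Basic / AllowUnencrypted back off wherever the audit found them on.
    Get-WinRMWeakSetting | Where-Object Issue -eq 'cleartext-capable' |
        ForEach-Object { Set-Item -Path $_.Path -Value $false -Force }
}

Get-WinRMWeakSetting | Format-Table -AutoSize
Add-TrustedHost -Name $target

# Negotiate (NTLM between workgroup machines) encrypts the WinRM payload over
# HTTP, so Invoke-Command does not need Basic or AllowUnencrypted.
$cred = Get-Credential
Test-WSMan -ComputerName $target -Authentication Negotiate -Credential $cred
```

`Reset-WinRMWeakSetting` is defined but not called; run it on each machine once `Test-WSMan` succeeds with Negotiate.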

2

Along with disabling the firewalls on both machineA and machineB, and executing winrm set winrm/config/client @{TrustedHosts="machineB"} on machineA, I could then call Invoke-Command -FilePath c:\scripts\test.ps1 -ComputerName machineB

This link was also helpful: http://pubs.vmware.com/orchestrator-plugins/index.jsp?topic=%2Fcom.vmware.using.powershell.plugin.doc_10%2FGUID-D4ACA4EF-D018-448A-866A-DECDDA5CC3C1.html