Windows Server 2016 and Windows 10: Cannot set up Windows Event Forwarding via HTTPS


Yoan S

Full disclaimer, I also posted the same question on ServerFault:

Windows Server 2016 and Windows 10: Cannot set up Windows Event Forwarding via HTTPS

Alright so I've been trying to set up Windows Event Forwarding via HTTPS for a while now and in the process, I've hit my share of errors that I managed to address one by one, but now I've been stuck on one that I can't seem to fix.

Also, I want to say that via HTTP, everything works fine. But if I try to use HTTPS instead of HTTP, the source computer cannot connect to the collector.

Guide I've been following (in addition to following instructions from other sources):

https://docs.microsoft.com/en-us/windows/desktop/wec/setting-up-a-source-initiated-subscription


Seems like I'm having the same kind of issues as this user:

https://superuser.com/questions/1403366/winrm-https-destination-computer-returned-an-access-denied-error


Setup:

  • Windows Server 2016 acting as a Windows Event Collector, via Source Initiated subscription
  • Windows 10 Enterprise, using a Windows Event Forwarding subscription that uses HTTPS
  • Both are on the same domain, let's say domain.example.com

For the sake of simplicity, let's call them WS2016 and WIN10. No objections? Good.

So on WIN10, the following GPO is set:

Computer Configuration\Administrative Templates\Windows Components\Event Forwarding\Configure target Subscription Manager

And this is the value I'm using:


SERVER=HTTPS://WS2016.example.domain.com:5...anager/WEC,Refresh=60,IssuerCA=$CA_THUMBPRINT


Technically, I don't even need to add the IssuerCA part, since both systems are on the same domain, but even without, I get the error.

Now, once the subscription is configured on the source computer (WIN10), it tries to connect to the WEC (WS2016), but fails and this error is logged in the Event Viewer, under the Eventlog-ForwardingPlugin\Operational log.


The forwarder is having a problem communicating with subscription manager at address https://WS2016.example.domain.com:5986/wsman/SubscriptionManager/WEC. Error code is 5 and Error Message is
<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="WIN10.example.domain.com"><f:Message>WinRM client cannot process the request. The destination computer (WS2016.example.domain.com:5986) returned an 'access denied'
error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify
that the client computer and the destination computer are joined to a domain. Possible authentication mechanisms
reported by server: Negotiate Kerberos </f:Message></f:WSManFault>.


And if I check in the Windows Remote Management\Operational logs, I can see these errors:

EventID 164: The destination computer (WS2016.example.domain.com) returned an 'access denied' error. Verify your credentials are correct.

EventID 142: WSMan operation Enumeration failed, error code 5


I'm basically at the end of my rope here. I tried a lot of stuff and nothing works.
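For anyone working through the same symptoms, the following PowerShell diagnostic is an added example and not part of the original post or of Microsoft's documentation. It walks the prerequisites that the quoted errors touch (an HTTPS WinRM listener on 5986, a certificate that chains and names the collector, Kerberos enabled on the collector's WinRM service, the subscription-manager policy on the forwarder, and the Eventlog-ForwardingPlugin and WinRM operational logs) and prints PASS/FAIL per check. The collector name comes from the post; the subscription name `WEC-Subscription` is a placeholder assumption, and the first half is meant to run on the collector, the second half on the forwarder.

```powershell
# Added diagnostic for a source-initiated WEF subscription over HTTPS (example code, not from the post).
# Hostnames follow the post; 'WEC-Subscription' is an assumed placeholder subscription name.
$Collector   = 'WS2016.example.domain.com'
$HttpsPort   = 5986
$Subscription = 'WEC-Subscription'   # assumption: replace with the real subscription name (wecutil es lists them)

function Test-CollectorListenerCertificate {
    # Runs on the collector. Finds the certificate bound to the HTTPS listener and
    # checks the properties the WinRM client verifies before it will even try to authenticate.
    param([string]$CollectorFqdn)

    $listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
    $https = $listeners | Where-Object { $_.Transport -eq 'HTTPS' }
    if (-not $https) {
        Write-Warning 'No HTTPS WinRM listener is configured on this host.'
        return $null
    }
    $https | Select-Object Address, Transport, Port, Hostname, CertificateThumbprint, ListeningOn | Format-List

    $thumb = ($https.CertificateThumbprint -replace '\s', '')
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "Listener certificate $thumb is not in LocalMachine\My."
        return $null
    }

    $now = Get-Date
    $checks = [ordered]@{
        'Certificate names the collector FQDN (subject or SAN)' =
            ($cert.DnsNameList.Unicode -contains $CollectorFqdn) -or ($cert.Subject -match [regex]::Escape($CollectorFqdn))
        'Server Authentication EKU present (1.3.6.1.5.5.7.3.1)' =
            ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        'Private key present on this host' = $cert.HasPrivateKey
        'Within validity period'           = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        'Chain builds to a trusted root'   = $cert.Verify()
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0} {1}' -f ($(if ($c.Value) { 'PASS' } else { 'FAIL' })), $c.Key
    }
    return $cert
}

# ---------------- Run on the collector (WS2016) ----------------
Write-Host "== Collector: services =="
Get-Service Wecsvc, WinRM | Select-Object Name, Status

Write-Host "== Collector: WinRM service authentication (Kerberos/Negotiate must be enabled for a domain forwarder) =="
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value

Write-Host "== Collector: HTTPS listener and its certificate =="
Test-CollectorListenerCertificate -CollectorFqdn $Collector | Out-Null

Write-Host "== Collector: subscription state =="
wecutil es                    # every subscription known to the collector
wecutil gs $Subscription      # placeholder name; shows the configured transport and port

# ---------------- Run on the forwarder (WIN10) ----------------
Write-Host "== Forwarder: Subscription Manager policy as written by the GPO =="
# The 'Configure target Subscription Manager' policy lands under this key; the value should start with Server=HTTPS://
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' -ErrorAction SilentlyContinue

Write-Host "== Forwarder: Kerberos ticket for the collector (WinRM uses the HTTP/<fqdn> SPN even over HTTPS) =="
klist get "HTTP/$Collector"

Write-Host "== Forwarder: authenticated WS-Man identify over HTTPS =="
# Note: this runs as the interactive user; the forwarder itself authenticates as the computer account,
# so a PASS here narrows the problem to that account rather than to the listener or certificate.
try {
    Test-WSMan -ComputerName $Collector -Port $HttpsPort -UseSSL -Authentication Kerberos -ErrorAction Stop
} catch {
    Write-Warning "Test-WSMan failed: $($_.Exception.Message)"
}

Write-Host "== Forwarder: latest ForwardingPlugin and WinRM operational events (IDs 142/164 are the ones quoted above) =="
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 142, 164 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run the collector half in an elevated prompt on WS2016 and the forwarder half in an elevated prompt on WIN10. Because the forwarder connects with the computer account rather than a user, a clean `Test-WSMan` result does not by itself prove the subscription will work; read the two operational logs after the next refresh interval to see what the service account actually got back.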

