Troubleshooting Enable-PSRemoting Error 0x21c7/8647 / WSManQuickConfig SPN issue


Issue 1:
Error when trying to invoke a remote command through PowerShell. When attempting to run the command on a remote server, it returns the below:

” [Server] Connecting to remote server failed with the following error message : The WSMan client cannot process the request. Proxy is not supported under HTTP transport.  Change the transport to HTTPS and specify valid
 proxy information and try again. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException

    + FullyQualifiedErrorId : PSSessionStateBroken]”

Issue 2:
Checking if remote management was enabled on the server returns the below.

“Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or us
e HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+             Set-WSManQuickConfig <<<<  -force
    + CategoryInfo          : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand”


Problem due to the server having winhttp proxy set. You can confirm this by running “netsh winhttp show proxy”. To resolve the issue, delete the record from the registry HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsConnections.

When running the SetSPN -A HTTP/<HostName> returned “Failed to assign SPN on account <OU Path> Error  0x21c7/8647″. This was due to a duplicate record holding the HTTP SPN record for the host. Delete the SPN record through SetSPN -D to resolve.

Leave a Reply

Your email address will not be published. Required fields are marked *