Ajmal Moideen

Reputation: 230

PowerShell Access is denied. PSRemotingTransportException + FullyQualifiedErrorId : PSSessionStateBroken

I was trying to establish a remote connection to another system and execute some basic commands.

Below are the steps that I have done:

1. Invoke-Command -ComputerName COMPUTERNAME -ScriptBlock { Get-ChildItem C:\ } -credential USERNAME

2. Invoke-Command -ComputerName COMPUTERNAME -ScriptBlock { Get-ChildItem C:\ } -credential $Credentials

3. Invoke-Command -ComputerName COMPUTERNAME -ScriptBlock { Get-ChildItem C:\ }

In all cases, we were getting an access denied error:

Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo   : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken

Upvotes: 9

Views: 51440

Answers (2)

nu_nad

Reputation: 9

WinRM relies on WS-Man, which can bind to port 80 since it is a SOAP-based protocol. If this happens, WinRM can be reset to default settings:

  1. winrm d winrm/config/listener?address=*+transport=http

  2. netsh http del iplisten ipaddress=127.0.0.1

  3. rm -v wsman:\localhost\listener\listener*\ -fo -r

  4. winrm invoke restore winrm/config

  5. set-pssessionconfiguration Microsoft.powershell -SecurityDescriptorSddl "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;IU)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

  6. restart-service winrm

  7. winrm qc -q

It is not enough to just delete & re-add the listener. NT Authority\Network Service & Remote Management Users permissions must be configured properly to bind the listening port to the default route 0.0.0.0 instead of the loopback 127.0.0.1. After resetting WinRM, the proper settings can be verified a few ways.

Netstat can verify the WinRM port was set up properly:

PS C:\> netstat -ano|sls 5985
        TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
        TCP    [::]:5985              [::]:0                 LISTENING       4

WS-Man provider can verify the WinRM port was set up properly:

PS C:\> ls wsman:\localhost\listener\listener_GUID\
Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   Address                                        *
System.String   Transport                                      HTTP
System.String   Port                                           5985

Netsh should also be blank:

PS C:\> netsh http show iplisten
IP addresses present in the IP listen list:
-------------------------------------------

Hope this saves someone the 12+ hours it took me to figure it all out!

Upvotes: 0

Moerwald

Reputation: 11304

From MSDN:

  1. Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator.

  2. The WinRM service is configured for manual startup by default. You must change the startup type to Automatic and start the service on each computer you want to work with. At the PowerShell prompt, you can verify that the WinRM service is running using the following command:

     get-service winrm

     The value of the Status property in the output should be “Running”.

  3. To configure Windows PowerShell for remoting, type the following command:

     Enable-PSRemoting -force

In many cases, you will be able to work with remote computers in other domains. However, if the remote computer is not in a trusted domain, the remote computer might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, type:

winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'

Here, RemoteComputer should be the name of the remote computer, such as:

winrm s winrm/config/client '@{TrustedHosts="CorpServer56"}'

You should check if WinRM is running. Also add your remote hosts to the trusted hosts list (or your local machine).

Hope that helps.

Upvotes: 8
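
The verification steps from both answers (service state, listener definition, socket binding, the HTTP.sys listen list, and TrustedHosts) can be collected into one read-only check. This is an added example, not code from either answer; the function name `Test-WinRMConfig` is hypothetical, and port 5985 is taken from the netstat output above.

```powershell
# Added example; Test-WinRMConfig is a hypothetical name, not a built-in cmdlet.
# Read-only: it changes nothing. Run it in an elevated PowerShell session.
function Test-WinRMConfig {
    [CmdletBinding()]
    param([int]$Port = 5985)

    $findings = @()

    # Listener queries and the WSMan: drive need the service, so check it first.
    $svc = Get-Service -Name WinRM
    if ($svc.Status -ne 'Running') {
        return @("WinRM service is $($svc.Status); start it before checking listeners")
    }

    # Listener definition (same data as 'ls wsman:\localhost\listener\...').
    $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)
    if (-not ($listeners | Where-Object { $_.Transport -eq 'HTTP' -and [int]$_.Port -eq $Port })) {
        $findings += "No HTTP listener is defined for port $Port"
    }

    # Actual socket binding (same data as 'netstat -ano | sls 5985').
    $bound = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalAddress)
    if ($bound.Count -eq 0) {
        $findings += "Nothing is listening on TCP $Port"
    } elseif (-not ($bound | Where-Object { $_ -notin '127.0.0.1', '::1' })) {
        $findings += "Port $Port is bound to loopback only: $($bound -join ', ')"
    }

    # HTTP.sys IP listen list; any entry restricts where the listener can bind.
    $ipListen = @(netsh http show iplisten |
        Where-Object { $_ -match '^\s+[0-9A-Fa-f:.]+\s*$' } |
        ForEach-Object { $_.Trim() })
    if ($ipListen.Count -gt 0) {
        $findings += "HTTP.sys IP listen list is not empty: $($ipListen -join ', ')"
    }

    # Client side: hosts matched by TrustedHosts are not authenticated by WinRM.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -eq '*') {
        $findings += "TrustedHosts is '*': every host is trusted without being authenticated"
    }

    $findings   # empty output means every check passed
}

Test-WinRMConfig
```

Run it on the target to check the listener and binding, and on the connecting machine to review TrustedHosts; a named entry such as the CorpServer56 example keeps the unauthenticated scope to one host.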
