Difference between revisions of "Winrm https basic auth with pywinrm"
Jump to navigation
Jump to search
(Created page with "``` # Configure WinRM to use HTTPS and enable basic authentication Enable-PSRemoting -Force -SkipNetworkProfileCheck Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true...") |
|||
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | # WINRM Simple Example Using HTTPS/TLS & Basic Auth | ||
| + | - https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.4 | ||
| + | |||
| + | Note we are creating self signed certificate called localhost & ignoring TLS cert validation for simplicity in this example. You do not want to do this in production. Since we aren't using encrypted messaging via NTLM/Kerberos we want to make sure AllowUnencrypted is set to false so TLS/HTTPS transport is required | ||
| + | |||
| + | ## Simple setup | ||
| + | |||
| + | ### Create myuser and add to Administrators group | ||
| + | - https://stackoverflow.com/questions/38105486/winrm-the-specified-credentials-were-rejected-by-the-server | ||
| + | #### Create User | ||
| + | ``` | ||
| + | $Password = Read-Host -AsSecureString | ||
| + | $params = @{ | ||
| + | Name = 'myuser' | ||
| + | Password = $Password | ||
| + | FullName = 'Test User' | ||
| + | Description = 'Description of this account.' | ||
| + | } | ||
| + | New-LocalUser @params | ||
| + | ``` | ||
| + | #### Add myuser to Administrators group | ||
| + | ``` | ||
| + | Add-LocalGroupMember -Group "Administrators" -Member "myuser" | ||
| + | ``` | ||
| + | |||
| + | ### Enable PSRemoting | ||
| + | |||
| + | #### Delete existing listeners | ||
| + | ``` | ||
| + | winrm delete winrm/config/Listener?Address=*+Transport=HTTP | ||
| + | winrm delete winrm/config/Listener?Address=*+Transport=HTTPS | ||
| + | ``` | ||
| + | |||
| + | #### Enable HTTPS 5986 Listener | ||
``` | ``` | ||
# Configure WinRM to use HTTPS and enable basic authentication | # Configure WinRM to use HTTPS and enable basic authentication | ||
| Line 16: | Line 50: | ||
``` | ``` | ||
| + | |||
| + | ### Simple script to run hostname command via winrm https 5986 | ||
| + | ``` | ||
| + | #!/usr/bin/env python3 | ||
| + | import winrm | ||
| + | |||
| + | destination = 'https://10.x.x.x:5986' | ||
| + | username = 'myuser' | ||
| + | password = 'mysecret' | ||
| + | |||
| + | session = winrm.Session(destination, | ||
| + | auth=(username, password), | ||
| + | # transport='certificate', | ||
| + | transport='ssl', | ||
| + | server_cert_validation='ignore' | ||
| + | ) | ||
| + | |||
| + | result = session.run_ps('hostname') | ||
| + | print(result.std_out.decode()) | ||
| + | ``` | ||
| + | |||
| + | # Certificate might be something like but haven't got to work | ||
| + | ``` | ||
| + | cert_pem = 'host.crt' | ||
| + | cert_key_pem = 'host.key' | ||
| + | ``` | ||
| + | ``` | ||
| + | session = winrm.Session(destination, | ||
| + | auth=(username, password), | ||
| + | transport='certificate', | ||
| + | cert_pem=cert_pem, | ||
| + | cert_key_pem=cert_key_pem, | ||
| + | ``` | ||
| + | |||
| + | # Refs | ||
Latest revision as of 17:45, 14 February 2024
WINRM Simple Example Using HTTPS/TLS & Basic Auth
Note we are creating self signed certificate called localhost & ignoring TLS cert validation for simplicity in this example. You do not want to do this in production. Since we aren't using encrypted messaging via NTLM/Kerberos we want to make sure AllowUnencrypted is set to false so TLS/HTTPS transport is required
Simple setup
Create myuser and add to Administrators group
Create User
$Password = Read-Host -AsSecureString
$params = @{
Name = 'myuser'
Password = $Password
FullName = 'Test User'
Description = 'Description of this account.'
}
New-LocalUser @params
Add myuser to Administrators group
Add-LocalGroupMember -Group "Administrators" -Member "myuser"
Enable PSRemoting
Delete existing listeners
winrm delete winrm/config/Listener?Address=*+Transport=HTTP winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
Enable HTTPS 5986 Listener
# Configure WinRM to use HTTPS and enable basic authentication Enable-PSRemoting -Force -SkipNetworkProfileCheck Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false # Create a self-signed certificate (replace with a valid certificate in production) $cert = New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation cert:\LocalMachine\My $thumbprint = $cert.Thumbprint # Configure WinRM listener to use HTTPS and the created certificate New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumbprint -Force # Restart WinRM service to apply changes Restart-Service WinRM
Simple script to run hostname command via winrm https 5986
#!/usr/bin/env python3
import winrm
destination = 'https://10.x.x.x:5986'
username = 'myuser'
password = 'mysecret'
session = winrm.Session(destination,
auth=(username, password),
# transport='certificate',
transport='ssl',
server_cert_validation='ignore'
)
result = session.run_ps('hostname')
print(result.std_out.decode())
Certificate might be something like but haven't got to work
cert_pem = 'host.crt' cert_key_pem = 'host.key'
session = winrm.Session(destination,
auth=(username, password),
transport='certificate',
cert_pem=cert_pem,
cert_key_pem=cert_key_pem,