Configure WinRM for HTTPS
WinRM uses the HTTPS connection type on the Hyper-V server when
you use SSL to connect to the server. The default HTTPS port is 5986.
Follow these steps:
1. Generate a self-signed certificate for the remote host.
   a. In Server Manager, navigate to Roles, Web Server (IIS), Internet Information Services, and select the name of the server for which you want to generate the certificate.
   b. In IIS, open Server Certificates.
   c. In Actions, click Self-Signed Certificate.
   d. Define a certificate name, and then click OK.
      The certificate appears in the Server Certificates list.
   e. (Optional) Verify that the certificate exists in the correct certificate store.
      - Navigate to Start, Run, and execute the following command:
      - Navigate to Trusted Root Certification Authorities, Certificates.
        Verify that the latest certificate appears in the list.
2. Enter the following command to find the thumbprint of the certificate for the remote host:
      Get-ChildItem cert:\LocalMachine\Root\ | Select-String -Pattern <HOSTNAME>
3. Enter the following command to create an HTTPS WinRM listener for the remote host (XenDesktop server) with the thumbprint from the previous step:
      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<CN>";CertificateThumbprint="<THUMBPRINT>"}
4. Export the certificate.
   Note: CA recommends that you export certificates to removable media, such as a floppy disk or USB flash drive.
   a. Click the Windows Start button.
   b. Enter certmgr.msc in the Search field.
   c. Enter administrator credentials, if prompted.
      The Certificate Manager opens.
   d. Right-click the certificate that you want to export, choose All Tasks, then click Export.
   e. Click Next in the Certificate Export Wizard.
   f. Click No, do not export the private key and then click Next.
   g. Select the Base64 encoded X.509 format, then click Next.
      The export process creates a file to store the certificate.
   h. Specify a name and location for the certificate file.
   i. Click Finish.
5. Create a keystore file for the client-side connection (configuration). This procedure uses the Java keytool utility to generate the keystore. You can generate the keystore on any machine where a JRE is installed and available in %PATH%.
   a. Enter the following command:
         keytool -importcert -file "<CERTIFICATE>" -keystore "<KEYSTORE>.jks"
      For CERTIFICATE, enter the file name of the certificate exported in the previous step.
      For KEYSTORE, enter a name for the keystore in the format <path\name>.jks.
      For example:
         keytool -importcert -file "C:\Test1.cer" -keystore "C:\test.jks"
   b. Enter a password when prompted.
   c. Enter Yes when prompted to trust the certificate.
      The keystore is available in the path specified.
6. Copy the keystore file to the client machine from which you want to make the connection.
7. In the App configuration GUI, edit or create the profile that represents the server:
   a. Click the Use SSL check box and set the Port as 5986.
   b. Enter the appropriate information in the Keystore Location and Keystore Password fields.
   c. Click OK.
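
The following check is an added example, not part of the original procedure or of the product: it confirms that the file exported in step 4 is the certificate bound to the HTTPS listener from step 3, and prints its fingerprints in the colon-separated form keytool uses. It assumes the sample path C:\Test1.cer from step 5 and looks for the listener certificate in the machine Personal and Trusted Root stores.

```powershell
# Added example: run in an elevated PowerShell session on the remote host.
# $CerPath reuses the sample path from step 5; point it at your exported file.
$CerPath = 'C:\Test1.cer'

function Format-Fingerprint([byte[]]$Hash) {
    # keytool prints fingerprints as colon-separated upper-case hex.
    ($Hash | ForEach-Object { $_.ToString('X2') }) -join ':'
}

# Load the file exported in step 4 (Base64 and DER X.509 are both accepted).
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# Read the thumbprint bound to the HTTPS listener created in step 3.
$listener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
if (-not $listener) { throw 'No HTTPS WinRM listener is configured.' }
$bound = (Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
    Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value
# Drop spaces and invisible characters that a copy from a dialog can add.
$bound = ($bound -replace '[^0-9A-Fa-f]', '').ToUpper()

# Assumption: the listener certificate is in the machine Personal or Root store.
$inStore = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $bound } | Select-Object -First 1

$now = Get-Date
$checks = [ordered]@{
    'Exported file matches the listener certificate' = ($exported.Thumbprint -eq $bound)
    'Exported file carries no private key'           = (-not $exported.HasPrivateKey)
    'Certificate is inside its validity period'      = ($now -ge $exported.NotBefore -and $now -le $exported.NotAfter)
    'Listener certificate found in a machine store'  = [bool]$inStore
}
$checks.GetEnumerator() | ForEach-Object { '{0,-48} {1}' -f $_.Key, $_.Value }

# Fingerprints to compare with the ones keytool prints before the trust prompt.
$sha1   = [System.Security.Cryptography.SHA1]::Create()
$sha256 = [System.Security.Cryptography.SHA256]::Create()
'SHA1:   ' + (Format-Fingerprint -Hash ($sha1.ComputeHash($exported.RawData)))
'SHA256: ' + (Format-Fingerprint -Hash ($sha256.ComputeHash($exported.RawData)))

$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) { throw 'Resolve the failed checks before importing the file into the keystore.' }
```

At step 5c, keytool displays the certificate fingerprints before the trust prompt; enter Yes only when they equal the values printed by this check.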