bjdboyer

An error occurred when attempting to connect to the VM manager (Hyper-V)

2013-02-01T00:48:54Z
OK. Went through and configured WinRM on the system and created a local user that belongs to the Administrators group. Here is the WinRM configuration:

C:\Users\Administrator>winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.10.10.31, 127.0.0.1, 169.254.1.70, 169.254.21.172, 172.29.21.31, 192.168.50.21, 192.168.50.31, ::1, fe80::100:7f:fffe%17, fe80::5efe:10.10.10.31%16, fe80::5efe:169.254.1.70%31, fe80::5efe:169.254.21.172%24, fe80::5efe:172.29.21.31%18, fe80::5efe:192.168.50.31%11, fe80::759e:3554:1ec9:e815%12, fe80::7d1c:5a5b:3fbe:9abe%27, fe80::c091:9c5d:e683:15ac%29, fe80::d123:8cf2:734e:dce8%25, fe80::d90d:2599:f622:52c0%28

C:\Users\Administrator>winrm get winrm/config/service
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-2838238183-85780008-2213886030-1001)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 200
    EnumerationTimeoutms = 600000
    MaxConnections = 15
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint

But when I try to register the VM http://tbhyper01:5985/wsman I just get a 'generic'
CODVM0005E
An error occurred when attempting to connect to the VM manager at the following address: http://tbhyper01:5985/wsman

I looked through the Windows event logs and didn't see anything. Is there some other log file to tell me what the error might be?

Bill
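
A check for the service settings posted above, added here as an example (not part of the original post): it parses the text output of `winrm get winrm/config/service` and reports the settings that leave traffic or credentials without encryption. The function name and the wording of the findings are assumptions; the sample is constructed from the posted output.

```powershell
# Added example: audit the text printed by `winrm get winrm/config/service`.
function Get-WinRMServiceFinding {
    param([string[]]$ConfigLines)

    # Collect "Name = Value" pairs. Section headers (Service, Auth, DefaultPorts)
    # and empty entries (CertificateThumbprint) carry no "=" and are skipped.
    $settings = @{}
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*(\w+)\s*=\s*(\S.*?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }

    $findings = @()
    if ($settings['AllowUnencrypted'] -eq 'true') {
        $findings += 'AllowUnencrypted = true: the service accepts requests sent without message encryption.'
    }
    if ($settings['Basic'] -eq 'true') {
        $findings += 'Basic = true: user name and password are only base64-encoded; the transport must protect them.'
    }
    if ($settings['Basic'] -eq 'true' -and $settings['AllowUnencrypted'] -eq 'true') {
        $findings += 'Basic with AllowUnencrypted: credentials can cross an HTTP listener in recoverable form.'
    }
    return $findings
}

# Constructed sample: the service settings from the post, shortened.
$sample = @'
Service
    MaxConnections = 15
    AllowUnencrypted = true
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
'@ -split "`r?`n"

Get-WinRMServiceFinding -ConfigLines $sample

# On a live host, feed it the real output instead:
# Get-WinRMServiceFinding -ConfigLines (winrm get winrm/config/service)
```
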
  • bjdboyer

    Re: An error occurred when attempting to connect to the VM manager (Hyper-V)

    2013-02-01T01:36:22Z
    Does Windows 2008R2 UAC come into play? When I run winrm id as the local Administrator, it works, but if I log on as the user I created for ILMT I get:

    C:\Windows\system32>winrm id
    WSManFault
        Message = Access is denied.

    Error number: -2147024891 0x80070005
    Access is denied.

    I have another Windows 2008R2 Hyper-V defined to ILMT and the secpol.msc User Access Control: Run all Administrators in admin approval mode is set to Disabled. This system responds correctly. On the system that fails, this policy is set to Enabled.
  • bjdboyer

    Re: An error occurred when attempting to connect to the VM manager (Hyper-V)

    2013-02-01T01:50:44Z
    If I log on as a domain admin and start the command line with Run as admin, then winrm id works fine. If I just start the command line without admin priv., I get the access denied.

    I don't think this customer is going to let me turn off the UAC for the Hyper-V servers... or any of their other systems. Is there a way around this?
  • bjdboyer

    Re: An error occurred when attempting to connect to the VM manager (Hyper-V)

    2013-02-01T01:58:34Z
    Found this having to do with UAC:

    Starting with Windows Vista, User Account Control (UAC) affects access to the WinRM service. When Negotiate authentication is used in a workgroup, only the built-in Administrator account can access the service. To allow all accounts in the Administrators group to access the service, set the following registry key to 1: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.

    Do I need to use regedit to add a key to the registry or change it?
  • bjdboyer

    Re: An error occurred when attempting to connect to the VM manager (Hyper-V)

    2013-02-01T02:06:55Z
    And lastly this from a TPC manual about storage resource agents:

    Deployments on Windows 2008 - User Account Control (UAC) remote restrictions

    If you are planning to install Storage Resource agents remotely on a Windows 2008 system, you must disable the User Account Control (UAC) remote restrictions on the Windows system. User Account Control is a security component on Windows.

    Note: This task contains steps that tell you how to modify the registry. Serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then you can restore the registry if problems occur. For information about how to back up and restore the registry, see http://support.microsoft.com/kb/322756/.

    To disable UAC remote restrictions, follow these steps:

    1. Click Start > Run. Enter regedit and click OK.
    2. Locate and click the following registry subkey:

       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

    3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
       a. On the Edit menu, click New > DWORD Value.
       b. Enter LocalAccountTokenFilterPolicy as the name for the DWORD value in the content pane. Click Enter.
    4. Right-click LocalAccountTokenFilterPolicy, then click Modify.
    5. In the Edit DWORD Value window, enter 1, then click OK.
    6. Exit the registry editor.
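
The registry steps quoted in the post above, as a PowerShell function (an added example, not part of the thread or of the TPC manual). The function name and the backup path are assumptions. The value lifts UAC remote restrictions for local accounts in the Administrators group, and `-Value 0` puts them back.

```powershell
# Added example, not from the TPC manual. Run in an elevated PowerShell session.
$RegKey    = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   # reg.exe form
$PsKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'  # provider form
$ValueName = 'LocalAccountTokenFilterPolicy'

function Set-LocalAccountTokenFilterPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 1 = disable UAC remote restrictions, 0 = restore them.
        [ValidateSet(0, 1)][int]$Value = 1,
        # Assumed backup location; any writable path works.
        [string]$BackupFile = (Join-Path $env:TEMP 'Policies-System-backup.reg')
    )

    # Record the current state; $null means the entry does not exist yet.
    $before = (Get-ItemProperty -Path $PsKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if ($PSCmdlet.ShouldProcess("$RegKey\$ValueName", "Set DWORD to $Value")) {
        # Back up the subkey first, as the note in the manual recommends.
        & reg.exe export $RegKey $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupFile failed; nothing was changed." }

        # -Force creates the DWORD if it is missing and overwrites it otherwise,
        # which covers both the "does not exist" branch and the Modify step.
        New-ItemProperty -Path $PsKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Read the value back so the caller sees what is actually in the registry.
    $after = (Get-ItemProperty -Path $PsKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    New-Object PSObject -Property @{
        Before = $before
        After  = $after
        Backup = $BackupFile
    }
}

# Preview only; drop -WhatIf to apply the change.
Set-LocalAccountTokenFilterPolicy -WhatIf
```
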
  • SystemAdmin

    Re: An error occurred when attempting to connect to the VM manager (Hyper-V)

    2013-02-04T14:53:17Z
    Hi,

    You must be an administrator and have rights to execute winrm. There is no other option. There is no workaround to this design either.

    What I do suggest is to use the RFE program and provide your feedback to the ILMT board. As soon as you do this, please provide the RFE number and a link to it here so any other user of this forum will be able to vote for it. All the details you will find in this post:
    Request for Enhancement - Have an impact on ILMT!!!
    Please let me know if my post answers your question.

    Regards,
    Michał Klak
    ILMT Central Team


    The postings on this site are my own and do not necessarily represent IBM's positions, strategies or opinions.
    Please contact product support if you need IBM's official advice.

    If you want to extend your knowledge of ILMT, you may check this site:
    https://www.ibm.com/developerworks/mydeveloperworks/wikis/home/wiki/IBM+License+Metric+Tool
  • bjdboyer

    Re: An error occurred when attempting to connect to the VM manager (Hyper-V)

    2013-02-11T21:23:12Z
    I changed the UAC level to minimal on all the Hyper-V 2008R2 servers and was able to connect to one of them checking the share credentials. Now my problem is access...

    These Hyper-V servers belong to one of our hosted customers and as such they have a primary IP address of the customer's network. They also have a secondary IP address configured that is on our internal management network. This allows us from our network to directly connect and monitor the servers while they are on the customer's production network. There is a static route that sends the data back through the management network for our monitoring servers. This is how the ILMT server connects using the management IP. It connected to the first of the Hyper-V hosts, but then tried to connect over to another in the "cluster" and the actual production IP was used. I guess WinRM returned that in the query of all the Hyper-V in the cluster.

    So instead of only defining 1 Hyper-V and checking the use same credentials, can I just add all 3 of the Hyper-V servers to ILMT? Or is there a way to get WinRM/ILMT to use a different discovered IP of the other Hyper-V servers in the cluster?
    Bill
  • SystemAdmin

    Re: An error occurred when attempting to connect to the VM manager (Hyper-V)

    2013-02-28T11:59:07Z
    Hi Bill,

    Yes, you can define every Hyper-V separately.
    I do not have a chance to test it, but you can also try to connect to the IP of the cluster instead of the IP of the host and see the result.

    Please let me know if my post answers your question.

    Regards,
    Michał Klak
    ILMT Central Team

