StefanScherer / dockerfiles-windows

Various Dockerfiles for Windows Containers
MIT License

Unable to connect to winrm container for dockerfiles-windows/winrm #423

Closed akaFalsh closed 4 years ago

akaFalsh commented 5 years ago

Hi,

I tried to use stefanscherer/winrm, but when I try to connect from my host machine I get the following error:

```
PS C:\Users\Administrator> Enter-PSSession -ComputerName 172.22.62.63 -Authentication Negotiate -Credential $creds
Enter-PSSession : Connecting to remote server 172.22.62.63 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName 172.22.62.63 -Authentication Negotiate  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (172.22.62.63:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
```

The client allows all connections:

```
PS C:\Users\Administrator> winrm get winrm/config/client
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = true [Source="GPO"]
    Auth
        Basic = true [Source="GPO"]
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = true [Source="GPO"]
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = *
```

The connections to other hosts or virtual machines work fine.

To reproduce the issue:

1. Pull and start container

```
docker pull stefanscherer/winrm
docker run -it stefanscherer/winrm
```

2. Try to connect with users specified in description:

```
# Here we use -username User03 -password Passw0rd
$creds = Get-Credential
Enter-PSSession -ComputerName 172.22.62.63 -Authentication Negotiate -Credential $creds
```

172.22.62.63 is the IP of the container. Here is the ipconfig output:

```
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : b06044b1d6b1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MyDomain.local

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : MyDomain.local
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-24-39-1D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5412:b44c:ab6e:46e5%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.22.62.63(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 172.22.48.1
   DHCPv6 IAID . . . . . . . . . . . : 67114333
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F7-ED-38-00-15-5D-24-39-1D
   DNS Servers . . . . . . . . . . . : 172.22.48.1
                                       192.168.10.2
                                       192.168.10.3
   NetBIOS over Tcpip. . . . . . . . : Disabled
```

Also netstat:

```
C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49159          0.0.0.0:0              LISTENING
  TCP    172.22.62.63:49168     52.114.7.37:443        TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:5985              [::]:0                 LISTENING
  TCP    [::]:47001             [::]:0                 LISTENING
  TCP    [::]:49152             [::]:0                 LISTENING
  TCP    [::]:49153             [::]:0                 LISTENING
  TCP    [::]:49154             [::]:0                 LISTENING
  TCP    [::]:49155             [::]:0                 LISTENING
  TCP    [::]:49159             [::]:0                 LISTENING
  UDP    0.0.0.0:68             *:*
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    127.0.0.1:61443        *:*
  UDP    [::]:5353              *:*
  UDP    [::]:5355              *:*
```

RobertLivermore commented 5 years ago

The docker run command is wrong. You must redirect the container's listening WinRM port. See the setup directions at https://github.com/StefanScherer/dockerfiles-windows/tree/master/winrm

If the docker run command does not specify a network driver, Docker defaults to nat (Network Address Translation). The NAT driver does not allow port sharing. The host is already using the WinRM port, and is rejecting the session with Access Denied; it probably does not allow basic authentication.

akaFalsh commented 5 years ago

Thanks for the fast reply. I tried this:

```
docker run -d -p 55985:5985 winrm
```

It exits with "can not find winrm image". Afterwards I tried this:

```
docker run -d -p 55985:5985 stefanscherer/winrm
```

Which stopped right after it finished. docker logs did not give anything. After that I tried this:

```
docker run -it -p 55985:5985 stefanscherer/winrm
```

The container started successfully:

```
7b2ec4eba2d9 stefanscherer/winrm "c:\windows\system32…" About a minute ago Up About a minute 0.0.0.0:55985->5985/tcp magical_shannon
```

Then I tried to connect and it failed:

```
PS> Enter-PSSession -ComputerName localhost -Port 55985 -Authentication Negotiate -Credential $creds
Enter-PSSession : Connecting to remote server localhost failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName localhost -Port 55985 -Authentication N ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (localhost:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
```

RobertLivermore commented 5 years ago

I had a similar issue using NAT; it is specific to the environment the Windows 10 desktop lived in. The environment has a 3rd party virus network threat protection which was blocking all ports except for known ones. I had to figure out which network interface the traffic was routing through and set up exception rules. After I fixed that issue, it still failed. There is a switch which had unknown ports blocked between subnets.

If you are trying the container in a corporate environment then check out the network security. One way I get around the policy is to use the Docker transparent network driver and leverage the port rules already set up.

If you are trying this in Microsoft Azure, you will need to disable the Windows Defender feature on the host and open the port in the VNET resource group – VNET acts as a firewall switch.

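Added example, not part of the thread or of the project's own code: a PowerShell triage that separates the causes discussed above (port not reachable, no WinRM listener behind the published port, or listener reached but credentials rejected). The function name `Test-WinRmPath` and the parameters `$Target` and `$HostPort` are illustrative; the port mapping and the `User03` account are taken from the commands in the thread.

```powershell
# Added example. Test-WinRmPath, $Target and $HostPort are illustrative names.
param(
    [string]$Target   = 'localhost',  # host that publishes the container port
    [int]   $HostPort = 55985         # from: docker run -it -p 55985:5985 stefanscherer/winrm
)

function Test-WinRmPath {
    param([string]$ComputerName, [int]$Port, [pscredential]$Credential)

    $result = [ordered]@{ Tcp = $false; Listener = $false; Auth = $false; Detail = '' }

    # Step 1: plain TCP reachability. A failure here points at port publishing,
    # a host firewall, endpoint protection or a switch rule, not at credentials.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    $result.Tcp = [bool]$tcp.TcpTestSucceeded
    if (-not $result.Tcp) {
        $result.Detail = 'TCP connect failed'
        return [pscustomobject]$result
    }

    # Step 2: unauthenticated WS-Man Identify request. A reply proves that a
    # WinRM listener answers on this port; ProductVersion shows which stack.
    try {
        $id = Test-WSMan -ComputerName $ComputerName -Port $Port -ErrorAction Stop
        $result.Listener = $true
        $result.Detail   = $id.ProductVersion
    } catch {
        $result.Detail = "No WS-Man reply: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Step 3: the same request with Negotiate and the credential under test.
    try {
        Test-WSMan -ComputerName $ComputerName -Port $Port -Authentication Negotiate `
                   -Credential $Credential -ErrorAction Stop | Out-Null
        $result.Auth = $true
    } catch {
        $result.Detail = "Listener answered but authentication failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Prompts for the password of the container account used in the thread.
$creds = Get-Credential -UserName 'User03' -Message 'Container account from the image description'
Test-WinRmPath -ComputerName $Target -Port $HostPort -Credential $creds | Format-List
```

Reading the result: `Tcp = False` matches the firewall and switch scenario, `Listener = False` means something other than WinRM answers on the port, and `Auth = False` with the other two `True` narrows the problem to the account or authentication settings.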