StefanScherer / dockerfiles-windows

Various Dockerfiles for Windows Containers
MIT License

WinRM container not accessible via Enter-PSSession #460

Closed Peco602 closed 2 years ago

Peco602 commented 2 years ago

I am trying without success to access the container via this command:

Enter-PSSession -ComputerName <IP ADDRESS> -Credential User03

and then inserting the password Passw0rd in the prompt window.

rleap-m commented 2 years ago

Seems to me that is an unconventional way to work interactively with a running container. You would typically use docker exec -it command for an interactive session. That said, I gave it a try with the mcr.microsoft.com/windows/servercore/iis:latest image and from the container host I was able to verify connectivity from host-to-container over the default WinRM port:

PS C:\Users\Administrator> (docker container inspect cbe0be0147d1 | ConvertFrom-Json).NetworkSettings.Networks.nat.IPAddress
172.31.124.73
PS C:\Users\Administrator> Test-NetConnection -ComputerName 172.31.124.73 -Port 5985

ComputerName     : 172.31.124.73
RemoteAddress    : 172.31.124.73
RemotePort       : 5985
InterfaceAlias   : vEthernet (nat)
SourceAddress    : 172.31.112.1
TcpTestSucceeded : True

But when I try to enter a session:

PS C:\Users\Administrator> Enter-PSSession -ComputerName 172.31.124.73
Enter-PSSession : Connecting to remote server 172.31.124.73 failed with the following error message : The WinRM client cannot process
the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS
transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure
TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by
running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName 172.31.124.73
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (172.31.124.73:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed 

And this error makes sense because the container is not domain-joined (nor is my test VM in this case). So the auth scheme is definitely not Kerberos and as far as using HTTPS as the transport - perhaps it could work, but WinRM inside the container has not been configured to allow it. Again, I'd recommend using docker exec if you need to interact with a running container.
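The client-side requirement named in the error message above (HTTPS, or a TrustedHosts entry when the target is not authenticated by Kerberos), as an added example that is not part of the thread: it trusts only the one container address, checks the listener, and restores the previous TrustedHosts value afterwards. It assumes an elevated PowerShell prompt on the container host and a container whose WinRM service accepts Negotiate authentication for a local account; the variable names are illustrative.

```powershell
# Added example, not code from the thread. Run elevated on the container host.
# Assumption: WinRM inside the container accepts Negotiate (NTLM) for a local account.
$ContainerIp = '172.31.124.73'   # address taken from the output shown in the thread
$Cred = Get-Credential -Message 'Local account inside the container'

$trustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'
$original = (Get-Item $trustedHostsPath).Value
$entries  = @($original -split ',' | ForEach-Object { $_.Trim() })
$session  = $null

try {
    # Trust only this one address. A value of '*' would skip server identity
    # checks for every host this client ever connects to.
    if ($original -ne '*' -and $entries -notcontains $ContainerIp) {
        Set-Item $trustedHostsPath -Value $ContainerIp -Concatenate -Force
    }

    # Confirm the listener answers and accepts the credential before opening a session.
    Test-WSMan -ComputerName $ContainerIp -Credential $Cred `
        -Authentication Negotiate -ErrorAction Stop | Out-Null

    $session = New-PSSession -ComputerName $ContainerIp -Credential $Cred `
        -Authentication Negotiate -ErrorAction Stop
    Invoke-Command -Session $session -ScriptBlock { hostname; whoami }
}
finally {
    if ($session) { Remove-PSSession $session }
    # Put the previous list back so the trust entry does not outlive the test.
    Set-Item $trustedHostsPath -Value $original -Force
}
```

As the error text itself notes, a host reached through TrustedHosts is not authenticated, so keep the entry scoped to the single address and remove it when the test is done.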

Peco602 commented 2 years ago

You should try other authentication methods, such as Basic and NTLM, which are for non-domain-joined machines.

I need to interact via Enter-PSSession and not via docker exec because I need to simulate a WinRM connection.

I tried to interact with the winrm container available in this repository. The error I get is ACCESS DENIED.

rleap-m commented 2 years ago

Doesn't work (using any of the available authentication schemes) out-of-the-box. This post looks promising - maybe it can help you: https://tobiasfenster.io/container-to-container-winrm

Peco602 commented 2 years ago

It is the same link I found. I will give it a look.

rleap-m commented 2 years ago

I was able to use the -ContainerId parameter (from the container host) to enter into a session. Probably not what you are after, but that did in fact work:

PS C:\Users\Administrator\Documents> hostname
EC2AMAZ-9I75KV2
PS C:\Users\Administrator\Documents> Enter-PSSession -ContainerId cbe0be0147d191136339d86b537189292b8eadb96915114473340ace213fca30
[cbe0be0147d1...]: PS C:\Users\ContainerUser\Documents> hostname
cbe0be0147d1
[cbe0be0147d1...]: PS C:\Users\ContainerUser\Documents> whoami
user manager\containeruser

Peco602 commented 2 years ago

Please check out my new repository where I have published a WinRM Windows Docker image accessible via the PowerShell command Enter-PSSession.