Connecting to a remote server over WinRM from the terminal

Prerequisites

Windows Server 2022 Datacenter

All operations are performed with administrator privileges

Procedure

The listener in this section uses the default HTTP transport on port 5985; configuring HTTPS with a certificate is described further down.

Configuring the HTTP listener

Configure WinRM on the remote server

Remote management, i.e. WinRM, can be configured quickly from Server Manager

Quick configuration of remote management in Server Manager

# Quick-configure WinRM: create the default listener and add the firewall exception
Enable-PSRemoting -Force

# Check whether the WinRM service is running
Get-Service WinRM

View the listeners

# List the WinRM listeners
PS C:\Users\Administrator> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.0.4.11, 127.0.0.1, ::1, fe80::5dc1:2b3b:f22c:ed79%7

Configure a firewall rule to allow WinRM HTTP traffic

With the quick configuration, WinRM creates a default rule that only permits connections from the same subnet on public networks; private and domain networks are not restricted. For ease of testing, an additional firewall rule is added here so that connections from all network profiles can be tested.

# Create a new firewall rule allowing inbound WinRM HTTP traffic (port 5985)
PS C:\Users\Administrator> New-NetFirewallRule -DisplayName "WinRM HTTP 5985" -Description "允许 WinRM HTTP 流量(端口 5985)" -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow -Profile Any


Name                          : {ed70a15b-f06d-4714-9033-4fcb013a3f6f}
DisplayName                   : WinRM HTTP 5985
Description                   : 允许 WinRM HTTP 流量(端口 5985)
DisplayGroup                  :
Group                         :
Enabled                       : True
Profile                       : Any
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : 已从存储区成功分析规则。 (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId                   :

If this is a cloud server, open the port in the provider's console as well; here the firewall is configured on a Tencent Cloud Lightweight Application Server

Configuring the firewall on a Tencent Cloud Lightweight Application Server

Configure TrustedHosts on the local machine

On the local machine, make sure the WinRM service is running; in Services it is named "Windows Remote Management (WS-Management)", short name "WinRM"

# Check whether the WinRM service is running
PS C:\Users\micro> Get-Service WinRM

Status   Name               DisplayName
------   ----               -----------
Stopped  WinRM              Windows Remote Management (WS-Manag...

# Start the WinRM service
PS C:\Users\micro> Start-Service WinRM

# Make sure the WinRM service is in the Running state
PS C:\Users\micro> Get-Service WinRM

Status   Name               DisplayName
------   ----               -----------
Running  WinRM              Windows Remote Management (WS-Manag...

Configure TrustedHosts

# View the current TrustedHosts configuration
Get-Item WSMan:\localhost\Client\TrustedHosts

# Add the remote host to the TrustedHosts list
# Note: -Force overwrites the existing setting; -Concatenate appends to it
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*.microcharon.com" -Force

# To add an entry without overwriting the existing setting, use -Concatenate
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*.microcharon.com" -Concatenate

# If the change does not take effect, restart the WinRM service to apply it
# Restart-Service WinRM

Check the TrustedHosts configuration again

PS C:\Users\micro> Get-Item WSMan:\localhost\Client\TrustedHosts


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   TrustedHosts                                   *.microcharon.com
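The post adds a wildcard entry with -Force, which replaces whatever was in TrustedHosts before. The following function is an added example (not code from the original post) that appends a single named host only if it is not already listed, re-reads the value WinRM stored, and refuses a bare "*", since, as the error text later on the page says, hosts in TrustedHosts are not authenticated by the client before it sends credentials. The hostname test.microcharon.com is the one used in the post; run it in an elevated PowerShell on the client.

```powershell
# Added example (not from the original post): append one host to TrustedHosts
# without clobbering existing entries. Assumed host: test.microcharon.com.

function Add-TrustedHostEntry {
    param(
        [Parameter(Mandatory)] [string] $HostName
    )

    # A bare "*" trusts every host: the client will hand NTLM credentials to
    # whatever answers on the port, so refuse it and require a name or domain.
    if ($HostName -eq '*') {
        throw 'Refusing to trust every host; add the specific host or domain instead.'
    }

    $path = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item $path).Value

    # Split the comma-separated list, drop blanks, and check for an existing entry
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries -contains $HostName) {
        Write-Host "Already trusted: $HostName"
        return $entries
    }

    # -Concatenate appends instead of replacing the list; -Force skips the prompt
    Set-Item $path -Value $HostName -Concatenate -Force

    # Re-read so the caller sees exactly what WinRM stored
    $updated = (Get-Item $path).Value
    Write-Host "TrustedHosts is now: $updated"
    return @($updated -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

Add-TrustedHostEntry -HostName 'test.microcharon.com'
```

Because the function returns the parsed list, it can be called again from a script to confirm the entry is present before Enter-PSSession is attempted.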

Test port connectivity and verify the connection

Make sure port 5985 is open on the remote server

PS C:\Users\micro> Test-NetConnection -ComputerName test.microcharon.com -Port 5985


ComputerName     : test.microcharon.com
RemoteAddress    : 1.1.1.1
RemotePort       : 5985
InterfaceAlias   : WLAN
SourceAddress    : 192.168.1.2
TcpTestSucceeded : True

Connect to the remote server, entering the administrator credentials

PS C:\Users\micro> Enter-PSSession -ComputerName "test.microcharon.com" -Port 5985 -Credential $cred
[test.microcharon.com]: PS C:\Users\Administrator\Documents> ls


    目录: C:\Users\Administrator\Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/10/2024  下午 11:27            448 bind_port.ps1
-a----        29/12/2024   下午 2:46           4277 duplicate_firewall_delete.ps1
-a----        29/12/2024  下午 12:16            407 security.ps1

Configuring the HTTPS listener

Use a self-signed wildcard certificate (e.g. *.microcharon.com) to configure the WinRM HTTPS connection

Create a self-signed wildcard certificate

Self-sign the certificate on the remote server

# Compute the date five years from now as the certificate expiry
$notAfter = (Get-Date).AddYears(5)

# Create a self-signed certificate containing the wildcard name, valid for five years
$domainName = "*.microcharon.com"
$cert = New-SelfSignedCertificate -DnsName $domainName `
                                  -CertStoreLocation "cert:\LocalMachine\My" `
                                  -NotAfter $notAfter

# Get the certificate thumbprint
$thumbprint = $cert.Thumbprint
Write-Host "证书指纹: $thumbprint"
Write-Host "证书有效期至: $($cert.NotAfter)"

The certificate thumbprint is printed

证书指纹: 58AB5807592C3419476AD2EC11F8F03A0F4D3253
证书有效期至: 03/14/2030 16:59:48

Configure WinRM to use the certificate

# Configure WinRM to use the certificate
PS C:\Users\Administrator> New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumbprint -Force


   WSManConfig:Microsoft.WSMan.Management\WSMan::localhost\Listener

Type            Keys                                Name                                                                
----            ----                                ----                                                                
Container       {Transport=HTTPS, Address=*}        Listener_1305953032                                                 

Verify the listener configuration

# Verify the WinRM listener configuration
PS C:\Users\Administrator> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.0.4.11, 127.0.0.1, ::1, fe80::5dc1:2b3b:f22c:ed79%7

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 58AB5807592C3419476AD2EC11F8F03A0F4D3253
    ListeningOn = 10.0.4.11, 127.0.0.1, ::1, fe80::5dc1:2b3b:f22c:ed79%7

Configure a firewall rule to allow WinRM HTTPS traffic

# Add a firewall rule allowing WinRM HTTPS traffic
New-NetFirewallRule -DisplayName "WinRM HTTPS 5986" -Description "允许 WinRM HTTPS 流量(端口 5986)" -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow -Profile Any

Export the certificate and use it on the client

# Export only the public certificate (no private key) for the client to trust
Export-Certificate -Cert "cert:\LocalMachine\My\$thumbprint" -FilePath "C:\Temp\winrm.cer"

Copy the exported .cer file to the client machine, then import it into the Trusted Root Certification Authorities store

# Run on the client machine
Import-Certificate -FilePath "C:\Users\micro\Downloads\winrm.cer" -CertStoreLocation "cert:\LocalMachine\Root\"

Test port connectivity and verify the connection

Make sure port 5986 is open on the remote server
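After the steps above, the server has both an HTTP listener on 5985 and an HTTPS listener on 5986 (see the winrm enumerate output). The script below is an added example (not code from the original post) for the server side: it walks the WSMan: listener tree, ties each HTTPS listener back to the certificate in cert:\LocalMachine\My by thumbprint, flags a missing or soon-expiring certificate, flags any plaintext listener that is still enabled, and includes a helper (not called by default) that removes HTTP listeners and confirms unencrypted and Basic authentication stay off once HTTPS is verified. Function names and the 30-day expiry threshold are assumptions of this example; run it in an elevated PowerShell on the server.

```powershell
# Added example (not from the original post): audit WinRM listeners on the server.
# Assumes the HTTPS listener's certificate lives in cert:\LocalMachine\My.

function Get-WinRmListenerReport {
    $report = foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
        # Each listener is a container whose properties are its child items
        $props = @{}
        foreach ($item in Get-ChildItem $listener.PSPath) {
            $props[$item.Name] = $item.Value
        }

        $cert = $null
        $warnings = @()
        if ($props['Transport'] -eq 'HTTPS') {
            $thumb = $props['CertificateThumbprint']
            if (-not $thumb) {
                $warnings += 'HTTPS listener has no certificate thumbprint'
            } else {
                $cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
                if (-not $cert) {
                    $warnings += "certificate $thumb not found in LocalMachine\My"
                } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
                    # Assumed threshold: warn 30 days before expiry
                    $warnings += "certificate expires $($cert.NotAfter)"
                }
            }
        } elseif ($props['Enabled'] -eq 'true') {
            $warnings += 'plaintext transport still enabled; only the auth protocol protects traffic'
        }

        [pscustomobject]@{
            Name       = $listener.Name
            Transport  = $props['Transport']
            Port       = $props['Port']
            Enabled    = $props['Enabled']
            Thumbprint = $props['CertificateThumbprint']
            Subject    = if ($cert) { $cert.Subject } else { $null }
            Warnings   = $warnings -join '; '
        }
    }
    return $report
}

function Remove-WinRmHttpListener {
    # Drop every HTTP listener so only TLS-wrapped sessions are accepted,
    # then make sure the service still rejects unencrypted and Basic auth.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { (Get-Item "$($_.PSPath)\Transport").Value -eq 'HTTP' } |
        Remove-Item -Recurse
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
}

Get-WinRmListenerReport | Format-Table -AutoSize
# Only after the HTTPS session in the next section works:
# Remove-WinRmHttpListener
```

Leaving the HTTP listener in place keeps the "-Profile Any" firewall rule on 5985 useful to anyone who can reach the host, so the report is worth re-running after the HTTPS connection test succeeds and the HTTP listener has been removed.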

PS C:\Users\micro> Test-NetConnection -ComputerName test.microcharon.com -Port 5986


ComputerName     : test.microcharon.com
RemoteAddress    : 1.1.1.1
RemotePort       : 5986
InterfaceAlias   : WLAN
SourceAddress    : 192.168.1.2
TcpTestSucceeded : True

Connect to the remote server, entering the administrator credentials

PS C:\Users\micro> Enter-PSSession -ComputerName "test.microcharon.com" -Port 5986 -UseSSL -Credential $cred
[test.microcharon.com]: PS C:\Users\Administrator\Documents> ls


    目录: C:\Users\Administrator\Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/10/2024  下午 11:27            448 bind_port.ps1
-a----        29/12/2024   下午 2:46           4277 duplicate_firewall_delete.ps1
-a----        29/12/2024  下午 12:16            407 security.ps1

Notes

PS C:\Users\micro> Enter-PSSession -ComputerName "test.microcharon.com" -Port 5985 -Credential $cred
Enter-PSSession : Connecting to remote server compute.microbin.cn failed with the following error message : The WinRM c
lient cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is
 not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts
 configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not
 be authenticated. You can get more information about that by running the following command: winrm help config. For mor
e information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName "test.microcharon.com" -Port 5985 -Crede ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (test.microcharon.com:String) [Enter-PSSession], PSRemotingTransportExce
   ption
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

WinRM authentication error. Check the credentials, or add the target machine to the TrustedHosts configuration setting

PS C:\Users\micro> Enter-PSSession -ComputerName "test.microcharon.com" -Port 5986 -Credential $cred
Enter-PSSession : Connecting to remote server test.microcharon.com failed with the following error messag
e : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the cli
ent computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to t
he TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts
 list might not be authenticated. You can get more information about that by running the following command: winrm help
config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName "test.microcharon.com" -P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (test.microcharon.com:String) [Enter-PSSession], PSRemoti
   ngTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

When using 5986, i.e. the HTTPS listener, -UseSSL must be appended
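Both failures in these notes produce the same TrustedHosts error text, so the cause is not obvious from the message alone. The function below is an added example (not code from the original post) that runs the checks a client can do before Enter-PSSession: TCP reachability of the port, whether the target matches a TrustedHosts pattern (relevant only for the HTTP transport, since HTTPS is exempt), and a Test-WSMan identify call over the chosen transport, which also exercises the client's certificate validation so an untrusted self-signed certificate shows up here instead of inside Enter-PSSession. The hostname and ports are the post's; the function name is an assumption of this example.

```powershell
# Added example (not from the original post): client-side pre-flight check that
# explains the two failures shown in the notes. Assumed target: test.microcharon.com.

function Test-WinRmTarget {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 5986,
        [pscredential] $Credential
    )
    # Port 5986 is the HTTPS listener created above, so it needs -UseSSL
    $useSsl = ($Port -eq 5986)
    $result = [ordered]@{ ComputerName = $ComputerName; Port = $Port; UseSSL = $useSsl }

    # 1. TCP reachability (server firewall rule and the cloud provider's firewall)
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    $result.TcpOpen = $tcp.TcpTestSucceeded

    # 2. TrustedHosts only matters for non-Kerberos auth over HTTP; HTTPS does not need it
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $patterns = @($trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $result.InTrustedHosts = [bool]($patterns | Where-Object { $ComputerName -like $_ })
    $result.NeedsTrustedHosts = (-not $useSsl) -and (-not $result.InTrustedHosts)

    # 3. Ask the WinRM service to identify itself over the chosen transport.
    #    With -UseSSL this validates the server certificate against the client's
    #    trust store, so the Import-Certificate step is verified as a side effect.
    $wsmanParams = @{ ComputerName = $ComputerName; Port = $Port; ErrorAction = 'Stop' }
    if ($useSsl) { $wsmanParams.UseSSL = $true }
    if ($Credential) {
        $wsmanParams.Credential = $Credential
        $wsmanParams.Authentication = 'Default'
    }
    try {
        $id = Test-WSMan @wsmanParams
        $result.WsmanReachable = $true
        $result.ProductVersion = $id.ProductVersion
    } catch {
        $result.WsmanReachable = $false
        $result.WsmanError = $_.Exception.Message
    }
    return [pscustomobject]$result
}

# Usage:
# $cred = Get-Credential
# Test-WinRmTarget -ComputerName test.microcharon.com -Port 5986 -Credential $cred
```

A result with TcpOpen true, UseSSL false and NeedsTrustedHosts true corresponds to the first error above (HTTP without a TrustedHosts entry); with Port 5986 the function sets UseSSL itself, which is the -UseSSL that the second attempt above was missing.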


Last modified: 14 March 2025