WinRM: Ride the Adventure!

Video in TIB AV-Portal: WinRM: Ride the Adventure!

License: CC Attribution - ShareAlike 3.0 Unported
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Abstract
You just want to connect to a remote Windows machine. Sometimes it "just works." Sometimes it doesn't and it's not clear why. We'll dissect some typical WinRM failures. I'll point out the questions to ask and some basic commands (for Windows and Linux) to run that will help you navigate your way to diagnosing your issue and hopefully leading to a successful connection. We'll look at the key points that influence WinRM connectivity and how they need to be configured to facilitate communication between nodes. We'll focus on some nuances specific to various Chef ecosystem tools that affect these settings and how you can configure these tools for the least amount of friction. What has changed and progressed in the last year with regards to the Ruby WinRM client used by knife-windows, Chef provisioning, Vagrant and Test Kitchen? How can you leverage these changes to provide a better remote experience? What works and does not work over WinRM and how can you work around the limitations?
Thank you very much, everyone, for coming. I'll go ahead and get started. Today I'm talking about WinRM: Ride the Adventure. When I think back to my first experiences of running commands remotely over WinRM, what I thought was going to be 15 minutes became several hours, and the first word that comes to my mind is "adventure", and I don't necessarily mean that in a positive sense of the term. Having talked to several other people who have gone through the same experience, and having talked to some of those people while they were going through the experience, I feel like that's an appropriate term: it often feels like an adventure, and not necessarily the kind you want to be on. So what I want to accomplish is to bring WinRM down to earth, down to our level, so that it's no longer a mystery, in the hour we have. A little bit about myself: I'm Matt Wrock, and I'm one of the primary maintainers of the Ruby WinRM gem. Late last year we were the first open-source implementation of the PowerShell remoting protocol; I'll talk more about that in a bit. The WinRM gem is the WinRM client that powers applications like Vagrant, knife-windows, Test Kitchen and Chef provisioning. I blog at hurryupandwait.io, so in troubleshooting your own WinRM problems you may have stumbled upon that, and I certainly hope it was helpful. I work for Chef; I've been working for Chef for almost two years, since October. Right now I'm on the Habitat team, and my focus is making Habitat work on Windows. I'm not talking about that today, but if that's of interest to you, please come and track me down before the end of the conference and I'd be happy to not only tell you about it but show it to you. And I tweet at @mwrockx. So let's start off by going
deep. Actually, let's go deep into the WinRM protocol. What I want to do here is give everyone a solid mental model of what happens on your workstation when you make a request to a remote server over WinRM, and dispel any incorrect assumptions we might have, because for a lot of people it's kind of this big cloud: "I'm issuing this command, but I don't really know what's happening." Those incorrect assumptions sometimes send you down the rabbit hole when it comes to troubleshooting a problem. So let's start by looking at what exactly WinRM is and what is happening. At its core, I can tell you what WinRM is: it's a web service. A lot of people don't know that, but that's simply what it is. There's a tiny web server running on the remote machine where you're trying to invoke your commands, and on your machine there's really just a little bit of code that's not doing a whole lot, because the web service does all the work. All your machine is doing is issuing HTTP requests to that web service, asking it to run commands and open shells. The WinRM client, in most of our cases if you're using Chef tooling, is the WinRM gem, but it could be Python using pywinrm, there's a Go library for WinRM, and if you're using PowerShell via Enter-PSSession or New-PSSession it's PowerShell itself. All these libraries are doing the same thing: they're all constructing the exact same HTTP messages and making requests to WinRM servers. So let's take a look at those messages: what's the sequence of messages involved in invoking a WinRM command? We're going to find that this sequence correlates very closely to what you and I would do on our own machines if we wanted to run a command. What's the first thing you do when you want to run a
command on your own machine? Well, the first thing I do is open up a console, and that's exactly the first thing we do with WinRM: we issue a create-shell request. We create an HTTP request and send it off to the remote machine. When it receives that request it does exactly that: it starts a process called conhost, which you may see on another machine; you can think of that as an invisible console window. It also spawns a process to interpret the commands, so cmd.exe, and it sends back to us a unique identifier, a 32-character GUID: that's the shell ID. We're going to use that shell ID to run commands. We could have multiple shells open, and just like on our own machine each one has its own environment context, its environment variables and so forth. So what's the next thing you do after you open your console? You start typing and hit Enter. So the next thing we do is issue a create-command request, and we give it that shell ID, because that's where we want the command to run. Inside the create-command request is the command itself and all of its arguments. We send that off; the remote machine receives it, spawns the command and invokes it. It does not wait for the command to finish; it immediately returns to us a command identifier, in the same GUID format as the shell ID. What's the next thing we do on our own machines after we hit Enter? We wait for output, right? We expect some kind of feedback from that command. So we send a receive request, and in that receive request, that HTTP request, we include the streams
that we want access to. There are really just two streams available to us: the output stream and the error stream. There are more streams in PowerShell remoting, and we'll get to that in a little bit. So we ask the server for output, and you can expect a few different types of responses. If it's a fast-running process I would expect to get the full output of that response along with the exit code the process exited with. If it was a command that took a while and didn't give any output until it was done, I might get next to nothing: I'll get a response whose output is essentially empty, and a signal basically telling me that the command is still running. Now let's take the scenario of a chef-client run: say I'm using knife winrm to execute chef-client remotely, and depending on what you're converging it could take 20 minutes, it could take an hour. In that very first receive response I would expect a little bit of output, the very beginning of my chef-client run, but no signal that the command has terminated. So what the WinRM gem does is keep polling that server for output, taking the output and returning it as structured information back to the application using the WinRM gem. If you're using knife winrm, the knife-windows gem takes that returned output and writes it to your screen. It keeps doing that until the last response we get back from the server includes the signal telling us the process has exited, and gives us the exit code of that process. And then there's a
termination signal that we can send. Let's say we don't want to wait for that command to finish: think of this as a remote Ctrl-C. Again, these are all simple HTTP requests; the WinRM gem, or whatever WinRM client you're using, is just basically constructing strings that form these messages, and the WinRM web server is doing all the work. The last message is the close-shell request, which closes the shell. It's the equivalent of clicking the X in the upper right-hand corner of your PowerShell console: it closes the shell and basically kills off any processes that shell had opened. It's particularly important to do this in WinRM, because one thing about WinRM that's unlike our own machines is that in the WinRM configuration there are all sorts of quotas specified. Among those quotas is the maximum number of shells a user can have open. There are also quotas that govern the maximum amount of memory a shell can hold and the maximum number of processes that can be running simultaneously. All these quotas are configurable, but one thing to be aware of is that the version of Windows you're on will often determine the default value of a quota. If we take the max-shells quota, for instance: if I'm on Windows 2008 R2, by default I can't have more than five shells open at a time. Now that might not be a problem for you. Say you're using Test Kitchen: Test Kitchen will open up a shell, run several commands within that shell and close it. That's the efficient way for applications to use WinRM: run as many commands as they can in the same shell, because it literally takes seconds to open up a shell. However, with Vagrant, I've talked to people who have had
multiple Vagrant plugins, each of which performs some kind of provisioning operation that takes up a shell. On 2008 R2 you end up with over five shells, and your vagrant up is not going to be very successful. So let's take
a look at the slide below; if you can't even read this, it's fine. I included this slide just so people can see what these requests actually look like. The WinRM web service is a SOAP web service. SOAP was very popular back when WinRM was created, back in 2005; you still see SOAP services today, but they're not nearly as popular, and all this text is one of the reasons why: it's known for being a very verbose XML format. Most of this XML really has no interest to us as humans, but what is interesting to us here is that this is a create-command message, and about four lines from the bottom you can see what it's doing: it's deleting a file. We see the command, del, along with all its arguments, including the actual file that it's deleting. The other thing of interest is that we actually see a shell ID in here, right smack dab in the middle of the message: the shell ID, the GUID of the shell that this command is saying it wants to run inside. This is what's actually going across the wire with WinRM. Now you might be thinking, especially those of you who use PowerShell on a day-in, day-out basis and use PowerShell remoting: "OK, so this is PowerShell remoting." Well, actually, no: PowerShell remoting is its own specification, its own protocol. So let's back up. Around September of last year the WinRM gem, and so any application that uses the WinRM gem, implemented the PowerShell remoting protocol. I'll get into why we did that in just a bit, but up until that time all cross-platform WinRM clients, Go, Python and Ruby, used an older protocol called WSMV, the Web Services Management Protocol Extensions for Windows Vista, and
it was called that because that's around the time it came out. On the server side it came out around Windows Server 2008 R1, and you can actually run it on Windows Server 2003. It's a much simpler protocol than the PowerShell remoting protocol. PowerShell remoting came with PowerShell 2, which is around 2008 R2, and it has a much richer set of messages, about 41 different types of messages you can send. Many of you who are familiar with PowerShell know that PowerShell has several streams, a progress stream, an information stream, whereas WinRM has just output and error. So all these messages provide a way of expressing that. The thing to note is that the PowerShell remoting protocol is not exclusive of the WSMV protocol: the PowerShell remoting protocol actually depends on WSMV. WSMV defines the transport layer, so the message we were just looking at uses those same messages to embed the PowerShell messages. It's a bit more complicated, and basically kind of a hassle to implement, because the PowerShell remoting protocol is binary: basically, in the WinRM libraries you're creating byte arrays and packing all the bits of information in there, rendering it very difficult to debug and certainly to look at over the wire. So why did we go to the trouble of implementing it? WSMV served its purpose, and the other libraries do just fine without it. The reason is that there's a limitation in cmd.exe. Let me mention this real quick: WSMV, without PowerShell remoting, talks directly to cmd.exe,
the old-school Windows command line, and PowerShell remoting talks directly to PowerShell. We've done fine without it: if we need to run PowerShell, then inside of that cmd.exe shell we just call the actual PowerShell executable and pass it our PowerShell commands. That's worked for us. But cmd.exe has a very serious limitation, and that is you cannot have a command line that's over 8,096
characters. You might be wondering why that matters: "I never intend on typing a command of 8,096 characters." I'd say the same thing myself, but what I've found with the WinRM gem is that it's usually not sending one-liners; applications using the gem often send scripts, so that is a real thing. But the kicker is when it comes to file transfers. In Windows land there's no SCP and no real SCP equivalent, so what we have to do is use the facilities that WinRM grants us to transfer those files: we have to write a command that transfers the file. What would that look like? I'm not going to get into the nitty-gritty, but let me give you a somewhat inaccurate representation that gives you the idea. Imagine, basically, "echo", then in quotes the contents of that file, end quote, then the greater-than sign, which is the default file-redirection character, and then a file name. That's basically what we're doing: grabbing the content and creating the file. Well, if that file is around 8 K or more, that's not going to be a very complete file. So what we've done historically in WinRM is chunk that file. I'm not going to get into the details, but with all that's involved in chopping it up, and the script we have to send along with each one of those chunks, we're really limited to about 590 K. So imagine trying to transfer a gigabyte file. Forget about a gigabyte; even a moderate file like 10 or 20 megabytes takes minutes. A lot of it depends on your network, but on my home Wi-Fi it takes minutes. If I can use the PowerShell remoting protocol, which does not have that limitation, it will just take a few seconds. So that's a serious, major improvement, and we can also do things
like talking to Windows Nano. I won't go into details on that, but at any rate, we now have a full implementation of the PowerShell remoting protocol that the WinRM gem uses. Applications have to tell it to use that; we still expose the old protocol. If you're using Test Kitchen, it uses the new protocol. If you're using knife-windows, you do need to tell it: knife windows has a shell parameter, and you just give that parameter "powershell". The default is "cmd"; with "powershell" it will use native PowerShell remoting. So I hope that was interesting. That covers what WinRM is from a fairly low level, how it behaves and how it works: it's just a web service. Now the question some of you might really be wondering is: why the heck can't I establish a WinRM session, and why is it so difficult? I've done SSH 50 trillion times today without a problem. So let's answer this question. What I've found is that in the vast majority of cases you can categorize the answers to "why can't I connect?" into two categories. The first category is a network connection problem: there's something sitting between you and that WinRM endpoint that's dropping the traffic, or on that server you're trying to reach the WinRM service isn't even running. The second category is authentication issues: you can make it all the way to the server, the server is listening to you, it's heard you, and it's basically telling you that the credentials you're trying to use to log in are not being honored. The best first troubleshooting step is to try to identify which one of these buckets you're in, because 99 percent of the time you'll be in one of them, and depending on which bucket you're in, that
determines a totally different set of troubleshooting measures that you need to take. I've seen people who end up with WinRM authorization error messages and then start troubleshooting "is it my firewall, is the WinRM service running, is my port open?" The fact of the matter is, and the good news is, a WinRM authorization error means that you made it to that server, that server listened to you, and there's a different set of troubleshooting measures you need to look at. So let's look at the typical measures for both of these categories, and let's start off with
connection troubleshooting. First of all, how do you know you're in this category? We've talked about how WinRM is a web service, right? It's basically just a web server, and so all of us here already know the tools and methods for troubleshooting this problem. Maybe you work in a web development shop, you're a web developer, or you're in ops and you support a web application. You come into work in the morning after a new build has been released to a particular environment, you do a little bit of smoke testing, you bring up the browser, and it's not there. I've been in that position, and now you have to go troubleshoot why you can't reach your web application. It's the exact same thing with WinRM: it's a web server, and it's not even really an HTTP issue, it's TCP/IP. So use the tools we're all familiar with just to see: can I get an answer from that remote endpoint on the WinRM port, 5985 or 5986, which are the defaults? On Linux a lot of us use netcat; on Windows I like to use Test-NetConnection, but if I want to go old-school I'll use telnet, which a lot of us have been using for decades, and it works. You just check to see if you get an answer, and if you don't get an answer, then you fall inside this category. If that's the case, the very first question to ask ourselves is: is the WinRM service running? You can use those same tools on the local machine, pointed at localhost, and see if you get an answer. If not, the chances are very high that the WinRM service isn't even running,
and here we talk again about why the version of the Windows operating system you're on matters. Let's go back to Windows Server 2008 R2: on 2008 R2 and earlier, the WinRM service is not started by default. If you've done nothing more than install the operating system, and eliminating any issues with group policy or any provisioning procedures that you have, because I don't know about your group policy, I don't know about your provisioning procedures, I can only talk to the defaults, so that's what we'll be focusing on: by default WinRM is not started on 2008 R2. That's something you have to do, and it's very easy to do: just open up the PowerShell console and type Enable-PSRemoting, and we're done. So what happens when you do that? It starts that web server, called the WinRM listener, which is hosted by the WinRM Windows service, and it enables the firewall rules on the machine, the next thing we're going to talk about, so it allows ports 5985 and 5986 to come in, and then you're good. You should be able to use those tools locally now and actually get a response. Now maybe that works, but when you try to hit that same machine from another server on your network you don't get a response; that is usually indicative of a problem with the firewall. I mentioned that when you enable WinRM on 2008 R2 it sets up those firewall rules, and it does the same thing on 2012 forward, but there's an important nuance. On 2012 and forward, WinRM is enabled by default, so if you've done nothing more than install the OS, the WinRM service should be running. But it exercises just a little bit more caution when it enables those firewall rules. On 2008 R2 it pretty
much opens up those ports to everything, but on 2012 forward, if it's domain-joined then the traffic can come in from anywhere, but if it's on a private network it will limit the traffic to just the local subnet. That means that if I'm here in Austin and I want to issue a WinRM command to my 2012 R2 box in AWS, it's not going to work, because I'm on a different subnet. So I'm going to have problems, which means I know that in my user data, when I provision my machines in AWS, if I intend on not being domain-joined, I need to tweak those firewall rules so that it opens it up not just to local traffic. And that applies to 2012 R1 as well. So once your firewall is all good, the next thing to look at is basically
dependent on your network, but I'll take AWS as an example: security groups. Different networks have different mechanisms, and certainly in AWS you have ingress and egress rules on certain ports to reach specific instances in your network. You want to make sure that the Windows instances you plan on running WinRM on have 5985 and 5986 open in your security groups; otherwise, from outside of AWS, you will not be able to get to them. One more thing to talk about in terms of connection issues, and this I find is the worst one: proxies. Proxies are finicky, and I'll admit I don't have much affinity toward them, but they exist for a reason, I suppose. The real peril with proxies is that when you're having a problem because of a proxy, it's not at all obvious that you're having a problem because of a proxy. This is one of those issues where people get up and running really quick, and you'd think that I've been doing this long enough that I'd come to the proxy problem sooner, but this happened to me just a few months ago: I was going over an issue with a customer, going back and forth over email, back and forth, back and forth, and hours had been consumed before we realized there was a proxy at play. One of the problems here is that those tools we talked about, where you're trying to see if that endpoint is listening on a port, will deceive you in a proxy environment, because your request will basically be intercepted, making it seem as though there's something listening on that
port. But when that something that is listening responds, it responds with a message that WinRM doesn't know what to do with, and at the end of the cycle you get a plain-text error message saying, for example, that you have not authenticated against your proxy. In the WinRM gem we used to just throw that away, but we stopped doing that; we at least include the HTTP response output in the error, but it's still not always obvious. So what do you do if your environment has a proxy? Once you know you have a proxy, you may not know how to configure it. If you're in a Windows environment and comfortable running native Windows tools, you may think you know how to configure it, but native Windows applications behave differently from cross-platform applications when it comes to proxy configuration. A native Windows application that uses the native Win32 APIs to handle HTTP traffic knows to look at your WinINET settings. Those are the settings you set in Internet Explorer, basically in the Internet connection area, where you enter your proxy endpoint and your bypass rules, and they get stored in the registry. Those programs look for it there, and in our usual experience with most Windows programs, by setting those properties everything just works. Not so much with cross-platform tools, but it's not because the cross-platform tools are mean or hate Windows; they have to support not only Windows but non-Windows environments that have absolutely no concept of a registry. That logic is also handled by lower-level HTTP libraries. In the case of the Ruby WinRM gem, we use the popular Ruby HTTPClient library, and it handles all the proxy work for us, but
almost all of these libraries, all the ones that I know of across all the different languages, use the same environment variables to detect this information. So don't worry about what's in your Internet connection settings; that's not going to help you, at least not for WinRM, at least not for the Ruby WinRM gem or Chef. What you want to use is these environment variables. Now, tools like Test Kitchen and Vagrant, even knife-windows, might provide courtesy configuration files where you can set those properties and they will set the environment variables for you: your Vagrantfile, your kitchen.yml, your knife.rb all have different settings. But what I can tell you is that if you just set these environment variables within the console that you're running these tools from, that should get you properly configured with your proxy.
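The mechanism described above, as an added example that is not part of the talk and not code from the WinRM gem: a PowerShell function that reads the WinINET proxy settings native Windows programs honour (the values behind the Internet Options dialog, stored under HKCU) and exports them as the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables that the Ruby WinRM gem, Test Kitchen, Vagrant and knife-windows actually read. The function name, the `-AlsoBypass` parameter and the exact NO_PROXY matching rules are assumptions of this example.

```powershell
# Added example (not the talk's or the gem's code). Translate WinINET proxy
# settings into the environment variables cross-platform tools consult.
# Run it in the same console you launch kitchen / knife / vagrant from.

function Export-WinInetProxyToEnv {
    param([string[]] $AlsoBypass = @())   # WinRM target hosts the proxy must not intercept

    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    if ($inet.ProxyEnable -ne 1 -or -not $inet.ProxyServer) {
        Write-Host 'WinINET has no proxy enabled; leaving environment variables alone.'
        return
    }

    # ProxyServer is either "host:port" (one proxy for every scheme) or a
    # per-scheme list such as "http=proxy:8080;https=proxy:8443;ftp=...".
    $http  = $null
    $https = $null
    if ($inet.ProxyServer -match '=') {
        foreach ($pair in ($inet.ProxyServer -split ';')) {
            $scheme, $endpoint = $pair -split '=', 2
            switch ($scheme.Trim().ToLower()) {
                'http'  { $http  = $endpoint.Trim() }
                'https' { $https = $endpoint.Trim() }
            }
        }
    } else {
        $http  = $inet.ProxyServer.Trim()
        $https = $inet.ProxyServer.Trim()
    }

    # The env-var form needs a scheme. An HTTPS *target* is still reached
    # through a plain HTTP CONNECT to the proxy, hence http:// for both.
    if ($http)  { $env:HTTP_PROXY  = "http://$http" }
    if ($https) { $env:HTTPS_PROXY = "http://$https" }

    # ProxyOverride is semicolon separated and uses WinINET-only spellings:
    # "<local>" for unqualified names, "*.corp.example.com" for wildcards.
    # NO_PROXY is comma separated; the leading-dot suffix form is the most
    # widely understood (assumption: check your HTTP client's matching rules).
    $bypass = @('localhost', '127.0.0.1') + $AlsoBypass
    if ($inet.ProxyOverride) {
        foreach ($entry in ($inet.ProxyOverride -split ';')) {
            $e = $entry.Trim()
            if (-not $e -or $e -eq '<local>') { continue }
            $bypass += ($e -replace '^\*\.', '.')
        }
    }
    $env:NO_PROXY = ($bypass | Select-Object -Unique) -join ','

    [pscustomobject]@{
        HTTP_PROXY  = $env:HTTP_PROXY
        HTTPS_PROXY = $env:HTTPS_PROXY
        NO_PROXY    = $env:NO_PROXY
    }
}

# Usage: list the nodes you will talk WinRM to, so the proxy never sees them.
Export-WinInetProxyToEnv -AlsoBypass 'win-node-01.corp.example.com', '.corp.example.com'
```

The `-AlsoBypass` list is the part that avoids the failure mode from the story above: a corporate egress proxy that is allowed to intercept port 5985 traffic to an internal node is exactly what produces the misleading "something is listening" symptom, so the WinRM targets belong in NO_PROXY even when the proxy itself is correct.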
Switching over to authorization: this is a much smaller topic, and there are really just two things that I'm going to home in on here. The first thing is you want to be an administrator. The credentials that you're using to log into the remote machine need to be administrator. There is a small caveat there: the PowerShell Remoting protocol gets around that a little bit, but of course you have to know that you're using the PowerShell Remoting protocol, which may be a little difficult to tell under the hood. So I'd always say: if you're using the PowerShell Remoting protocol, and if you're using Test Kitchen you should be fine here, you don't have to be the administrator, but what you do have to do is be in the Remote Management Users group on that machine, or in a group that's in the Remote Management Users group on that machine. The other point here, which can actually throw you for much more of a loop, is this. Let's look at a server that is not domain-joined, it's workgroup-joined, and WinRM is enabled, either manually or by default. At the point that WinRM is turned on, we talked about it: it starts the listeners, it starts the web service, it enables the firewall rules. The other thing that it does, if the machine is workgroup-joined, is it creates and sets a registry key called LocalAccountTokenFilterPolicy to 1, and that tells the operating system that it's OK to authenticate a local account remotely. However, if that machine is domain-joined when WinRM is enabled, it does not set that. And that can be very confusing, especially, let's say, you're playing with this WinRM stuff for the first time, you fire it up on a node in your corporate environment, because you have provisioning that makes it easy for you, and you
don't go to the trouble of using a domain account, you know, because on every Windows machine we have a built-in Administrator account, so you just think, what the heck, it's not production, I can use the built-in Administrator account; I know for sure that I have the password right. And you're being told that your access is denied, and you're not being told, "I'm sorry, it looks like you're using a local account"; it's not all that clear. So that's definitely something to look at if you find yourself in that situation. So next, we talked about what to do; now I'll tell you something not to do. It is never the right thing. Well, I don't consider myself an absolutist, and I suppose if I were debugging something I might turn on Basic authentication because I want to see the credentials going over the wire, within my own environment. At any rate, this is not a good idea if you're really fond of your password and you don't want others to see it. You're going to find documentation that's going to tell you to turn on Basic authentication and to enable unencrypted traffic. That's a bad idea. It used to be that that's what you had to do: we used to not have a native NTLM implementation in Ruby, so we had to do this; this was the only kind of authentication we could do, and the security workaround was basically telling people to use HTTPS. So we used HTTPS with SSL. Now we have a working NTLM implementation, and all of the major applications that use the WinRM gem by default set the authentication to NTLM, so you have to explicitly tell it to use Basic authentication. I'm telling you there's never a reason to.
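The two authorization pitfalls and the authentication settings discussed above, as an added example that is not part of the talk: a PowerShell check to run locally on the target node (over RDP, say) when a WinRM logon is refused. It reports whether the box is domain-joined, whether LocalAccountTokenFilterPolicy is set, whether the account is an administrator or in Remote Management Users, and whether Basic authentication or unencrypted traffic has been switched on at the service. The function name and the warning text are this example's own; the registry path, group names and WSMan: provider paths are the standard Windows ones.

```powershell
# Added example (not the talk's code). Diagnose why a WinRM logon is denied
# and whether the service has been loosened in the way the talk warns against.

function Test-WinRmAuthConfig {
    param([string] $User = 'Administrator')   # the account you are logging on with

    $cs      = Get-CimInstance -ClassName Win32_ComputerSystem
    $polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol     = Get-ItemProperty -Path $polPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

    # Group members are reported as "HOSTNAME\user" or "DOMAIN\user".
    $inGroup = {
        param($group)
        [bool](Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*\$User" })
    }

    $result = [pscustomobject]@{
        ComputerName                  = $cs.Name
        DomainJoined                  = $cs.PartOfDomain
        LocalAccountTokenFilterPolicy = if ($pol) { $pol.LocalAccountTokenFilterPolicy } else { '(not set)' }
        IsAdministrator               = & $inGroup 'Administrators'
        IsRemoteManagementUser        = & $inGroup 'Remote Management Users'
        # WSMan: values are the strings "true" / "false"
        ServiceBasicAuth              = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        ServiceNegotiateAuth          = (Get-Item WSMan:\localhost\Service\Auth\Negotiate).Value
        ServiceAllowUnencrypted       = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    }

    # Pitfall 2 from the talk: WinRM only sets the key on workgroup machines.
    if ($result.DomainJoined -and $result.LocalAccountTokenFilterPolicy -ne 1) {
        Write-Warning "Domain-joined and LocalAccountTokenFilterPolicy is not 1: a LOCAL account such as $User will get 'Access is denied'. Prefer a domain account."
    }
    # Pitfall 1: must be an administrator, or (PowerShell Remoting) in Remote Management Users.
    if (-not $result.IsAdministrator -and -not $result.IsRemoteManagementUser) {
        Write-Warning "$User is neither an Administrator nor a member of 'Remote Management Users'."
    }
    # The thing not to do: Basic + unencrypted puts the password on the wire.
    if ($result.ServiceBasicAuth -eq 'true' -or $result.ServiceAllowUnencrypted -eq 'true') {
        Write-Warning 'Basic auth and/or AllowUnencrypted is on; turn them back off and let clients negotiate NTLM.'
    }
    $result
}

Test-WinRmAuthConfig -User 'Administrator'

# Hardening, run as an administrator on the node:
#   Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
#   Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
# Only if you really must use a local account on a domain-joined box (this
# relaxes UAC's remote restrictions for every local account, so prefer a domain user):
#   New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
#       -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
```

`Get-LocalGroupMember` ships with Windows PowerShell 5.1 and later; on older hosts `net localgroup "Remote Management Users"` gives the same membership list.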
So, the last thing I want to talk about. We've managed to connect, we've managed to log in, you're doing stuff, you're deleting files, you're creating directories, exciting stuff, and then we try to do something and it just doesn't work. We did that same thing locally and it worked, on the same node even; you can do it over RDP, if you ordinarily forget WinRM and do everything over RDP, that kind of stuff. So be aware that there is a small, and I really do mean that it is quite small, but there are a couple of significant ones in here, a small set of APIs that will not allow remote users to call certain methods. The example that is probably the most famous, the one that got me for a while, is the Windows Update API. So you cannot install Windows updates over normal WinRM; that simply can't be done. But what you can do is this: there is no restriction on the Scheduled Task API over WinRM, so over WinRM you can create a scheduled task and invoke it, and when the task runs, it is being run by the Task Scheduler, not by the remotely logged-in user, just as if it were run at the local command line. This was supposed to be a security feature to protect us; it's not doing a great job of that. I'm not going to rant about it; we have all these people listening. So anyway, we've actually created a gem to do just this, and it provides all the mechanics for you, and all the applications that use the Ruby WinRM gem have a way of doing this. So for example, Test Kitchen: there is an elevated property in the WinRM settings that you can set to true; it is not on by default. And likewise
in knife-windows, if you're using the knife winrm command, that shell parameter we talked about, the one that takes cmd and powershell, also takes elevated. So if you give it the elevated shell, any command you run, it will create the scheduled task, run the scheduled task, grab onto the process that task runs in, and stream the output back to the application. So to the application using the winrm-elevated gem it's totally transparent; it looks just like you're using WinRM, but you're actually doing it through a scheduled task.
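The scheduled-task trick described above, as an added example that is not part of the talk and is not the winrm-elevated gem's code: a hand-rolled PowerShell function you can paste into an ordinary WinRM session. It registers a one-off task that runs the command under the Task Scheduler with the highest available token, waits for it, and reads the output back from a file. The function name, the polling loop, the temp-file hand-off and the S4U logon type are this example's choices; the gem itself registers the task with explicit credentials.

```powershell
# Added example (not the talk's or the gem's code). Run a command through
# Task Scheduler from inside a WinRM session so it executes under a local,
# elevated token instead of the restricted WinRM logon token.

function Invoke-ViaScheduledTask {
    param(
        [Parameter(Mandatory)] [string] $Command,
        [int] $TimeoutSeconds = 300
    )
    $taskName = "winrm-elevated-$([guid]::NewGuid())"
    $outFile  = Join-Path $env:TEMP "$taskName.log"

    # Wrap the caller's command so every output stream lands in $outFile and a
    # terminating error becomes exit code 1; base64-encode it so the command
    # line needs no quoting.
    $script  = "try { & { $Command } *> '$outFile' } catch { `$_ | Out-File '$outFile' -Append; exit 1 }"
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand $encoded"
    # Same account that authenticated over WinRM, started by the scheduler with
    # its highest token. S4U stores no password (and has no network access);
    # pass -User/-Password to Register-ScheduledTask instead if you need that.
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
        -LogonType S4U -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal | Out-Null

    try {
        Start-ScheduledTask -TaskName $taskName
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 1
            $state  = (Get-ScheduledTask -TaskName $taskName).State
            $result = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
            # 0x41303 = task has not yet run, 0x41301 = task is currently running
        } while ((($state -in @('Running', 'Queued')) -or ($result -in @(0x41303, 0x41301))) -and (Get-Date) -lt $deadline)

        if ((Get-Date) -ge $deadline) { throw "Task $taskName did not finish within $TimeoutSeconds seconds" }

        [pscustomobject]@{
            ExitCode = $result
            Output   = if (Test-Path $outFile) { Get-Content -Path $outFile -Raw } else { '' }
        }
    } finally {
        # Leave nothing behind: the task definition and the output file.
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
        Remove-Item -Path $outFile -ErrorAction SilentlyContinue
    }
}

# In a plain WinRM shell this reports a Medium/High mandatory level depending on
# UAC filtering; through the task it is the scheduler-launched, elevated token.
Invoke-ViaScheduledTask -Command 'whoami /groups | findstr /i "Mandatory Level"'
```

The same security observation the speaker makes applies to this code: anyone allowed to register and start tasks over WinRM can use it to reach the APIs that were meant to be off-limits to remote callers, so the restriction on those APIs is a speed bump rather than a boundary.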
So that's all the information I have to share with you. These resources: the top one is a blog post I wrote a little over a year ago, and I've updated it a couple of times. It's a guide to troubleshooting WinRM; it has a lot of the information we just talked about, but in more detail and with the actual code that you can use. The last two are the actual specifications, the PDFs, the Bible for those two protocols, WinRM and PowerShell Remoting; I include those. So thank you so much.