[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Problem with Exchange 2010 and WinRM

Posted on 2009-12-18
Medium Priority
Last Modified: 2012-05-08

I have a problem with Exchange 2010 on Windows server 2008 R2 (domain member).

Oponing the console or shell throws the following error:

[server185] Connecting to remote server failed with the following error message : The WinRM client cannot
process the request. The WinRM client tried to use Kerberos authentication mechanism, but the destination computer (server185:80) returned an 'access denied' error. Change the configuration to allow Kerberos authentication me
chanism to be used or specify one of the authentication mechanisms supported by the server. To use Kerberos, specify th
e local computer name as the remote destination. Also verify that the client computer and the destination computer are
joined to a domain. To use Basic, specify the local computer name as the remote destination, specify Basic authenticati
on and provide user name and password. Possible authentication mechanisms reported by server:     Negotiate For more in
formation, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
    + FullyQualifiedErrorId : PSSessionOpenFailed

I have tried lot of solutions I have found on Google, but non of them worked.
Any ideas?
Question by:ironx
  • 5
  • 2
  • 2
LVL 33

Expert Comment

ID: 26087954
which version of Exchange 2010 you are using are you using RTM version, also do you use the latest winrm versions?

Author Comment

ID: 26088162

No, it's the full Enterprise version downloaded from MSDN.
Everything is the latest and up-to-date.
LVL 33

Expert Comment

ID: 26089693
do you use outlook live?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

LVL 12

Expert Comment

ID: 26089834
Open IIS manager and let me know the Authentication Settings in Powershell Virtual Directory.. try Only with Windows Integrated Authentication on Powershell VDIR

Author Comment

ID: 26193359
I have now a different problem with the server, so I have to reinstall Windows... but not right now.
I'll be back in a few weeks.

Thanks anyway.

Author Comment

ID: 26273101
I have re-installed the server...

Windows Server 2008 Enterprise (all updates)
All pre-requirements of Exchange 2010...

Tried running setup /PrepareAD and /preparelegacyexchangepermissions /prepareschema / preparedomain one-by-one. Both ways the same error:


G:\>setup /preparedomain

Welcome to Microsoft Exchange Server 2010 Unattended Setup

By continuing the installation process, you agree to the license terms of
Microsoft Exchange Server 2010. If you don't accept these license terms,
please cancel the installation. To review these license terms, please go to

Press any key to cancel setup................
No key presses were detected.  Setup will continue.
Preparing Exchange Setup

    Copying Setup Files              ......................... COMPLETED

No server roles will be installed

Performing Microsoft Exchange Server Prerequisite Check

    Organization Checks              ......................... COMPLETED

Configuring Microsoft Exchange Server

    Prepare Domain Progress          ......................... FAILED
     The following error was generated when "$error.Clear(); if ($RolePrepareAll
Domains) { initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:$Rol
eIsDatacenter; } elseif ($RoleDomain -ne $null) { initialize-DomainPermissions -
Domain $RoleDomain -CreateTenantRoot:$RoleIsDatacenter; } else { initialize-Doma
inPermissions -CreateTenantRoot:$RoleIsDatacenter; }" was run: "Length of the ac
cess control list exceed the allowed maximum.".

The Exchange Server setup operation did not complete. Visit http://support.micro
soft.com and enter the Error ID to find more information.

Exchange Server setup encountered an error.


Tried cleaning out AD, with ADSIedit (extended-rights and services) but no luck.

Any ideas?

Author Comment

ID: 26273117
I'm wondering if there's a way of cleaning out Exchange totally from AD?
LVL 12

Expert Comment

ID: 26284167
Open ADSIEDIT and under configuration container > Services>Microsoft Exchange> ORG Name> Servers

Delete the server name and reinstall

Accepted Solution

ironx earned 0 total points
ID: 26284791

I've already tryed that, and worked a few times ;)
However I've found the solution... and the major problem causing the error above.
Beside the Exchange Organization I've deleted everything connected to Exchange with ADSIedit, including Exchange Security Groups. And that was the problem, because everytime I've tried to ADprepare the installation the groups were created and added to the Domain Member computer running Exchange.
So the new and old groups filled up the ACL. causing:
"Length of the access control list exceed the allowed maximum.".

After clearing the ACL, Exchange was willing to install.

Now WinRM works too.

Thank you everyone for the help.

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to effectively resolve the number one email related issue received by helpdesks.
Mailbox Corruption is a nightmare every Exchange DBA wishes he never has. Recovering from it can be super-hectic if not entirely futile. And though techniques like the New-MailboxRepairRequest cmdlet have been designed to help with fixing minor corr…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question