Exchange 2010 WinRM/Kerberos Error + Autodiscover

Posted on 2012-08-22
Last Modified: 2013-03-13

After previous team members STIG'd the Exchange environment here, odd things started occurring that we can't seem to nail down the root cause of...

1. Management Tool Console (only functions on 1 server all other attempts have this error):
"The attempt to connect to http://SERVER.DOMAIN/PowerShell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM Client cannot complete the operation within the time specified.  Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management Service is enabled."
I've created a specific Firewall rule to troubleshoot this, tied it to the service winrm and allowed all connections both incoming and outgoing for both the main server and the server attempting to connect to it.

2. Autodiscover will NOT stay functioning... seems like as soon as I get it to work it breaks a few days later.  There was no "Require SSL" set on the Autodiscover VD and once I set that and restarted IIS I was able to test OK. Three days later it stopped working for some reason, and there have been no changes with Internal URL, DNS, etc. and no event logs.  It just pops up a server unavailable error and then crashes Outlook on the second attempt to launch Out of Office.  The original testing of Autodiscover seemed like it wasn't able to resolve any URLs on the client side; once I put on SSL require for that Virtual Directory it would work immediately and for a few days, then it stopped working again.

I've looked at a lot of webpages out there and haven't found any that resolve my issue.  Google doesn't even pull up any I haven't seen yet.  

I will be doing the following tool but am awaiting approval and also am doubtful that it will help since MS's whitepaper on the Exchange management connection issues doesn't apply at all to the error above.

I have downloaded and used and while it is a great tool it hasn't helped me.  

Any help would be greatly appreciated!

Exchange 2010 SP1 (SP2 install failed during last maintenance window, awaiting a new scheduled chance)
Windows Server 2008 R2 Ent SP1
Question by:convergencetech

    Expert Comment

    Stop the antivirus and reboot and check.

    Author Comment

    I have checked my WINRM config as well, here's a portion of what it says:
    MaxEnvelopeSize = 150
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Basic = TRUE
    Digest = TRUE
    Negotiate = True
    Certificate = True
    CredSSP = False
    Default Ports:
    HTTP = 5985
    HTTPS = 5986
    TrustedHosts = *.<CHILDDOMAIN>,*<ROOTDOMAIN>
    <a few lines not applicable to this I think and since I am typing it out I'm going to skip unless needed>
    EnumerationTimeoutms = 60000
    Basic = False
    Negotiate = True
    Certificate = False
    CredSSP = False
    cbtHardeningLevel = Relaxed
    AllowRemoteShellAccess = true

    I did notice that the CertificateThumbprint was blank and don't have another environment to look at to compare if they are all that way.

    BTW, I only have 1 live environment. Nowhere to test things...
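
Since the console works from one server and fails from the others, the full output of winrm get winrm/config from a working and a failing machine can be compared setting by setting. The script below is an added example, not part of the original thread: the function names ConvertFrom-WinrmConfig and Compare-WinrmConfig are made up for it and the sample text is constructed. It keys each setting by its section path, because names such as Basic and Negotiate appear under both Client/Auth and Service/Auth, as in the listing above.

```powershell
function ConvertFrom-WinrmConfig {
    param([string]$Text)
    $result = @{}
    $open   = @{}    # indentation width -> name of the section open at that level
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -notmatch '\S') { continue }
        $depth = $line.Length - $line.TrimStart().Length
        # Close every section that is not a parent of this line.
        foreach ($d in @($open.Keys)) { if ($d -ge $depth) { $open.Remove($d) } }
        $parents = @($open.Keys | Sort-Object | ForEach-Object { $open[$_] })
        if ($line.Trim() -match '^(\S+)\s*=\s*(.*)$') {
            $result[(($parents + $Matches[1]) -join '/')] = $Matches[2]
        } else {
            # Section header, or a setting printed with no value.
            $open[$depth] = $line.Trim()
            $result[(($parents + $line.Trim()) -join '/')] = ''
        }
    }
    $result
}
function Compare-WinrmConfig {
    param([hashtable]$Working, [hashtable]$Failing)
    foreach ($key in (@($Working.Keys) + @($Failing.Keys) | Sort-Object -Unique)) {
        $w = if ($Working.ContainsKey($key)) { $Working[$key] } else { '<absent>' }
        $f = if ($Failing.ContainsKey($key)) { $Failing[$key] } else { '<absent>' }
        if ($w -ne $f) {
            New-Object PSObject -Property @{ Setting = $key; Working = $w; Failing = $f } |
                Select-Object Setting, Working, Failing
        }
    }
}
# Constructed sample text, not the poster's data. Real input: winrm get winrm/config | Out-String
$working = @'
Client
    Auth
        Basic = true
Service
    Auth
        Basic = false
        Kerberos = true
'@
$failing = @'
Client
    Auth
        Basic = true
Service
    Auth
        Basic = true
'@
Compare-WinrmConfig (ConvertFrom-WinrmConfig $working) (ConvertFrom-WinrmConfig $failing)
```

Only settings that differ are listed; a setting present on one machine and missing on the other shows as <absent>, and one printed with no value shows as an empty string.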

    Author Comment

    I have actually gone as far as uninstalling the AV on both the Exchange server and the client to test Autodiscover and it had no effect.

    Accepted Solution

    I would suggest that you do the following:

    a. Reset the virtual directories. This is done through the management console on SP2, I think it is a new feature to SP2, so as you aren't on that you will have to do it the slow way.

    b. Get the SSL certificate rekeyed. So create a new request through the wizard in Exchange and install the response.

    The WINRM error is very common and is often an IIS issue, which can be SSL certificate related.

    Exchange 2010 SP2 might fix a lot of the issues as that effectively reinstalls the product.

