The WinRM client cannot process the request
Enter-PSSession -ComputerName 10.0.2.4 -Credential 10.0.2.4\psadmin
In some cases, you get the error below when you run a PowerShell command remotely, even though you've enabled PSRemoting on both the local and remote hosts.
PS C:\Windows\system32> Enter-PSSession -ComputerName 10.0.2.4 -Credential 10.0.2.4\psadmin
Enter-PSSession : Connecting to remote server 10.0.2.4 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not
be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName 10.0.2.4 -Credential 10.0.2.4\psadmin
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (10.0.2.4:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed.
When we test the connection from the local machine to the remote machine, everything looks OK.
PS C:\Windows\system32> Test-NetConnection 10.0.2.4 -Port 5985
ComputerName : 10.0.2.4
RemoteAddress : 10.0.2.4
RemotePort : 5985
InterfaceAlias : Ethernet
SourceAddress : 10.0.2.15
TcpTestSucceeded : True
PS C:\Windows\system32> Test-WSMan 10.0.2.4
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
A check on the remote host shows that the WinRM service is running and that the host is configured to receive remote commands.
PS C:\> Get-Service -Name "*WinRM*"
Status Name DisplayName
------ ---- -----------
Running WinRM Windows Remote Management (WS-Manag...
PS C:\> New-PSSession
Id Name ComputerName ComputerType State ConfigurationName
-- ---- ------------ ------------ ----- -----------------
1 WinRM1 localhost RemoteMachine Opened Microsoft.PowerShell
The solution
You get this error because the ComputerName parameter of the New-PSSession, Enter-PSSession and Invoke-Command cmdlets accepts an IP address as a valid value. However, Kerberos authentication doesn't support IP addresses, so when you specify an IP address, NTLM authentication is used.
PS C:\Windows\system32> Get-ChildItem -Path WSMan:\localhost\Service\Auth\
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String Basic false
System.String Kerberos true
System.String Negotiate true
System.String Certificate false
System.String CredSSP false
System.String CbtHardeningLevel Relaxed
To support NTLM authentication, you must meet the following requirements:
- Configure the computer for HTTPS transport or add the IP addresses of the remote computers to the TrustedHosts list on the local computer.
- Use the Credential parameter in all remote commands. This is required even when you connect as the current user.
By default, the TrustedHosts list is empty on every computer, so you cannot send commands to any remote computer that is not in the domain. You can get the list with the command below:
PS C:\> Get-Item WSMan:\localhost\client\TrustedHosts
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String TrustedHosts
Add the remote computer name or IP address to the TrustedHosts list using the Set-Item cmdlet, as shown below:
PS C:\> Set-Item WSMan:\localhost\client\TrustedHosts -Value '10.0.2.6' -Concatenate -Force
PS C:\> Get-Item WSMan:\localhost\client\TrustedHosts
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String TrustedHosts 10.0.2.6
Note that the -Concatenate parameter is mandatory if you want to add multiple computers; otherwise, every time you run the Set-Item command, it overwrites the old values in the TrustedHosts list. The -Force parameter is optional; it suppresses the confirmation (Yes/No) prompt.
You can also allow remote connections to all computers. This is usually not recommended, because one of the major disadvantages of NTLM authentication is that it is vulnerable to various malicious attacks, and, as the error message above notes, computers in the TrustedHosts list might not be authenticated:
Set-Item WSMan:\localhost\client\TrustedHosts -Value * -Force
Once done, you can try to connect to the remote host with PSRemoting to verify it works.
PS C:\Windows\system32> Enter-PSSession -ComputerName 10.0.2.6 -Credential 10.0.2.6\admin
[10.0.2.6]: PS C:\Users\admin\Documents> Restart-Computer -Force
[10.0.2.6]: PS C:\Users\admin\Documents>
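One way to keep the TrustedHosts list scoped to explicit hosts instead of the `*` wildcard, shown as an added example that is not part of the original article. The function names are hypothetical, and the code assumes an elevated PowerShell session on the client.

```powershell
# Added example: function names are hypothetical, not built-in cmdlets.
$TrustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'

function Get-TrustedHostList {
    # TrustedHosts is stored as one comma-separated string; return it as entries.
    $value = (Get-Item -Path $TrustedHostsPath).Value
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-TrustedHostList {
    # Flag entries containing a wildcard: they trust more than a single host.
    Get-TrustedHostList | ForEach-Object {
        [pscustomobject]@{ Entry = $_; Wildcard = $_.Contains('*') }
    }
}

function Add-TrustedHostEntry {
    param([Parameter(Mandatory)][string]$HostName)
    if ($HostName.Contains('*')) {
        throw "Refusing wildcard entry '$HostName'; add explicit hosts instead."
    }
    # -contains is case-insensitive, so an existing entry is not added twice.
    if ((Get-TrustedHostList) -contains $HostName) { return }
    Set-Item -Path $TrustedHostsPath -Value $HostName -Concatenate -Force
}

function Remove-TrustedHostEntry {
    param([Parameter(Mandatory)][string]$HostName)
    # Rewrite the list without the entry; clear it when nothing remains.
    $remaining = @(Get-TrustedHostList | Where-Object { $_ -ne $HostName })
    if ($remaining.Count -eq 0) {
        Clear-Item -Path $TrustedHostsPath -Force
    } else {
        Set-Item -Path $TrustedHostsPath -Value ($remaining -join ',') -Force
    }
}

# Usage with the address from the article: add it, review the list,
# and remove it again once the remote work is finished.
Add-TrustedHostEntry -HostName '10.0.2.6'
Test-TrustedHostList | Format-Table -AutoSize
Remove-TrustedHostEntry -HostName '10.0.2.6'
```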