GLPI Agent remote inventory of Windows computers

pwsoe · 2022-07-04 06:20:20

Hi All,

We are running GLPI 10.0.1 on Ubuntu 22.04 LTS. Installed GLPI Inventory plugin from the market place and it's working ok. I installed GLPI agent on the same server using (glpi-agent-1.3-linux-installer.pl).

I have been trying to remote (agentless) inventory of other computers in the network. Inventorying other Linux servers using SSH works great. However, I can't inventory any Windows computers with winrm. I used my AD credentials to do the inventory tasks.

I tested the winrm connection from the server to the target computers like below and got reply 0, which means the winrm connection is ok.

$ nc -z -w1 <Windows computer IP address> 5985;echo $?

I tried all sorts of options to add those computers:

- glpi-remote add winrm://'johndoe@mydomain.com':'doejohn-password'@192.168.1.23
- glpi-remote add winrm://'johndoe':'doejohn-password'@192.168.1.23
- glpi-remote add winrm://johndoe:doejohn-password@192.168.1.23

But nothing worked and I got below error all the time.

[error] [http client] authentication required, wrong credentials
'winrm://johndoe:****@192.168.1.23' check failure: Winrm identify request failure: 401 Unauthorized

Can someone please let me know if I am doing anything wrong?

Thank you so much.

cconard96 · 2022-07-04 14:02:55

Hello,

Does the password contain special characters?
Could you try encoding the username and password, separated by a ":", as Base64 and use that instead in the URI?
That should allow the sending of special characters that would otherwise need to be escaped because they have special meanings in URIs.
For example, a username of "johndoe" and password of "doejohn-password" would be "am9obmRvZTpkb2Vqb2huLXBhc3N3b3Jk".

pwsoe · 2022-07-05 07:55:12

Hello cconrad,

The password I am using does have special characters and it's probably the reason of the complaints. I tried like you advised and got this response.

glpi-remote add winrm://J2NiYlFua1xfeglvd2Fpc29lJzonMTQ4MlRoYW90Kic=@192.168.3.51
[error] [http client] authentication required, no credentials available
[error] [http client] authentication required, no credentials available
[error] [http client] authentication required, no credentials available
[error] Winrm: Failed to request Win32_ComputerSystem: 401 Unauthorized
'winrm://J2NiYlFua1xfeglvd2Fpc29lJzonMTQ4MlRoYW90Kic=:****@192.168.3.51' check failure: Can't retrieve remote hostname

Apparently, the command is expecting in the format of username:password and doesn't respond well when I combined them into one base64 string.

I also tried things like only encoding the password part but the command treats that as a normal text and not as an encoded string as you can see below.

glpi-remote add winrm://johndoe:MTQ4MlRoYW50Kg==@10.20.200.51
[error] [http client] authentication required, wrong credentials
'winrm://johndoe:****@10.20.200.51' check failure: Winrm identify request failure: 401 Unauthorized

Is there anything else I should try?

Thank you.

cconard96 wrote:

Hello,
Does the password contain special characters?
Could you try encoding the username and password, separated by a ":", as Base64 and use that instead in the URI?
That should allow the sending of special characters that would otherwise need to be escaped because they have special meanings in URIs.
For example, a username of "johndoe" and password of "doejohn-password" would be "am9obmRvZTpkb2Vqb2huLXBhc3N3b3Jk".

Last edited by pwsoe (2022-07-05 07:56:08)

gbougard · 2022-07-05 09:31:21

Hi,

I don't see why base64 encoded fields should work with the agent. I didn't coded that support.

But you can set environment variables USERNAME & PASSWORD as reported in man page.

Anyway can you show a random password containing your special chars, maybe they have a meaning on commandline we can help you to escape. But before, just try to escape your special char with "\". Or can you try to escape like this:

git remote add 'winrm://johndoe:doejohn-password@192.168.1.23'

pwsoe · 2022-07-05 09:44:29

Hello gbougard,

The previous account I was testing has an asterisk ( * ). But testing with another account that doesn't have any special characters at all in the password failed too.

I tried these and the result is the same.

glpi-remote add 'winrm://glpitest:simplepassword@10.2.65.30' --debug

glpi-remote add winrm://glpitest:simplepassword@10.2.65.30 --debug

glpi-remote add 'winrm://glpitest:simplepassword@10.2.65.30' --debug
Current vardir: /var/lib/glpi-agent
[debug] Logger backend Stderr initialized
[debug] [http client] authentication required, submitting credentials
[error] [http client] authentication required, wrong credentials
[debug] 401 Unauthorized
'winrm://glpitest:****@10.2.65.30' check failure: Winrm identify request failure: 401 Unauthorized

I will now try setting the USERNAME & PASSWORD like you advised. Thanks.

edit: Using the USERNAME & PASSWORD as environment variables produced the same error.

gbougard wrote:

Hi,
I don't see why base64 encoded fields should work with the agent. I didn't coded that support.
But you can set environment variables USERNAME & PASSWORD as reported in ....
Anyway can you show a random password containing your special chars, maybe they have a meaning on commandline we can help you to escape. But before, just try to escape your special char with "\". Or can you try to escape like this:
git remote add 'winrm://johndoe:doejohn-password@192.168.1.23'

Last edited by pwsoe (2022-07-06 15:15:42)

sim72 · 2022-11-18 16:52:15

Following this procedure from the link bellow I've manage to to setup winrm.
hxxps://docs.vmware.com/en/vRealize-Orchestrator/8.4/com.vmware.vrealize.orchestrator-use-plugins.doc/GUID-D4ACA4EF-D018-448A-866A-DECDDA5CC3C1.html

1. Run the following command to set the default WinRM configuration values

c:\> winrm quickconfig

2. (Optional) Run the following command to check whether a listener is running, and verify the default ports.

c:\> winrm e winrm/config/listener

3. Enable basic authentication on the WinRM service

c:\> winrm get winrm/config/service

c:\> winrm set winrm/config/service/auth @{Basic="true"}

4. Run the following command to allow transfer of unencrypted data on the WinRM service

c:\> winrm set winrm/config/service @{AllowUnencrypted="true"}

5. If the channel binding token hardening level of the WinRM service is set to strict, change its value to relaxed.

c:\> winrm set winrm/config/service/auth @{CbtHardeningLevel="relaxed"}

6. Enable basic authentication on the WinRM client

# Run the following command to check whether basic authentication is allowed
c:\> winrm get winrm/config/client

# Run the following command to enable basic authentication
c:\> winrm set winrm/config/client/auth @{Basic="true"}

7. Run the following command to enable basic authentication

c:\> winrm set winrm/config/client @{AllowUnencrypted="true"}

8. If the WinRM host machine is in an external domain, run the following command to specify the trusted hosts.

c:\> winrm set winrm/config/client @{TrustedHosts="host1, host2, host3"}

9. Run the following command to test the connection to the WinRM service

c:\> winrm identify -r:http://winrm_server:5985 -auth:basic -u:admin -p:simple_password -encoding:utf-8

#Output (in my case)
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 2.0

Now with the right credentials I get

sudo glpi-remote add winrm://admin:simple_password@10.0.0.15 --debug

#Output

Current vardir: /var/lib/glpi-agent
[debug] Logger backend Stderr initialized
[debug] [http client] authentication required, submitting credentials
[debug] [http client] authentication required, trying basic with admin user (WSMAN)
[debug] Got message not related to our run method operation
[debug] The WS-Management service cannot process the request. The resource URI is missing or it has an incorrect format. Check the documentation or use the following command for information on how to construct a resource URI: "winrm help uris". 
[error] Winrm: Failed to request Win32_ComputerSystem: The WS-Management service cannot process the request. The resource URI is missing or it has an incorrect format. Check the documentation or use the following command for information on how to construct a resource URI: "winrm help uris". 
'winrm://admin:****@10.0.0.15' check failure: Can't retrieve remote hostname

With wrong credentials

sudo glpi-remote add winrm://admin:wrong_password@10.0.0.15 --debug

Current vardir: /var/lib/glpi-agent
[debug] Logger backend Stderr initialized
[debug] [http client] authentication required, submitting credentials
[debug] [http client] authentication required, trying basic with dmin user (WSMAN)
[debug] [http client] basic authentication failed
[error] [http client] authentication required, wrong credentials
[debug] 401 Unauthorized
'winrm://admin:****@10.0.0.15' check failure: Winrm identify request failure: 401 Unauthorized

sudo glpi-agent --version

GLPI Agent (1.4-1)
Built by Debian
Source time: 2022-07-01 09:21

pwsoe · 2022-11-21 09:22:26

Thanks. I will give it a try. There are many changes to be done for this "agentless" method and perhaps it would be simpler to just install the agent on the machine concerned.

sim72 wrote:

Following this procedure from the link bellow I've manage to to setup winrm.
hxxps://docs.vmware.com/en/vRealize-Orchestrator/8.4/com.vmware.vrealize.orchestrator-use-plugins.doc/GUID-D4ACA4EF-D018-448A-866A-DECDDA5CC3C1.html

1. Run the following command to set the default WinRM configuration values

c:\> winrm quickconfig

2. (Optional) Run the following command to check whether a listener is running, and verify the default ports.

c:\> winrm e winrm/config/listener

3. Enable basic authentication on the WinRM service

c:\> winrm get winrm/config/service

c:\> winrm set winrm/config/service/auth @{Basic="true"}

4. Run the following command to allow transfer of unencrypted data on the WinRM service

c:\> winrm set winrm/config/service @{AllowUnencrypted="true"}

5. If the channel binding token hardening level of the WinRM service is set to strict, change its value to relaxed.

c:\> winrm set winrm/config/service/auth @{CbtHardeningLevel="relaxed"}

6. Enable basic authentication on the WinRM client

# Run the following command to check whether basic authentication is allowed
c:\> winrm get winrm/config/client

# Run the following command to enable basic authentication
c:\> winrm set winrm/config/client/auth @{Basic="true"}

7. Run the following command to enable basic authentication

c:\> winrm set winrm/config/client @{AllowUnencrypted="true"}

8. If the WinRM host machine is in an external domain, run the following command to specify the trusted hosts.

c:\> winrm set winrm/config/client @{TrustedHosts="host1, host2, host3"}

9. Run the following command to test the connection to the WinRM service

c:\> winrm identify -r:http://winrm_server:5985 -auth:basic -u:admin -p:simple_password -encoding:utf-8

#Output (in my case)
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 2.0

Now with the right credentials I get

sudo glpi-remote add winrm://admin:simple_password@10.0.0.15 --debug

#Output

Current vardir: /var/lib/glpi-agent
[debug] Logger backend Stderr initialized
[debug] [http client] authentication required, submitting credentials
[debug] [http client] authentication required, trying basic with admin user (WSMAN)
[debug] Got message not related to our run method operation
[debug] The WS-Management service cannot process the request. The resource URI is missing or it has an incorrect format. Check the documentation or use the following command for information on how to construct a resource URI: "winrm help uris". 
[error] Winrm: Failed to request Win32_ComputerSystem: The WS-Management service cannot process the request. The resource URI is missing or it has an incorrect format. Check the documentation or use the following command for information on how to construct a resource URI: "winrm help uris". 
'winrm://admin:****@10.0.0.15' check failure: Can't retrieve remote hostname

With wrong credentials

sudo glpi-remote add winrm://admin:wrong_password@10.0.0.15 --debug

Current vardir: /var/lib/glpi-agent
[debug] Logger backend Stderr initialized
[debug] [http client] authentication required, submitting credentials
[debug] [http client] authentication required, trying basic with dmin user (WSMAN)
[debug] [http client] basic authentication failed
[error] [http client] authentication required, wrong credentials
[debug] 401 Unauthorized
'winrm://admin:****@10.0.0.15' check failure: Winrm identify request failure: 401 Unauthorized

sudo glpi-agent --version

GLPI Agent (1.4-1)
Built by Debian
Source time: 2022-07-01 09:21

cmfz · 2023-01-26 19:04:24

i'm having the same 401 Unauthorized and wrong credentials with the --debug
i've enable basic authentication on winrm client and server but still having the same error, trying the env variable put not successful not sure of the command if we should put %PASSWORD% ou remove the field of the command, but tried several ways.
I was testing with agent 1.5 nightly build in a windows machine.

FredericR · 2023-02-16 05:40:01

I have the issue atm and just can't figure how to fix it. Nothing seems to work with winrm

gbougard · 2023-02-16 09:49:39

Hello there,
can you try with the latest glpi-agent nightly build ? There were some fixes since 1.4 which may help you.
See: https://nightly.glpi-project.org/glpi-agent/

FredericR · 2023-02-28 05:29:16

I've tried but it can't use the XML schema as the file has been deleted from microsoft website...

Current vardir: D:/APP/nGLPI-Agent/var
[debug] Logger backend Stderr initialized
[debug2] [http client] Using Compress::Zlib for compression
[debug] [http client] authentication required, submitting credentials
[debug] [http client] authentication required, trying basic with localadmin user (WSMAN)
[debug2] Identify response: Microsoft Corporation - OS: 10.0.19043 SP: 0.0 Stack: 3.0
[debug2] Looking for HKEY_LOCAL_MACHINE/Software/GLPI-Agent/Remote/deviceid registry value via winrm
[debug2] Requesting enumerate URL: http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/win32_computersystem
[error] Winrm: Failed to request Win32_ComputerSystem:
'winrm://localadmin:****@myremotepc' check failure: Can't retrieve remote hostname

Last edited by FredericR (2023-02-28 06:02:18)

gbougard · 2023-02-28 11:17:48

Hi FredericR,
this better sounds like a bug. The agent is not intended to make request against microsoft domain.

gbougard · 2023-02-28 12:19:40

FredericR, I created the #352 issue on GH for this problem to not miss it for next releases.

I see in your output you installed in a dedicated folder. Can you explain which build you installed and how ? Did you installed the portable version or just defined another installation folder ?
Also show the command you used ? And did you use glpi-remote script to setup the remote computer target ?

You can directly update the GH issue if you want to help there.

Last edited by gbougard (2023-02-28 12:20:32)

cmfz · 2023-07-13 16:50:47

trying with lastest 1.5 and nightly 1.6 but keep getting the same results, wrong credentials

glpi-remote.bat add winrm://%USERNAME%:%PASSWORD%@<hostname> --target server0 --debug --debug
Current vardir: ******/var
[debug] Logger backend Stderr initialized
[debug2] [http client] Using Compress::Zlib for compression
[debug] [http client] authentication required, submitting credentials
[debug] [http client] authentication required, trying basic with <domain>%5C%5C<username> user (WSMAN)
[debug] [http client] basic authentication failed
[error] [http client] authentication required, wrong credentials
[debug] 401 Unauthorized
'winrm://<username>:****@<hostname>' check failure: Winrm identify request failure: 401 Unauthorized

tried username with both domain\username and only username, also hostname with ip address same results, if put with the domain the target computer event viewer get %5 in user account nstead of the slash \ if we put double \\ shows %5%5 without domian keeps saying wrong credentials, if tested with:

winrs -r:hostname -u:username cmd.exe

it works, wvend not specifieng the domain

i'm testing from a windows 10 to another windows 10 in the same domain.
We have implemented fresh GLPI 10, updated now to 10.0.9 and still not behing able to do remote native inventory (agent-less)
the glpi-agent in the local computer works fine, but we testing so we can inventory all the machines from a server without installing the agent on each machine.
Do you thin if we use a linux client to connecto to the remote windows machines will be better?

gbougard · 2023-07-13 19:41:56

Hi cmfz,

you must use a local account. Domain users are not supported.

Yes, you can try with glpi-agent on linux, this is supported.

GuidoLondon · 2024-04-16 14:13:31

Has this ever been solved? We are seeing the exact same thing when trying to add a Windows machine.

Winrm identify request failure: 401 Unauthorized

Forum GLPI-Project

Announcement

#1 2022-07-04 06:20:20

GLPI Agent remote inventory of Windows computers

#2 2022-07-04 14:02:55

Re: GLPI Agent remote inventory of Windows computers

#3 2022-07-05 07:55:12

Re: GLPI Agent remote inventory of Windows computers

#4 2022-07-05 09:31:21

Re: GLPI Agent remote inventory of Windows computers

#5 2022-07-05 09:44:29

Re: GLPI Agent remote inventory of Windows computers

#6 2022-11-18 16:52:15

Re: GLPI Agent remote inventory of Windows computers

#7 2022-11-21 09:22:26

Re: GLPI Agent remote inventory of Windows computers

#8 2023-01-26 19:04:24

Re: GLPI Agent remote inventory of Windows computers

#9 2023-02-16 05:40:01

Re: GLPI Agent remote inventory of Windows computers

#10 2023-02-16 09:49:39

Re: GLPI Agent remote inventory of Windows computers

#11 2023-02-28 05:29:16

Re: GLPI Agent remote inventory of Windows computers

#12 2023-02-28 11:17:48

Re: GLPI Agent remote inventory of Windows computers

#13 2023-02-28 12:19:40

Re: GLPI Agent remote inventory of Windows computers

#14 2023-07-13 16:50:47

Re: GLPI Agent remote inventory of Windows computers

#15 2023-07-13 19:41:56

Re: GLPI Agent remote inventory of Windows computers

#16 2024-04-16 14:13:31

Re: GLPI Agent remote inventory of Windows computers

Board footer