Cannot launch winrm quickconfig on Windows 2003 R2 Server
I am unable to run winrm qc on my W2K3 R2 server. The WinRM service is running. When I launch quickconfig I get the following error: Error number: -2144108387 0x8033809D
The whole command line error output is:
PS C:\Documents and Settings\admin314> winrm qc
WinRM already is set up to receive requests on this machine.
WSManFault
Message = WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
Error number: -2144108387 0x8033809D
An unknown security error occurred.
The solution is in adding correct SPNs (Service Principal Names). I was missing the HTTP/server1 SPN. So I downloaded the Microsoft Windows Server 2003 Support Pack and used the "setspn.exe".
First of all I used the list option (setspn.exe -L server1) to see the SPNs (where I discovered that HTTP is missing) and then I added the HTTP option for the desired server (setspn.exe -A HTTP/Server1 Server1 and setspn.exe -A HTTP/Server1.cz Server1).
Hope it will help somebody.
Assuming that you are using PowerShell 2.0, can you try Enable-PSRemoting -Force from an elevated PowerShell console? This performs WinRM quick config and tells you more about the error, if any.
I have seen it fail if the firewall is enabled and running. You can disable the firewall and run winrm qc or do the following manual commands
sc config "WinRM" start= auto
net start WinRM
winrm create winrm/config/listener?Address=*+Transport=HTTP
netsh firewall add portopening TCP 80 "Windows Remote Management"
If you execute this command in a PowerShell console:
PS C:\Windows\system32> winrm quickconfig
you can get this error:
WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
And you can get this error number:
Error number: -2144108387 0x8033809D
An unknown security error occurred.
This problem occurs because two or more computer accounts have the same service principal name (SPN) registered. Event ID 11 is logged when the Key Distribution Center (KDC) receives a ticket request, and the related SPN exists more than one time when it is checked on the global catalog (GC) for forest wide verification.
Recommended Actions
Check that WinRM is installed and running on server %server. For more information use the command "winrm helpmsg hrresult".
The following event may also be logged in the System event log (eventvwr):
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 23/04/2009 2:08:30 PM
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: %server%.
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server %server%. The target name used was HTTP/%server%.
This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using.
Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account.
Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Keep in mind what you are doing, opening WinRM via HTTP/HTTPS. Check what your server is configured for (80 or 443, or both) and review the SPNs, and add what is needed.
You can download "Microsoft Windows Server 2003 Support Pack" and use the "setspn.exe" command for adding correct SPNs (Service Principal Names).
To review (read only)
setspn.exe -L MACHINENAME
Review the results for HTTP/HTTPS entries (or any duplicates as well) where you discovered that HTTP is missing.
Add missing names:
setspn -A HTTP/machinename MACHINENAME
setspn -A HTTP/machinename.fqdn.com MACHINENAME
setspn -A HTTPS/machinename MACHINENAME
setspn -A HTTPS/machinename.fqdn.com MACHINENAME
Then reattempt your quickconfig.
More references:
http://blog.chrislehr.com/2012/06/winrm-quickconfig-failing-with.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;970923
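The review step in the answer above (each HTTP SPN present, and registered on exactly one account), as an added PowerShell example that is not from any of the original posts. It parses captured `setspn.exe -L` output; the helper names Get-SpnMap and Test-HttpSpn are hypothetical, and the host, domain and account names in the sample are constructed.

```powershell
# Added example: audit HTTP SPNs from captured `setspn.exe -L <account>` output.
# Host, domain and account names below are constructed sample data.
$sample = @'
Registered ServicePrincipalNames for CN=SERVER1,OU=Servers,DC=example,DC=test:
        HOST/SERVER1
        HOST/server1.example.test
        HTTP/server1
Registered ServicePrincipalNames for CN=svc-web,OU=Service Accounts,DC=example,DC=test:
        HTTP/SERVER1
'@

# Hypothetical helper: build a map of SPN -> accounts that hold it.
function Get-SpnMap {
    param([string[]]$Lines)
    $map = @{}          # keys of @{} compare case-insensitively, as SPNs do
    $account = $null
    foreach ($line in $Lines) {
        if ($line -match '^Registered ServicePrincipalNames for (.+):\s*$') {
            $account = $Matches[1]          # header line names the account
        } elseif ($account -and $line -match '^\s+(\S+/\S+)\s*$') {
            $spn = $Matches[1]              # indented line is one SPN
            if (-not $map.ContainsKey($spn)) { $map[$spn] = @() }
            $map[$spn] += $account
        }
    }
    return $map
}

# Hypothetical helper: classify the short-name and FQDN HTTP SPNs.
function Test-HttpSpn {
    param([hashtable]$Map, [string]$ShortName, [string]$Fqdn)
    foreach ($spn in "HTTP/$ShortName", "HTTP/$Fqdn") {
        $owners = @()
        if ($Map.ContainsKey($spn)) { $owners = @($Map[$spn]) }
        if ($owners.Count -eq 0) { $status = 'Missing' }        # add with setspn -A
        elseif ($owners.Count -eq 1) { $status = 'OK' }
        else { $status = 'Duplicate' }                          # KDC cannot pick one
        New-Object PSObject -Property @{
            SPN = $spn; Status = $status; Accounts = ($owners -join '; ')
        }
    }
}

$map = Get-SpnMap -Lines ($sample -split "`r?`n")
Test-HttpSpn -Map $map -ShortName 'server1' -Fqdn 'server1.example.test' |
    Format-Table SPN, Status, Accounts -AutoSize
```

To use it on real data, replace `$sample` with the concatenated output of `setspn.exe -L` for the server's computer account and for any service accounts that might hold an HTTP SPN for the same host.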
On the off chance anyone has this problem on a Server 2012 or Server 2012 R2 box where they have had to specifically set an IP inclusion list for HTTP, i.e:
netsh http add iplisten 192.168.1.1
you'll need to also add
netsh http add iplisten 127.0.0.1
Posting this here as this page was the 4th result I got when Googling the 'winrm qc' error number I got (Error number: -2144108526 0x80338012) and hoping it saves someone else time in the future.