AWS SMS Connector (Hyper-V) Registration Error

Scenario:
Let's take an example where the AWS SMS Connector's (Hyper-V) self-signed certificate has expired. It is recommended to re-register the SMS Connector after running the SMS configuration PowerShell script, but even after the script ran successfully the re-registration did not complete and we got the error message below.

Please validate and trust all certificates before proceeding.

If we selected the "Ignore minor errors" option, it threw the error below and we were not able to re-register the SMS Connector for Hyper-V.

Error: VM Manager login failed: Connection reset.

Troubleshooting:
1. Initially we ran the SMS Connector configuration PowerShell script "aws-sms-hyperv-setup.ps1" on the Hyper-V host and tried to re-register the SMS Connector, but it didn't help.

2. Then we researched further and found it could be related to the WinRM service itself or to a WinRM HTTP/HTTPS listener configuration issue on the Hyper-V host. Since the SMS Connector uses the WinRM HTTPS listener to communicate with the Hyper-V host over port 5986, this configuration should be verified.

3. First we verified that the WinRM service is running and listening. The result below confirms that both the WinRM HTTP and HTTPS listeners are present and the WinRM service is running on the Hyper-V host.

C:\Users\administrator>netstat -ano | findstr 5985
 TCP    0.0.0.0:5985   0.0.0.0:0   LISTENING   4
 TCP    [::]:5985      [::]:0      LISTENING   4

C:\Users\administrator>netstat -ano | findstr 5986
 TCP    0.0.0.0:5986    0.0.0.0:0  LISTENING   4
 TCP    [::]:5986       [::]:0     LISTENING   4

4. We further verified the WinRM listener configuration on the Hyper-V host by running the two WinRM commands below.

PS C:\Users\administrator> winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 10.0.0.10, 10.0.1.10, 127.0.0.1, 169.254.4.146, 170.25.16.88, ::1, 2002:aa19:1058::aa19:1058, fe80::5e
fe:10.0.0.10%17, fe80::5efe:10.0.1.10%25, fe80::5efe:169.254.4.146%18, fe80::200:5efe:170.25.16.88%16, fe80::1c17:f08d:8
162:4d5e%22, fe80::78c6:12ba:725e:47b8%27, fe80::b8fd:66a4:36a7:4b03%31, fe80::dcad:d9a0:c847:58e0%33

Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = GBMVIRN10
Enabled = true
URLPrefix = wsman
CertificateThumbprint = D5D2A18D6DB0349A860496AD940730B9814B7BF9
ListeningOn = 10.0.0.10, 10.0.1.10, 127.0.0.1, 169.254.4.146, 172.25.16.88
fe:10.0.0.10%17, fe80::5efe:10.0.1.10%25, fe80::5efe:169.254.4.146%18

PS C:\Users\administrator> Winrm get http://schemas.microsoft.com/wbem/wsman/1/config
Config
MaxEnvelopeSizekb = 8192
MaxTimeoutms = 600000
MaxBatchItems = 20
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = false
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = true
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = *
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;S-1-5-21-41034656-1159472928-22901797-500)(A;;GXGR;;;S-1-5-21-41034
656-1159472928-22901797-36923)(A;;GA;;;S-1-5-21-1824572269-3140542921-2898930927-1009)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD
)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 600000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = true
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 10
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 25
MaxMemoryPerShellMB = 1024
MaxShellsPerUser = 30

5. Looking at the above result, we see that the WinRM HTTPS listener is bound to the SSL certificate with thumbprint "D4D8B0349A860496AD94571214B5BF8".

6. We then checked MMC > Certificates > Computer > Personal on the Hyper-V host but didn't find a certificate with this thumbprint, so it seems the self-signed certificate somehow wasn't created and configured even after running the "aws-sms-hyperv-setup.ps1" script.

7. Then we deleted the existing WinRM HTTPS listener using the command below.

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

8. Then we created a self-signed certificate for the Hyper-V host and imported it into the Computer's Personal and Trusted certificate stores.
https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps

9. Then we ran the command below to create the WinRM HTTPS listener and bind the above self-signed certificate to the listener.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="YOUR-Hyper-VHost-FQDN"; CertificateThumbprint="cert_thumbprint_For_above_SMSConnector_cert"}'

10. After performing the above steps, we were able to re-register the SMS Connector on the Hyper-V host and the customer initiated the replication jobs.

11. Please note that the same troubleshooting steps might help fix the error below as well, so if you see it, it is worth following the steps above.

Error: VM Manager login failed: Connection refused.
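Steps 5 to 9 as one PowerShell script, added here as an example (it is not part of the original post or of aws-sms-hyperv-setup.ps1). It reports whether the HTTPS listener's thumbprint resolves to a usable certificate in the computer's Personal store, and only with `-Repair` deletes and recreates the listener. Assumptions: the `-HostFqdn` default is a placeholder, and "Trusted" store in step 8 is taken to mean Trusted Root Certification Authorities.

```powershell
#Requires -RunAsAdministrator
# Added example. Replace the placeholder FQDN with the name the SMS Connector connects to.
param(
    [string]$HostFqdn = 'YOUR-Hyper-VHost-FQDN',
    [switch]$Repair
)

# Steps 5-6: find each HTTPS listener and look up its thumbprint in LocalMachine\My.
$https = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }

$healthy = $false
foreach ($l in $https) {
    $thumb = (Get-Item "WSMan:\localhost\Listener\$($l.Name)\CertificateThumbprint").Value
    $thumb = ($thumb -replace '\s', '').ToUpper()
    $cert  = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb }

    if (-not $cert) {
        Write-Warning "Listener $($l.Name): thumbprint '$thumb' not found in LocalMachine\My"
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Listener $($l.Name): certificate expired on $($cert.NotAfter)"
    } elseif (-not $cert.HasPrivateKey) {
        Write-Warning "Listener $($l.Name): certificate has no private key"
    } else {
        Write-Output "Listener $($l.Name): certificate OK until $($cert.NotAfter)"
        $healthy = $true
    }
}

if ($Repair -and -not $healthy) {
    # Step 7: remove the stale HTTPS listener(s).
    $https | ForEach-Object { Remove-Item "WSMan:\localhost\Listener\$($_.Name)" -Recurse -Force }

    # Step 8: new self-signed certificate in the Personal store, then copy its
    # public part into Trusted Root on this host (assumed meaning of "Trusted").
    $new = New-SelfSignedCertificate -DnsName $HostFqdn -CertStoreLocation Cert:\LocalMachine\My
    $cer = Join-Path $env:TEMP "$HostFqdn.cer"
    Export-Certificate -Cert $new -FilePath $cer | Out-Null
    Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Remove-Item $cer

    # Step 9: recreate the listener bound to the new thumbprint.
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $HostFqdn -CertificateThumbPrint $new.Thumbprint -Force | Out-Null
    Write-Output "Bound HTTPS listener to $($new.Thumbprint)"
}
```

Run it without `-Repair` first; the warnings distinguish a missing certificate (the case in this post) from an expired one or one without a private key.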

There can be other reasons for the same issue, but in my case this helped me fix the issue. I'm sharing it here so that it can help you in case you face a similar issue in your environment.
