powershell-scripts/winrm-https/winrm-ca-scripts/TROUBLESHOOT-CONNECTION.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00


================================================================================
TROUBLESHOOTING CONNECTION ISSUES
================================================================================
Error: "WinRM cannot complete the operation. Verify that the specified
computer name is valid, that the computer is accessible over the
network..."
This means WinRM can't reach the remote PC. Follow these steps:
================================================================================
STEP 1: VERIFY NETWORK CONNECTIVITY
================================================================================
On YOUR computer (H2PRFM94):
A. Test DNS Resolution
──────────────────────────────────────────────────────────────
PS> Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com
Expected: Should return IP address (e.g., 10.134.48.255)
If fails:
- Try with just hostname: Resolve-DnsName G9KN7PZ3ESF
- Try with IP directly: Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
B. Test Basic Ping
──────────────────────────────────────────────────────────────
PS> Test-Connection g9kn7pz3esf.logon.ds.ge.com -Count 2
Expected: Should get replies
If fails:
- PC might be blocking ICMP (that's OK, continue)
- Try: Test-Connection G9KN7PZ3ESF
- Try IP: Test-Connection 10.134.48.255
C. Test Port 5986 Connectivity
──────────────────────────────────────────────────────────────
PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
Expected:
ComputerName : g9kn7pz3esf.logon.ds.ge.com
RemoteAddress : 10.134.48.255
RemotePort : 5986
InterfaceAlias : Ethernet
SourceAddress : 10.x.x.x
TcpTestSucceeded : True
If TcpTestSucceeded = False:
- Port 5986 is blocked by firewall
- Continue to STEP 2
================================================================================
STEP 2: CHECK FIREWALL ON REMOTE PC (G9KN7PZ3ESF)
================================================================================
ON THE REMOTE PC (G9KN7PZ3ESF):
A. Check Windows Firewall Rule
──────────────────────────────────────────────────────────────
PS> Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Format-List
Expected:
DisplayName : WinRM HTTPS-In
Enabled : True
Direction : Inbound
Action : Allow
If Enabled = False:
PS> Enable-NetFirewallRule -DisplayName "WinRM HTTPS-In"
B. Check Firewall Profile
──────────────────────────────────────────────────────────────
PS> Get-NetFirewallProfile | Select-Object Name, Enabled
If the firewall is ON for the Public profile, the rule might not apply to it.
Fix (this opens port 5986 on every network profile, Public included):
PS> Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
C. Verify Port 5986 is Listening
──────────────────────────────────────────────────────────────
PS> netstat -an | findstr :5986
Expected:
TCP 0.0.0.0:5986 0.0.0.0:0 LISTENING
TCP [::]:5986 [::]:0 LISTENING
If not listening:
- WinRM listener not created properly
- Re-run Deploy-PCCertificate.bat
D. Check WinRM Service
──────────────────────────────────────────────────────────────
PS> Get-Service WinRM | Select-Object Status, StartType
Expected:
Status : Running
StartType : Automatic
If not running:
PS> Start-Service WinRM
PS> Set-Service WinRM -StartupType Automatic
================================================================================
STEP 3: CHECK NETWORK FIREWALL (Between PCs)
================================================================================
If local firewalls are OK but you still can't connect:
A. Check if Corporate Firewall Blocks Port 5986
──────────────────────────────────────────────────────────────
Some networks block high ports or only allow specific ports.
Test from YOUR computer:
PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
If TcpTestSucceeded = False:
- Network firewall is blocking port 5986
- Contact network admin to allow TCP 5986 between management PC and shopfloor PCs
B. Check if Same Subnet
──────────────────────────────────────────────────────────────
By default, WinRM on the Public profile only allows connections from the same subnet.
On YOUR computer:
PS> Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4' -and $_.IPAddress -notlike '169.*'}
On REMOTE PC:
PS> Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4' -and $_.IPAddress -notlike '169.*'}
Compare:
- Your IP: 10.x.y.z
- Remote IP: 10.134.48.255
If different subnets and Public profile:
- Either change network profile to Private/Domain
- Or configure firewall to allow remote subnet
================================================================================
STEP 4: ALTERNATIVE - USE IP ADDRESS INSTEAD OF FQDN
================================================================================
Sometimes DNS or certificate CN issues prevent FQDN connections.
From YOUR computer, try with IP:
──────────────────────────────────────────────────────────────
PS> Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
If this works but FQDN doesn't:
- DNS issue, use IP address for now
- Certificate CN might not match (but should work with proper CA)
================================================================================
STEP 5: CHECK YOUR COMPUTER'S WINRM CLIENT
================================================================================
On YOUR computer (H2PRFM94):
A. Enable WinRM Client
──────────────────────────────────────────────────────────────
PS> Enable-PSRemoting -Force
This configures YOUR computer as a WinRM client.
B. Check WinRM Service on YOUR Computer
──────────────────────────────────────────────────────────────
PS> Get-Service WinRM
Expected: Running
If not:
PS> Start-Service WinRM
C. Set Trusted Hosts (if needed)
──────────────────────────────────────────────────────────────
Only needed if not using HTTPS with proper certificates.
Check current:
PS> Get-Item WSMan:\localhost\Client\TrustedHosts
If blank and having issues:
PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*.logon.ds.ge.com" -Force
================================================================================
STEP 6: VERIFY CA CERTIFICATE ON YOUR COMPUTER
================================================================================
On YOUR computer (H2PRFM94):
A. Check if CA is Installed
──────────────────────────────────────────────────────────────
PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
        $_.Subject -like "*Shopfloor*"
    }
Expected: Should show "CN=Shopfloor WinRM CA"
If NOT found:
PS> Import-Certificate -FilePath "C:\path\to\Shopfloor-WinRM-CA-*.cer" `
        -CertStoreLocation Cert:\LocalMachine\Root
B. Verify Certificate is Trusted
──────────────────────────────────────────────────────────────
PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
        $_.Subject -like "*Shopfloor*"
    } | Format-List Subject, Thumbprint, NotAfter
Make sure:
- Subject matches: CN=Shopfloor WinRM CA
- NotAfter is in the future
- No errors
================================================================================
STEP 7: DIAGNOSTIC COMMANDS CHECKLIST
================================================================================
Run these in order on YOUR computer:
1. Test DNS:
PS> Resolve-DnsName g9kn7pz3esf.logon.ds.ge.com
2. Test Ping:
PS> Test-Connection g9kn7pz3esf.logon.ds.ge.com -Count 2
3. Test Port:
PS> Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
4. Check CA installed:
PS> Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Shopfloor*"}
5. Test WinRM:
PS> Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
Run these on REMOTE PC (G9KN7PZ3ESF):
1. Check firewall:
PS> Get-NetFirewallRule -DisplayName "WinRM HTTPS-In"
2. Check port listening:
PS> netstat -an | findstr :5986
3. Check service:
PS> Get-Service WinRM
4. Check listener:
PS> winrm enumerate winrm/config/listener
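Added example (not part of the original repository): when the port test passes but Test-WSMan still fails, this function reads the certificate the listener presents on 5986 and reports separately whether its name matches the target (STEP 4) and whether it chains to a CA trusted on YOUR computer (STEP 6). The function name Get-WinRmListenerCertReport and its output field names are hypothetical; it assumes the listener negotiates TLS 1.2 and an English-language Windows for the SAN text format.

```powershell
# Added example: function name and output fields are hypothetical.
function Get-WinRmListenerCertReport {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # name or IP you pass to Test-WSMan
        [int]$Port = 5986
    )
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)             # throws if DNS or a firewall blocks us
        # Diagnostic only: accept any certificate so it can be inspected below.
        # No credentials or data are sent over this stream.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        # Assumption: the listener negotiates TLS 1.2.
        $ssl.AuthenticateAsClient($ComputerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Names the certificate is valid for: subject CN plus any SAN DNS entries.
        # The "DNS Name=..." text is what English-language Windows produces.
        $names = @($cert.GetNameInfo('SimpleName', $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        # -like lets a wildcard certificate entry match the target name.
        $nameOk = [bool]($names | Where-Object { $ComputerName -like $_ })

        # Build the chain against this machine's certificate stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'  # assumption: private CA without a CRL
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Target       = $ComputerName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            CertNames    = $names -join ', '
            NameMatches  = $nameOk
            ChainTrusted = $chainOk
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}
```

Run it once with the FQDN and once with the IP address. NameMatches = False points at the certificate CN issue from STEP 4, and ChainTrusted = False points at the CA check in STEP 6.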
================================================================================
COMMON SOLUTIONS
================================================================================
Issue: TcpTestSucceeded = False
Solution:
1. On remote PC: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
2. On remote PC: Enable-NetFirewallRule -DisplayName "WinRM HTTPS-In"
3. Contact network admin if corporate firewall blocks port 5986
Issue: Certificate errors
Solution:
1. Install CA on your computer: Import-Certificate -FilePath "Shopfloor-WinRM-CA-*.cer" -CertStoreLocation Cert:\LocalMachine\Root
2. Verify CA is in Trusted Root
Issue: DNS not resolving
Solution:
1. Use IP address: Test-WSMan -ComputerName 10.134.48.255 -UseSSL -Port 5986
2. Or use short hostname: Test-WSMan -ComputerName G9KN7PZ3ESF -UseSSL -Port 5986
Issue: Different subnets
Solution:
1. Change firewall rule profile: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any
2. Or configure firewall to allow your management PC's IP
================================================================================
QUICK FIX COMMANDS
================================================================================
On REMOTE PC (G9KN7PZ3ESF):
──────────────────────────────────────────────────────────────
# Enable firewall rule for all profiles
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -Profile Any -Enabled True
# Restart WinRM service
Restart-Service WinRM
On YOUR computer (H2PRFM94):
──────────────────────────────────────────────────────────────
# Enable WinRM client
Enable-PSRemoting -Force
# Install CA certificate (if not already)
Import-Certificate -FilePath "C:\path\to\Shopfloor-WinRM-CA-*.cer" -CertStoreLocation Cert:\LocalMachine\Root
# Test connection
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
================================================================================