Windows Gateway Errors and Solutions

Error Solution
767cf2b6-bfc3-45a0-9490-a95cf841e693: Connecting to remote server <machine name> failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The computer <name> is unknown to Kerberos. Verify that the computer exists on the network, that the name provided is spelled correctly, and that the Kerberos configuration for accessing the computer is correct. The most common Kerberos configuration issue is that an SPN with the format HTTP/<machine name> is not configured for the target. If Kerberos is not required, specify the Negotiate authentication mechanism and resubmit the operation. For more information, see the about_Remote_Troubleshooting Help topic.
  • This issue occurs with PowerShell remoting as it uses Kerberos authentication.
  • In the agent machine, start the command prompt as an administrator and execute the command setspn -s http/machinename domain\username.
  • This will work in environments where Kerberos authentication and an AD domain are set up.
  • If no Kerberos authentication is set up, then the communication must be done through WMI.
Retrieving the COM class factory for remote component with CLSID
  • The component used for accessing CA (certadm.dll) is not installed or has permission issues.
  • Check if the DLL is available in the C:\Windows\System32 folder; if it is not, install Microsoft Remote Server Administration Tools (RSAT) for the respective OS.

    For example, for Windows 10 https://www.microsoft.com/en-in/download/details.aspx?id=45520.

PowerShell ScriptExecution Error: Access is denied. 0x80070005 (WIN32: 5) OR Error Code 0x80070005 - Access is denied
  • The username must be configured as Username@Domain.
  • The user must have admin access to the remote/target machine or must be part of the local administrator group.
  • Go to the Local Users and Groups and access Administrators. Check if the configured username is a part of the administrator group.
Connecting to remote server <machine name> failed with the following error message: WinRM cannot process the request. The following error with error code 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.
  • This issue occurs with PowerShell remoting as it uses Kerberos authentication.
  • In the agent machine, start the command prompt as an administrator and execute the command setspn -s http/machinename domain\username.
  • This will work in environments where Kerberos authentication and an AD domain are set up.
  • If no Kerberos authentication is set up, then the communication must be done through WMI.
The WinRM client received an HTTP status code of 502 from the remote WS-Management service. For more information, see the about_Remote_Troubleshooting Help topic
  • Check if the WinRM service is running.
  • Open PowerShell on the target machine and run the command WinRM QuickConfig.
  • Execute the command Enable-PSRemoting -force.
  • Execute the command netsh winhttp show proxy and if a proxy is configured, it must be reset using the command netsh winhttp reset proxy.
41783361-015b-453f-b321-e31709b1850c: Connecting to remote server <machine name> failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
  • The username must be configured as Username@Domain.
  • The user must have admin access to the remote/target machine or must be a part of the local administrator group.
  • Go to the Local Users and Groups and access Administrators and check if the configured username is part of the administrator group.
  • Check if the WinRM service is running.
  • Open PowerShell on the target machine and execute the command WinRM QuickConfig.
  • Execute the command Enable-PSRemoting -force.
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: winrm quickconfig
  • Check if the WinRM service is running.
  • Open PowerShell on the target machine and execute the command WinRM QuickConfig.
  • Execute the command Enable-PSRemoting -force.
d4f98a6a-41ef-4864-9848-03a07e113d75: CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
  • Go to the target machine and start the RPC service if it is stopped.
727838ed-151e-46bf-883c-07ccb3a3989f: Connecting to remote server <machine name> failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
  • The username must be configured as Username@Domain.
  • The user must have admin access to the remote/target machine or must be a part of the local administrator group.
  • Go to the Local Users and Groups and access Administrators and check if the configured username is part of the administrator group.
  • Check if the WinRM service is running.
  • Open PowerShell on the target machine and execute the command WinRM QuickConfig.
  • Execute the command Enable-PSRemoting -force.
fd3812f9-030a-421c-81e7-0e0510ce49e0: Access to the path '\\<machine name>\C$\\Windows\\Temp\\qgwwkqi3.fff' is denied.
  • The username must be configured as Username@Domain.
  • The user must have admin access to the remote/target machine or must be a part of the local administrator group.
  • Go to the Local Users and Groups and access Administrators and check if the configured username is part of the administrator group.
More than 5 connections are not allowed
  • Run PowerShell as an administrator.
  • Check existing config: winrm get winrm/config.
  • Change the settings to increase MaxShellsPerUser to 100 on the remote machine where this issue is occurring:
    winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'
    winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'
Connecting to remote server failed with the following error message: The WS-Management service cannot process the request. This user is allowed a maximum number of 4 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user.
  • Run PowerShell as an administrator.
  • Check existing config: winrm get winrm/config.
  • Change the settings to increase MaxShellsPerUser to 100 on the remote machine where this issue is occurring:
    winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'
    winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'
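
The WinRM checks from the rows above (service state, proxy, SPN, reachability, shell quotas) can be collected in one read-only pass, so the current values are on record before any winrm set command changes them. This is an added example, not AppViewX code; the function names are hypothetical, and the proxy check assumes an English-language OS.

```powershell
# Added example (not AppViewX code): read-only WinRM checks. Nothing is changed.

# Run on the target machine, elevated: service, listeners, proxy, shell quotas.
function Get-WinRMLocalState {
    $svc = Get-Service -Name WinRM
    $state = [ordered]@{ Service = $svc.Status; StartType = $svc.StartType }

    # "Direct access" is the English netsh text for "no proxy" (assumes an English OS).
    $state.WinHttpProxySet = ((netsh winhttp show proxy) -join ' ') -notmatch 'Direct access'

    if ($svc.Status -eq 'Running') {
        # The WSMan: drive is only usable while the service is running.
        $state.Listeners = @(Get-ChildItem WSMan:\localhost\Listener).Count
        foreach ($name in 'MaxConcurrentUsers', 'MaxShellsPerUser', 'MaxMemoryPerShellMB') {
            $state[$name] = (Get-Item "WSMan:\localhost\Shell\$name").Value
        }
    }
    [pscustomobject]$state
}

# Run on the agent machine against the target name used in the gateway configuration.
function Test-WinRMTarget {
    param([Parameter(Mandatory)][string]$ComputerName)
    $r = [ordered]@{ ComputerName = $ComputerName }

    # setspn -Q prints "Existing SPN found!" when the HTTP/<machine name> SPN is registered.
    $r.HttpSpnFound = ((setspn -Q "HTTP/$ComputerName" 2>&1) -join ' ') -match 'Existing SPN found'

    # Test-WSMan sends an unauthenticated Identify request: reachability only.
    try {
        $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $r.WsManReachable = $true
    } catch {
        $r.WsManReachable = $false
        $r.WsManError = $_.Exception.Message
    }
    [pscustomobject]$r
}
```

Save the output of Get-WinRMLocalState before raising the quotas so the original values can be restored later.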
Client Certificate gives Permission Denied 403 errors. This can happen in a certain environment and it's intermittent
  • Check if the client certificate is installed correctly by validating the chain in the Personal Store.
  • The root of the client certificate must be available in the Trusted Root Certification Store of the server.
  • The intermediate of the client certificate must be available in the Intermediate Certification authorities of the server.
  • If all of the above are fine, go to the agent server and complete the following steps:
    1. Open MMC.
    2. Select Add/Remove Snap-in.
    3. Select Certificates.
    4. Select LocalMachine.
    5. Go to the Personal Store and click on the client certificate.
    6. Go to the chain.
    7. Export the root certificate and save it as Root.cer in a location.
    8. Import Root.cer back into the Trusted Root store.
    9. If this does not solve the issue, then check if the Trusted Root store contains any non-root certificates.
    10. Click on the Trusted Root store and check if there is any certificate whose IssuedTo and IssuedBy values are different.
    11. Take a backup of such certificates and move them to their respective stores.
    12. If it does not solve the issue, then add the root certificate to the Client Certificate Issuers.
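
The chain validation and the Trusted Root inspection from the steps above can also be done from an elevated PowerShell prompt without changing any store. This is an added example, not AppViewX code; the function names are hypothetical and the thumbprint is supplied by the operator.

```powershell
# Added example (not AppViewX code): read-only certificate store checks.

# Build the chain for a client certificate in LocalMachine\Personal and report,
# per chain element, whether it sits in the Trusted Root or Intermediate store.
function Test-ClientCertChain {
    param([Parameter(Mandatory)][string]$Thumbprint)   # operator-supplied value

    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)  # machine context
    # Revocation is skipped here so the result reflects store layout only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $valid = $chain.Build($cert)

    $elements = foreach ($e in $chain.ChainElements) {
        $c = $e.Certificate
        [pscustomobject]@{
            Subject        = $c.Subject
            SelfSigned     = ($c.Subject -eq $c.Issuer)
            InTrustedRoot  = Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
            InIntermediate = Test-Path "Cert:\LocalMachine\CA\$($c.Thumbprint)"
            Status         = ($e.ChainElementStatus.Status -join ',')
        }
    }
    [pscustomobject]@{ ChainValid = $valid; Elements = $elements }
}

# Steps 9-10: certificates in Trusted Root whose IssuedTo and IssuedBy differ,
# i.e. non-root certificates that belong in another store.
function Get-NonRootCertInTrustedRoot {
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}
```

An empty result from Get-NonRootCertInTrustedRoot means steps 9 to 11 do not apply on that machine.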
The permissions on the certificate template do not allow the current user to enroll for this type of certificate
  1. Go to the CA server.
  2. Open Certificate Authority and select the CA Server.
  3. Right-click on properties and select the Security tab.
  4. Check if the user used in Agent has the necessary permissions to read, issue, manage, and request certificate(s).
  5. If the user is a part of a group, then ensure that the group has the required permissions.
  6. Click on the Certificate Templates and right-click to manage the template.
  7. Right-click on the template which has the issue and navigate to Security.
  8. Add permission to the user or group.
An attempt was made to open a Certification Authority database session, but there are already too many active sessions on a request using CERTADMINLib.IEnumCERTVIEWROW.Next().

In the CA server, navigate to the registry through the regedit command and set the following:

  1. HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBSessionCount to 64 hex (100 Dec)
  2. HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBMaxReadSessionCount is also set to 64 hex (100 Dec)
803f4314-3a11-486a-87e5-367b8c5c6f9f: The user name or password is incorrect.
  • The username must be configured as Username@Domain.
  • The user must have admin access to the remote/target machine or must be a part of the local administrator group.
  • Go to the Local Users and Groups and access Administrators and check if the configured username is part of the administrator group.
42abe1ef-2bff-40e8-82e2-c97c5707a0c1: Connecting to remote server <machine name> failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic. The user name or password is incorrect.
Connecting to remote server <machine name> failed with the following error message: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits accesses to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
  • Run WinRM quickconfig on the machine (C:\Windows\system32>WinRM quickconfig) to confirm whether the WinRM service is already running.
  • If WinRM is not set up to allow remote access to this machine for management, the following changes must be made:
    1. Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
    2. At the prompt "Make these changes [y/n]?", answer y.
There is not enough space on the disk
  • Ensure that your hard disk has enough free space.
Management Connect to remote machine <machine name> as user failed with the following error User credentials cannot be used for local connections
  • The username must be configured as Username@Domain.
  • The user must have admin access to the remote/target machine or must be a part of the local administrator group.
  • Go to the Local Users and Groups and access Administrators and check if the configured username is part of the administrator group.
  • Configure the credentials in AppViewX.CertPlus.Service Logon option.
Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: WebServer1.
  • Use the template name instead of the template display name.
Device Communication failed while using Native option to connect to CA remotely
  1. Go to the agent machine.
  2. Open services.msc using Start > Run command on the Windows machine.
  3. Find the service AppViewXCertPlus.
  4. Right-click and view properties.
  5. Click on the Log On tab.
  6. Change the option to This account and enter the user account and password information.
  7. Click on Apply; a message will pop up to add the account as Log on as a service. Click OK and save changes.
  8. Restart the service.
  9. Remove the username and password from AppViewX.
Certificate Request (CSR) is using a different account to request a certificate from CA as compared to account configured in AppViewX
  1. Go to the agent machine.
  2. Open services.msc using Start > Run command on the Windows machine.
  3. Find the service AppViewXCertPlus.
  4. Right-click and view properties.
  5. Click on the Log On tab.
  6. Change the option to This account and enter the user account and password information.
  7. Click on Apply; a message will pop up to add the account as Log on as a service. Click OK and save changes.
  8. Restart the service.
  9. Remove the username and password from AppViewX.