Troubleshooting Failures with Remote Administration

Problem: –

Connection error to remote server

When having issue with connecting client and server using the same build. Example, A server beta X will not work with a RC1 Server build

This might be caused due to the access control lists (ACLs) problem.

Solution: –

Checking with the event viewer (eventvwr.msc) log. Events are logged with detailed error messages and a stack trace. Most of time looking at the Event Viewer often tells what the problem might be.

Connection problem with the remote server after updating wmsvc bindings.

This issue happens after updating the port on WMSVC which configured to run,

Solution: –

after updating the port on which WMSVC is configured to run, check to see if the firewall is turned on for the server. If it is, add a new exception rule for the port on which WMSVC is running (default value: 8172). Then try connecting to the server again.

If this does not solve the problem, run the following commands from cmdline:

netsh http show sslcert


netsh http show sslcert

Ensure that the port 8172 (the one on which WMSVC is running) has SSL certificate bindings. Also make sure the cert hash matches the one to which WMSVC is bound to (in the Management Service UI).

Sample output:


c:\>netsh http show sslcert

SSL Certificate bindings:


IP:port :

Certificate Hash : f06ae62a5275a818338f05ecc80707335be1e204

Application ID : {00000000-0000-0000-0000-000000000000}

Certificate Store Name: MY

Verify Client Certificate Revocation : Enabled

Verify Revocation Using Cached Client Certificate Only: Disabled

Usage Check : Enabled

Revocation Freshness Time: 0

URL Retrieval Timeout : 0

Ctl Identifier : (null)

Ctl Store Name : (null)

DS Mapper Usage : Disabled

Negotiate Client Certificate : Disabled

netsh http show urlacl


netsh http show urlacl

Ensure that the URL https://*:8172/ (the port on which WMSVC is configured to run) appears in the list of reserved URLs.

Sample output:


c:\>netsh http show urlacl

URL Reservations:


Reserved URL : https://*:8172/


Listen: Yes

Delegate: No

SDDL: D:(A;;GX;;;S-1-5-80-257763619-1023834443-750927789-3464696139-1457670516)

Use netsh commands in the previous paragraph to determine if the bindings are not correctly configured. The problem might be that the machine key does not have permissions for the administrator trying to adjust the WMSVC bindings. In that case, try the following:

  1. Take ownership of the machine key:


takeown /F %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\bedbf0b4da5f8061b6444baedf4c00b1* /R

  1. Configure the ACLs of the machine key such that the administrator group has read permissions:


icacls %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\bedbf0b4da5f8061b6444baedf4c00b1* /grant Administrators:(R)

  1. Reserve the port 8172 for WMSVC:


netsh http add urlacl url=https://*:8172/ User=”NT SERVICE\wmsvc”

  1. Associate the cert with the port:


netsh http add sslcert ipport= certhash=<certHash> appid={d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}

Do not want to see the prompt on the client every time you connect to the remote server?

Make sure the server uses a trusted root certificate for WMSVC. Create a trusted root certificate (if you do not already have it) and on the Management Service feature page, assign this certificate to be used by the service. This ensures that the client does not get a prompt asking if they trust the server (since the certificate is not trusted).

If all else fails:

include the eventvwr.msc log along with exception and call stack.

Here are details on how to get the exception and call stack:

  1. Attach windbg to wmsvc.exe


windbg –pn wmsvc.exe

  1. Load the sos.dll and set a break point if a managed exception happens


.loadby sos mscorwks

sxe clr

  1. Then hit go



  1. When it breaks, print the exception and the call stack and send it to




Written by: Shihan Suhail

  • Was this Helpful ?
  • yes   no
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)