Ops Postmortem
wrong assumption. root cause. fix.
EP. 01 · Keyfactor · WinRM · PKI

Port 5986 wasn't the problem.

The firewall was open. WinRM tests passed clean. One month of troubleshooting a network that wasn't broken — because the Keyfactor iis-orchestrator was silently falling back to HTTP the entire time.

Watch on YouTube Read the breakdown Get the artifact

The assumption

Port 5986 wasn't responding to the Keyfactor iis-orchestrator. The natural read: something in the network path was wrong.

confirmed

The environment

  • Keyfactor Command with the iis-orchestrator extension.
  • Deployed in a DMZ domain to manage certificates via WinRM.
  • Version 2.6.1. Configured for HTTPS on port 5986.
  • Orchestrator logs and Windows event logs: TLS Schannel errors.
  • Keyfactor support engaged — full connectivity suite run. Everything passed.
confirmed

What everyone checked

  • Firewall team confirmed port 5986 was open.
  • Illumio confirmed no microsegmentation policy was blocking it.
  • Test-NetConnection — passed.
  • Test-WSMan — passed.
  • Invoke-Command — passed.
  • Enter-PSSession — passed.

What actually happened

One month in, a senior Keyfactor engineer looked at the case and asked for an upgrade to 3.0.0. The upgrade worked immediately.

confirmed — changelog

The bug

The 2.6.2 changelog entry reads: "Fixed error when connecting to remote computer using HTTPS; was defaulting to HTTP."

Version 2.6.1, when configured for HTTPS, silently falls back to HTTP. It was never negotiating TLS. It was never actually attempting port 5986 over HTTPS.

confirmed

Why the tests lied

Every WinRM connectivity test passed because the infrastructure was fine. The extension just wasn't using the right protocol.

The Schannel errors in the logs were a symptom of the fallback — not the cause. The software was reporting TLS errors while quietly not using TLS at all.

The fix

App failing while connectivity tests pass is a software problem, not a network problem. Before you ticket the network team, pull the changelog on whatever extension is in the path.

immediate

For this specific issue

  • Upgrade Keyfactor iis-orchestrator to 2.6.2 or later.
  • Version 2.6.2 contains the fix if a full upgrade isn't possible immediately.
  • Verify post-upgrade that the orchestrator is negotiating HTTPS — check the Keyfactor activity logs for successful certificate operations, not just connectivity.
general principle

When the wire is clean but the app isn't

  • Connectivity tests prove the network is fine — they don't prove the application is using the network correctly.
  • Check the changelog on the extension, agent, or connector before escalating to network or firewall.
  • Schannel errors that correlate with a protocol mismatch are a symptom. Find what's setting the protocol.
  • Two months of troubleshooting had a published answer. Search the vendor changelog first.

Sources

This is a firsthand operational incident. The root cause was confirmed by the Keyfactor 2.6.2 changelog entry and resolved by upgrading to 3.0.0. No speculation is presented as fact.

primary

Confirmed sources

  • Keyfactor iis-orchestrator changelog — v2.6.2 bug fix entry.
  • Firsthand operational experience — DMZ environment, Keyfactor Command deployment.
  • Keyfactor support case — full connectivity suite results.
reference

Further reading