Ansible: pinging windows machine using basic authentication - ansible

I have configured WinRM on a Windows Server 2012 machine using the script suggested by the Ansible team: https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
On the Ansible control machine (Linux box), the configuration looks like this:
ansible_user: Administrator
ansible_password: PASS
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_scheme: http
ansible_winrm_server_cert_validation: ignore
Trying to ping Windows machine I still get:
10.2.75.142 | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
User credentials are working credentials of local Windows user, belonging to Administrator group. Am I still missing some config on either side?

I've had a similar problem. Through Ansible I was getting:
the specified credentials were rejected by the server
but when executing command from windows machine using winrs it was fine. For example:
winrs -r:https://myserver.com -u:Administrator -p:PASS ipconfig
was going through.
Unfortunately didn't find any solution to have Ansible running with basic authentication. Workaround was to use NTLM authentication. Just added
ansible_winrm_transport: ntlm
to control machine configuration and it works fine ever since.

Related

credssp: Bad HTTP response returned from server. Code 502

Seeing error credssp: Bad HTTP response returned from server. Code 502
Ansible is installed on Linux machine & I am trying to establish connection to Windows client machine
Have set below variables as per : https://docs.ansible.com/ansible/latest/os_guide/windows_winrm.html
ansible_user: <uname>
ansible_password: <pass>
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: credssp
Running the playbook results in the error below. Could you give any pointers to check this further to get a resolution on it?
fatal: [<hostname>]: UNREACHABLE! => {"changed": false, "msg": "credssp: Bad HTTP response returned from server. Code 502", "unreachable": true}
Adding details on client setup, which looks ok, following along : https://docs.ansible.com/ansible/latest/os_guide/windows_setup.html#winrm-listener
PS C:\Windows\system32> (Get-Service "WinRM").Status
Running
Below indicates : HTTP: Enabled
PS C:\Temp\Ansible> .\ConfigureRemotingForAnsible.ps1 -Verbose
VERBOSE: Verifying WinRM service.
VERBOSE: PS Remoting is already enabled.
VERBOSE: SSL listener is already active.
VERBOSE: Basic auth is already enabled.
VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
VERBOSE: HTTP: Enabled | HTTPS: Disabled
VERBOSE: PS Remoting has been successfully configured for Ansible.
Exec policy set to Unrestricted as well.
PS C:\Temp\Ansible> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine Unrestricted
Powershell version looks ok : 5.x :
PSVersion 5.1.19041.1682
And quick check on http link per below is working on windows client as well. Issue I am seeing only from Linux machine from which I am trying to connect/run playbook.
winrs -r:http://<hostname>:5985/wsman -u:<user> -p:<pass> ipconfig
I assume upon the chosen authentication method
ansible_winrm_transport: credssp
and the missing info about the CredSSP on the Windows side in the question and the 502 error, that this might be caused, because CredSSP is not enabled.
As stated in the Ansible WinRM Module Documentation, if the selected authentication method is CredSSP, it needs to be enabled:
CredSSP authentication is not enabled by default on a Windows host,
but can be enabled by running the following in PowerShell:
Enable-WSManCredSSP -Role Server -Force
According to the WSMAN Documentation the state of the CredSSP can be checked with:
Get-WSManCredSSP
Possible results:
If the computer is configured for CredSSP, this is the output:
The machine is configured to allow delegating fresh credentials to the
following target(s): wsman/server02.accounting.fabrikam.com
If the computer is not configured for CredSSP, this is the output:
The machine is not configured to allow delegating fresh credentials.
First make sure that the user you are trying to connect with has admin rights on the remote computer.
If the user does, maybe it's a problem with the proxy.
I once had a similar problem and simply running this command on the remote server fixed it:
netsh winhttp reset proxy
You can read more about netsh here:
WINHTTP - netsh
Hope that helps, good luck!

How to configure Ansible with Cygwin on windows hosts

Since my company needs time to consider security issues with WinRM which is used by Ansible to manage windows hosts I was thinking about doing it via Cygwin ssh connection which we already have installed.
Is this even possible?
I tried to setup env variables like that:
ansible_connection: ssh
ansible_shell_type: cmd
And I'm trying to create a folder with the following playbook:
- name: Ensure C:\Temp exists
  win_file:
    path: C:\Temp
    state: directory
Gathering Facts is successful, but I'm getting: FAILED! => {"changed": false, "msg": "Unhandled exception while executing module: The system cannot find the path specified"}
In theory, Ansible, since v.2.8, supports doing connections through SSH, new windows even come with a Microsoft fork of OpenSSH.
I am having trouble to make it work (that's how I ended up here), but I recommend you to take a look to the following links:
https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#windows-ssh-setup
If you can do SSH using the PK, but you get an unreachable from Ansible, you may need to check also this:
How to fix "Unreachable" when ping windows with ansible over ssh?
For Windows Server 2019/10's OpenSSH configuration:
https://www.youtube.com/watch?v=Cs3wBl_mMH0
Setting up OpenSSH for Windows using public key authentication

Unable to ping my Windows Server using win_ping

When I tried to ping my Windows instance using ansible windows -i hosts.ini -m win_ping, I got the following error:
54.197.197.91 | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
My hosts.ini file looks like:
[windows]
54.197.197.91
[windows:vars]
ansible_ssh_user=Administrator
ansible_ssh_pass=MyPassword123!
ansible_ssh_port=5985
ansible_connection=winrm
To solve that, I have done this :
ansible-vault create secret.yml
and entered my password there like this:
win_initial_password: MyPassword123!
Then, my hosts.ini file looked like:
[windows]
54.197.197.91
[windows:vars]
ansible_ssh_user=Administrator
ansible_ssh_pass={{ win_initial_password }}
ansible_ssh_port=5985
ansible_connection=winrm
When I tried pinging, I got the below error :
54.197.197.91 | FAILED! => {
"failed": true,
"msg": "the field 'password' has an invalid value, which appears to include a variable that is undefined. The error was: 'win_initial_password' is undefined"
}
Where am I going wrong?
I solved it by changing these :
ansible_ssh_port=5986
ansible_winrm_server_cert_validation=ignore
This worked.
As I was following an Ansible example similar to the original post, the accepted answer didn't work for me, the following got it working
Note: This is sending password in plain text so don't use in production
On the target machine, run a powershell with admin rights and enter these commands:
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Also verify your firewall is configured correctly to allow the necessary ports through (TCP/5985, TCP/5986)
Sources:
http://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#authentication-options
https://github.com/diyan/pywinrm/issues/114
Still was an issue for me. My solution was to reinstall python-pip packages related to winrm from scratch. I had to use official Ansible documentation. As per documentation:
apt-get install python-pip git libffi-dev libssl-dev -y
pip install ansible pywinrm
Port number for Windows is 5986 so your var configuration should be ansible_ssh_port: 5986
I came across this same issue even with "AllowUnencrypted" set to true. I observed that win_ping was working for IEUser that was added to Administrator group but failing with
windows-server | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
for test-user that was not in Administrator group.
So I added the test-user to Administrator group and the issue got resolved.
I've googled a lot and finally the below configuration worked for me. I've added ntlm to my config file.
ansible_user: user@DOMAIN.COM
ansible_password: password
ansible_connection: winrm
ansible_ssh_port: 5986
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore
Windows:
I have installed UBUNTU18-LTE in windows and face a lot of issues. So sharing my experience with the same error. Hope this will help.
The user must be local. Guys remember the user(ansible) must be a local(host - 192.168.11.22) admin user else no use of the below process.
Hosts file example.
cat /etc/ansible/hosts
[win]
192.168.11.22
[win:vars]
ansible_connection=winrm
ansible_user=ansible # Local admin user of host machine 192.168.11.22
ansible_password=ansible123
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=basic
ansible_port=5985 #HTTP
Run the below command on host PowerShell windows.
winrm configsddl default #Give permission to ansible user
Post step 2 configuration execute below 2 commands on host PowerShell.
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Other useful PowerShell commands to test the winrm connection.
winrm enumerate winrm/config/Listener
winrm get winrm/config
WinRM quickconfig #Check winrm service is running
winrs -r:http://hostservername:5985/wsman -u:RDPusername -p:RDPpassword ipconfig/all
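A check for the inventory settings discussed in the posts above, added here as an example (it is not code from any of the answers or from Ansible): it reads the `[group:vars]` sections of an INI inventory and reports Basic auth over HTTP, disabled certificate validation, literal passwords and misspelled connection keys. The function names and finding labels are hypothetical, the sample inventory is constructed, and an unset transport is assumed to mean Basic.

```python
import difflib
import re

# Connection variables this check knows (a subset of what Ansible accepts).
KNOWN = ["ansible_user", "ansible_password", "ansible_port", "ansible_connection",
         "ansible_winrm_scheme", "ansible_winrm_transport",
         "ansible_winrm_server_cert_validation"]
LEGACY = {"ansible_ssh_user": "ansible_user", "ansible_ssh_pass": "ansible_password",
          "ansible_ssh_port": "ansible_port"}

def parse_group_vars(text):
    """Return {group: {key: value}} for each [group:vars] section of an INI inventory."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[([^\]:]+)(:vars)?\]", line)
        if header:
            current = groups.setdefault(header.group(1), {}) if header.group(2) else None
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            current[LEGACY.get(key, key)] = value  # normalise ansible_ssh_* names
    return groups

def audit(text):
    """Return sorted (group, finding) pairs for groups that connect over WinRM."""
    findings = set()
    for group, v in parse_group_vars(text).items():
        if v.get("ansible_connection") != "winrm":
            continue
        for key in v:  # a near-miss of a known key is most likely a typo
            if key not in KNOWN and difflib.get_close_matches(key, KNOWN, 1, 0.9):
                findings.add((group, "typo:" + key))
        port = v.get("ansible_port", "5986")
        scheme = v.get("ansible_winrm_scheme", "http" if port == "5985" else "https")
        # Assumption of this example: an unset transport is treated as Basic.
        transport = v.get("ansible_winrm_transport", "basic")
        if scheme == "http" and transport == "basic":
            findings.add((group, "basic-over-http"))  # password is only base64-encoded
        if scheme == "https" and v.get("ansible_winrm_server_cert_validation") == "ignore":
            findings.add((group, "tls-unverified"))   # server certificate is not checked
        if "{{" not in v.get("ansible_password", "{{"):
            findings.add((group, "inline-password"))  # literal secret in the inventory
    return sorted(findings)

SAMPLE = ("[win]\n192.168.11.22\n[win:vars]\nansible_connection=winrm\n"
          "ansible_password=ansible123\nansible_winrm_trasport=basic\n"
          "ansible_port=5985\n")  # constructed inventory with a misspelled key

if __name__ == "__main__":
    print(audit(SAMPLE))
```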

Unable to connect to a Windows Instance using Ansible Playbook

Every time I try running a playbook to automate some installations in Windows Server, my Windows Remote Host seems to be unreachable.
Here, I am trying to install IIS Server and my playbook looks like this :
---
- hosts: windows
  tasks:
    - name: Install Microsoft IIS
      win_feature:
        name: Web-Server
        state: present
And the error is :
fatal: [ec2-54-197-197-91.compute-1.amazonaws.com]: UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='ec2-54-197-197-91.compute-1.amazonaws.com', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x1b11310>, 'Connection to ec2-54-197-197-91.compute-1.amazonaws.com timed out. (connect timeout=30)'))",
"unreachable": true
}
But, now I came to know that, to run playbooks for Windows, I need to have winrm installed on my control node.
I have done the following :
pip install "pywinrm>=0.1.1"
I have added the public ip of Windows Instance and my hosts file looks like:
[local]
127.0.0.1
[aws]
ec2-54-152-85-197.compute-1.amazonaws.com
[windows]
ec2-54-197-197-91.compute-1.amazonaws.com
Then, I created a directory "group_vars" in /etc/ansible, and in that a file windows.yml which reads :
ansible_user: Administrator
ansible_password: SecretPasswordGoesHere
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
Please let me know where I am going wrong.
(most likely, because you have not mentioned it)
You need to configure remote commands in PowerShell on your Windows instance (as described in the Windows system prep section). Execute the following (with administrator permissions):
iwr https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -UseBasicParsing | iex
Before, depending on your settings, you might also need to enable the PowerShell execution policy, set the network interface to private network (mind the InterfaceAlias value below) and enable PowerShell remoting.
Set-ExecutionPolicy Unrestricted -Force
Set-NetConnectionProfile -InterfaceAlias Ethernet0 -NetworkCategory Private
Enable-PSRemoting

Ansible windows fails with "Server not found in Kerberos database"

I am testing ansible (developer build) to connect to a windows machine.
ansible 2.0.0 (devel d1b98ec776)
The following command fails
ansible inh-jnambood-dt.india.mentorg.com -m win_ping -vvvv
Error is as below
bash-4.1$ ansible inh-jnambood-dt.india.mentorg.com -m win_ping -vvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<inh-jnambood-dt.india.mentorg.com> ESTABLISH WINRM CONNECTION FOR USER: jnambood@MGC.MENTORG.COM on PORT 5985 TO inh-jnambood-dt.india.mentorg.com
inh-jnambood-dt.india.mentorg.com | FAILED! => {
"failed": true,
"msg": "ERROR! kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), plaintext: 401 Unauthorized."
jnambood is my user id; MGC.MENTORG.COM is the domain.
Clearly there is some step I missed. What should I do to fix this error?
That usually means that the Linux host where you're running kinit is not joined to the domain (ie, it doesn't have a properly configured computer account in the domain). The existing docs unhelpfully omit that requirement...
I've also seen this occur where the FQDN of the host is not entered in both the command and the ansible hosts file.
Try something like:
inh-jnambood-dt.mcg.mentorg.com
HTH
I'm not using Ansible, but pywinrm directly. To get things working from a RHEL7 computer to a Windows 10 host in the domain, I changed @ to / in the pywinrm code. I did this because I saw other software use HTTP/hostname and not HTTP@hostname when talking to Kerberos. Hope this is useful for somebody.
https://github.com/requests/requests-kerberos/pull/141/commits
We had this same error. For us, it was resolved by shortening the hostname to have less than 15 characters.
