Kerberos authentication over HTTP failing with Ansible playbook - ansible

I am building a playbook in Ansible that will add some DNS entries to multiple Windows 2012 R2 domain controllers (DC). When attempting to authenticate over HTTP the DC rejects my credentials.
I have followed the documentation on the Ansible website to configure Kerberos on my control machine.
http://docs.ansible.com/ansible/intro_windows.html#active-directory-support
I have also confirmed that I can log into the domain using my credentials:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my-user@<REDACTED>
Valid starting       Expires              Service principal
10/06/2016 09:47:03  10/06/2016 19:47:03  krbtgt/<REDACTED>@<REDACTED>
        renew until 10/07/2016 09:46:59
10/06/2016 09:47:48  10/06/2016 19:47:03  HTTP/phx-dev-mwad01.<REDACTED>@<REDACTED>
        renew until 10/07/2016 09:46:59
10/06/2016 09:54:15  10/06/2016 19:47:03  HTTP/phx-dev-mwad02.<REDACTED>@<REDACTED>
        renew until 10/07/2016 09:46:59
10/06/2016 12:08:28  10/06/2016 19:47:03  HTTP/phx-dev-want01.<REDACTED>@<REDACTED>
        renew until 10/07/2016 09:46:59
I redacted the domain for security purposes.
Here is my config file for winrm:
ansible_user: my-user@<REDACTED>
ansible_password: SomePass
ansible_port: 5985
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore
I am able to connect to the Windows servers over port 5986 (HTTPS); however, in production the domain controllers are not configured for 5986, so Ansible must be able to establish the connection over port 5985 (HTTP). This requirement will not change in production.
When attempting the connection over 5985 my credentials are rejected:
fatal: [phx-dev-mwad02]: UNREACHABLE! => {"changed": false, "msg": "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server", "unreachable": true}
WinRM is set to allow remote management:
$ winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
Here is a gist to our WinRM configuration:
https://gist.github.com/anonymous/f2baaff517287c535453dbba4ef03b69
And yes, I have confirmed that my credentials are correct.

Look at AllowUnencrypted = false in your WinRM server's config. It seems for now python winrm doesn't support message encryption without HTTPS. As a workaround you can set it to true, which is insecure, so I strongly recommend against this (cmd):
winrm set winrm/config/service @{AllowUnencrypted="true"}
See the "HTTP or HTTPS endpoint" section of https://pypi.python.org/pypi/pywinrm

Related

credssp: Bad HTTP response returned from server. Code 502

Seeing error credssp: Bad HTTP response returned from server. Code 502
Ansible is installed on a Linux machine and I am trying to establish a connection to a Windows client machine.
I have set the variables below as per: https://docs.ansible.com/ansible/latest/os_guide/windows_winrm.html
ansible_user: <uname>
ansible_password: <pass>
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: credssp
Running the playbook results in the error below. Could you give any pointers on what to check further to resolve this?
fatal: [<hostname>]: UNREACHABLE! => {"changed": false, "msg": "credssp: Bad HTTP response returned from server. Code 502", "unreachable": true}
Adding details on the client setup, which looks OK, following along with: https://docs.ansible.com/ansible/latest/os_guide/windows_setup.html#winrm-listener
PS C:\Windows\system32> (Get-Service "WinRM").Status
Running
The output below indicates HTTP: Enabled:
PS C:\Temp\Ansible> .\ConfigureRemotingForAnsible.ps1 -Verbose
VERBOSE: Verifying WinRM service.
VERBOSE: PS Remoting is already enabled.
VERBOSE: SSL listener is already active.
VERBOSE: Basic auth is already enabled.
VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
VERBOSE: HTTP: Enabled | HTTPS: Disabled
VERBOSE: PS Remoting has been successfully configured for Ansible.
The execution policy is set to Unrestricted as well.
PS C:\Temp\Ansible> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine Unrestricted
The PowerShell version looks OK (5.x):
PSVersion 5.1.19041.1682
And a quick check of the HTTP endpoint with the command below works on the Windows client as well. I am seeing the issue only from the Linux machine from which I am trying to connect and run the playbook.
winrs -r:http://<hostname>:5985/wsman -u:<user> -p:<pass> ipconfig
Based on the chosen authentication method
ansible_winrm_transport: credssp
together with the missing information about CredSSP on the Windows side in the question and the 502 error, I assume that this might be caused by CredSSP not being enabled.
As stated in the Ansible WinRM module documentation, if the selected authentication method is CredSSP, it needs to be enabled:
CredSSP authentication is not enabled by default on a Windows host,
but can be enabled by running the following in PowerShell:
Enable-WSManCredSSP -Role Server -Force
According to the WSMAN Documentation the state of the CredSSP can be checked with:
Get-WSManCredSSP
Possible results:
If the computer is configured for CredSSP, this is the output:
The machine is configured to allow delegating fresh credentials to the
following target(s): wsman/server02.accounting.fabrikam.com
If the computer is not configured for CredSSP, this is the output:
The machine is not configured to allow delegating fresh credentials.
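The AllowUnencrypted setting discussed in the first answer on this page and the CredSSP state from the answer above both appear in the dump that `winrm get winrm/config` prints on the Windows host. The Python below is an added example, not code from the questions or from Ansible/pywinrm: it parses that dump into nested dicts and flags the service-side settings a defender would want to keep off on a host that exposes port 5985. The sample dump is constructed (the values are chosen to trip every check); the layout it assumes, 4-space indentation with `Name = value` leaves and a bare name for each sub-section, is what `winrm get winrm/config` prints.

```python
"""Parse the indented dump printed by `winrm get winrm/config` and flag the
service-side settings that weaken WinRM over port 5985/5986.

Added example; not code from the questions above or from Ansible/pywinrm.
"""

# Constructed sample, trimmed to the keys the audit looks at. The values are
# chosen to trip every check; they are not taken from any host on this page.
SAMPLE_CONFIG = """\
Config
    MaxEnvelopeSizekb = 500
    Client
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        AllowRemoteAccess = true
"""

INDENT_WIDTH = 4


def parse_winrm_config(text):
    """Build nested dicts from the dump: sections map to dicts, leaves to str.

    A bare name with no children (e.g. an empty TrustedHosts) becomes {}.
    """
    root = {}
    stack = [(-1, root)]                 # (nesting level, dict at that level)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        level = (len(raw) - len(raw.lstrip(' '))) // INDENT_WIDTH
        line = raw.strip()
        while stack[-1][0] >= level:     # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if ' = ' in line:
            key, value = (part.strip() for part in line.split(' = ', 1))
            parent[key] = value
        else:
            child = {}
            parent[line] = child
            stack.append((level, child))
    return root


def _is_true(value):
    return str(value).strip().lower() == 'true'


def audit_winrm_config(config):
    """Return [(severity, path, finding), ...] for the Service subtree."""
    service = config.get('Config', {}).get('Service', {})
    auth = service.get('Auth', {})
    findings = []
    if _is_true(service.get('AllowUnencrypted')):
        findings.append(('high', 'Service/AllowUnencrypted',
                         'unencrypted WS-Man bodies are accepted on the HTTP listener; '
                         'Basic credentials and command output then cross the wire in clear'))
    if _is_true(auth.get('Basic')):
        findings.append(('high', 'Service/Auth/Basic',
                         'Basic auth enabled; the password is only base64-encoded, '
                         'so it is safe solely inside an HTTPS listener'))
    if _is_true(auth.get('CredSSP')):
        findings.append(('medium', 'Service/Auth/CredSSP',
                         'CredSSP enabled; the host receives delegable credentials, '
                         'so limit it to hosts that truly need a second hop'))
    cbt = auth.get('CbtHardeningLevel', 'unset')
    if cbt.lower() != 'strict':
        findings.append(('low', 'Service/Auth/CbtHardeningLevel',
                         'channel binding is %s, not Strict, on the HTTPS listener' % cbt))
    return findings


def hardened_copy(text):
    """Rewrite the dump with the audited values at their safer setting so the
    same audit can be shown passing (a string rewrite, not a winrm call)."""
    return (text.replace('AllowUnencrypted = true', 'AllowUnencrypted = false')
                .replace('CredSSP = true', 'CredSSP = false')
                .replace('CbtHardeningLevel = Relaxed', 'CbtHardeningLevel = Strict')
                .replace('Basic = true', 'Basic = false'))


if __name__ == '__main__':
    for severity, path, text in audit_winrm_config(parse_winrm_config(SAMPLE_CONFIG)):
        print('[%s] %s: %s' % (severity.upper(), path, text))
    print('hardened:', audit_winrm_config(parse_winrm_config(hardened_copy(SAMPLE_CONFIG))))
```

To run it against a real host, paste the output of `winrm get winrm/config` into a file and feed its contents to `parse_winrm_config`; the audit only reads the Service subtree, since the Client subtree governs outbound connections from that host and does not affect what Ansible is allowed to do to it.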
First, make sure that the user you are trying to connect with has admin rights on the remote computer.
If the user does, maybe it's a problem with the proxy.
I once had a similar problem and simply running this command on the remote server fixed it:
netsh winhttp reset proxy
you can read more about netsh here:
WINHTTP - netsh
Hope that helps, good luck!

WinRM HTTPS - Certificate: the specified credentials were rejected by the server

We have a few servers where the WinRM authentication is failing using the local admin account and the certificate because of the rejected credentials:
msg: certificate: the specified credentials were rejected by the server
Note that we have used the exact same setup on other servers and it works there. What's the issue/difference here compared to the other servers?
We have also tried all the known "workarounds" like adding the REG_DWORD "ClientAuthTrustMode" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel" but it didn't help.
The WinRM HTTPS listener is properly configured and certificate authentication is allowed.
The error from the event log:
Provider Health: The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be verified. Please check the username and password used for mapping this certificate and verify that it is a non-domain account and try again.
Details:
ProviderName=WSMan
ExceptionClass=ProviderInvocationException
ErrorCategory=InvalidOperation
ErrorId=WsManError
ErrorMessage=The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be verified. Please check the username and password used for mapping this certificate and verify that it is a non-domain account and try again.
Any ideas?

Connection problem with WinRM and Ansible

I am trying to connect to multiple Windows nodes but I am getting different errors. The behaviour is the same for all of them. I have done it many times successfully in other environments, but in this case there must be some problem that I cannot find out. In case it is relevant, my infrastructure consists of a Kubernetes cluster made up of several pods. One of those pods has a container in which I have Ansible installed, and it is from this container that I want to establish the remote connection with machines outside the cluster. Below I show all my attempts to make it work on one of the nodes.
First of all, I have run the script ConfigureRemotingForAnsible.ps1 to initiate WinRM so that Ansible can connect. The WinRM configuration shows that Basic, Kerberos, Negotiate, and Certificate auth are enabled. Both HTTP and HTTPS listeners are configured too:
WinRM configuration and listeners
To check that everything is set up correctly, I have carried out some tests:
Run Test-WSMan
Log in powershell session from remote machine
Node is reachable from the container
Tests
I have used Basic, NTLM and Certificate auth. Here is my inventory (I do not utilize a domain user but a local user) and the result when I make a win_ping with Ansible in each case:
- Basic: port 5986
[prueba_cinco]
host ansible_host=IP
[prueba_cinco:vars]
ansible_user=user
ansible_password=pass
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
Basic: port 5986 output
- Basic: port 5985
[prueba_cinco]
host ansible_host=IP
[prueba_cinco:vars]
ansible_user=user
ansible_password=pass
ansible_connection=winrm
ansible_port=5985
Basic: port 5985 output
This is the expected behaviour, since AllowUnencrypted in the winrm configuration is set to false.
Just to gain more insight into the problem, I allowed unencrypted traffic, and after that the connection could be established normally:
WinRM config: AllowUnencrypted and Basic: port 5985 output 2
- NTLM: port 5986
[prueba_siete]
host ansible_host=IP
[prueba_siete:vars]
ansible_user=user
ansible_password=pass
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=ntlm
NTLM: port 5986 output
- NTLM: port 5985
[prueba_siete]
host ansible_host=IP
[prueba_siete:vars]
ansible_user=user
ansible_password=pass
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_port=5985
NTLM: port 5985 output
This works, although a huge error is obtained. I later tried this option with a domain user and the credentials were rejected.
- Certificate: port 5986 (only works with HTTPS)
For this method, I have followed the procedure in the official documentation. I have generated a certificate with New-SelfSignedCertificate in PowerShell. Then I have converted the PFX file created to a private key with OpenSSL (that also contains the public key). Lastly, I have imported the certificate into the Certificate Store and mapped the certificate to an account.
[WINDOWS]
host ansible_host=IP
[WINDOWS:vars]
ansible_connection='winrm'
ansible_winrm_cert_pem='cert_win.pem'
ansible_winrm_cert_key_pem='cert_win.pem'
ansible_winrm_transport='certificate'
ansible_winrm_scheme='https'
ansible_winrm_server_cert_validation='ignore'
Certificate: port 5986 output
As you may have noticed, when I try to connect through port 5986, I always obtain a timeout (Read timed out) regardless of the method or credentials. I have increased the execution timeout, but the result is the same. On the other hand, port 5985 seems to work, but an error related to headers appears and I do not know the reason. Anyway, I would only use this one as a last option, since I need to use port 5986.
To make sure that the container configuration is not what is causing these issues, I have deployed the same image in another environment, and there everything works perfectly: I can connect to Windows nodes without any error.
Does anyone know what is happening?
Thank you in advance.

Cannot connect to WindowsServer from Centos7 due to ProxyError

I am trying to connect to Windows Server 2012 from my ansible server (Centos7).
Let's assume its host is x and port is y
I managed to connect to other linux based servers but I cannot connect to the windows one.
I followed the tutorial here and after all setups and configurations I get the following error:
root@localhost: ansible# ansible windows -i hosts -m win_ping --ask-vault-pass
Vault password:
WindowsServer | UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='x', port=y): Max retries exceeded with url: /wsman (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 403 Forbidden',)))",
This is my group_vars/windows.yml file:
# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml
ansible_user: Administrator
ansible_password: password
ansible_port: y
ansible_connection: winrm
This is my hosts file snippet:
[windows]
WindowsServer ansible_host=x
I did configure the Windows server with this file.
Please help, I have no idea what to do to make the connection work.
As J and Mike from the Ansible Google group suggested:
The reason for the error was the environment variables HTTP_PROXY and HTTPS_PROXY that Ansible picked up from the system.
To let Ansible know that you are using a proxy you have to:
1. Locate transport.py that comes with pywinrm.
2. Modify the following line, session.trust_env, to make it false.
# configure proxies from HTTP/HTTPS_PROXY envvars
# session.trust_env = True
session.trust_env = False
3. pywinrm will no longer check your local env for a proxy.
After that I also needed to add one more variable to the group_vars/windows.yml file:
ansible_winrm_server_cert_validation: ignore
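The answer above disables environment proxy lookup by patching pywinrm. The Python below is an added example (not code from the answer or from pywinrm) that shows where that lookup comes from: `requests`, which pywinrm uses, reads HTTP_PROXY, HTTPS_PROXY and NO_PROXY with the same logic as the stdlib helpers called here, but only while `session.trust_env` is True. Seeing the decision for a given environment makes it clear that scoping the proxy with NO_PROXY is an alternative to patching the library. The environment, host names and proxy address are constructed; the target URL and the `trust_env` switch are assumptions for illustration.

```python
"""Resolve which proxy, if any, the HTTP_PROXY / HTTPS_PROXY / NO_PROXY
environment would hand to a WinRM request, using the stdlib helpers that sit
underneath `requests` (pywinrm leaves session.trust_env = True unless patched
as in the answer above).

Added example; not code from the answer or from pywinrm.
"""

import os
import urllib.parse
import urllib.request
from unittest import mock

# Constructed environment reproducing the situation in the question: a
# corporate proxy is configured system-wide and there is no NO_PROXY scope.
CONSTRUCTED_ENV = {
    'HTTP_PROXY': 'http://proxy.corp.example:3128',
    'HTTPS_PROXY': 'http://proxy.corp.example:3128',
}


def proxy_decision(target_url, env, trust_env=True):
    """Return (proxy_url_or_None, reason) for target_url under `env`.

    `env` stands in for the process environment and is applied with
    mock.patch.dict, so the real environment is restored afterwards.
    trust_env=False mirrors the pywinrm patch from the answer: the
    environment is never consulted at all.
    """
    if not trust_env:
        return None, 'trust_env is False; environment proxies ignored'
    parts = urllib.parse.urlsplit(target_url)
    with mock.patch.dict(os.environ, env, clear=True):
        # {'http': url, 'https': url, 'no': hosts} built from *_proxy variables
        proxies = urllib.request.getproxies_environment()
        # NO_PROXY suffix match against the host (port is stripped internally)
        bypass = urllib.request.proxy_bypass_environment(parts.netloc, proxies)
    proxy = proxies.get(parts.scheme)
    if proxy is None:
        return None, 'no %s_proxy variable set' % parts.scheme
    if bypass:
        return None, 'host matched NO_PROXY=%s' % proxies['no']
    return proxy, 'CONNECT tunnel via %s' % proxy


if __name__ == '__main__':
    target = 'https://win01.corp.example:5986/wsman'   # constructed target
    for label, env, trust in [
        ('system proxy, no scope', CONSTRUCTED_ENV, True),
        ('NO_PROXY covers the domain', dict(CONSTRUCTED_ENV, NO_PROXY='.corp.example'), True),
        ('trust_env patched to False', CONSTRUCTED_ENV, False),
    ]:
        print('%-28s -> %s' % (label, proxy_decision(target, env, trust)))
```

The first case is the one in the question: the HTTPS request is turned into a CONNECT tunnel through the proxy, which answers 403. Setting NO_PROXY to the domain of the Windows hosts on the control machine (or in the Ansible environment) makes the second case apply, which keeps the proxy for everything else instead of switching the lookup off globally.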

Ansible: pinging windows machine using basic authentication

I have configured WinRM at Windows Server 2012 machine using the script suggested by Ansible team: https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
At Ansible control machine (Linux box), the configuration looks like this:
ansible_user: Administrator
ansible_password: PASS
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_scheme: http
ansible_winrm_server_cert_validation: ignore
Trying to ping the Windows machine I still get:
10.2.75.142 | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
User credentials are working credentials of local Windows user, belonging to Administrator group. Am I still missing some config on either side?
I've had a similar problem. Through Ansible I was getting:
the specified credentials were rejected by the server
but when executing command from windows machine using winrs it was fine. For example:
winrs -r:https://myserver.com -u:Administrator -p:PASS ipconfig
was going through.
Unfortunately I didn't find any solution to have Ansible running with basic authentication. The workaround was to use NTLM authentication. I just added
ansible_winrm_transport: ntlm
to control machine configuration and it works fine ever since.
