when i run
knife bootstrap windows winrm <my ec2 fqdn> -x Administrator -P "<password>" -r "role[myrole]"
my instance is inside vpc and i have attached eip In place od i gave both my private ip and public ip
ERROR: Batch render command returned
ERROR: Failed to authenticate to ["10.220.15.254"] as Administrator
Response: Bad HTTP response returned from server (401).
what should be my for windows instance.
You should configure Windows Remote Management in the server as described at http://docs.opscode.com/plugin_knife_windows.html
Your error is due to Basic Authentication not being enabled, you have to run the following command in the Windows machine before attempting the bootstrap:
winrm set winrm/config/service/auth #{Basic="true"}
If running it from PowerShell put the parameter in single quotes '#{Basic="true"}'
Related
Seeing error credssp: Bad HTTP response returned from server. Code 502
Ansible is installed on Linux machine & I am trying to establish connection to Windows client machine
Have set below variables as per : https://docs.ansible.com/ansible/latest/os_guide/windows_winrm.html
ansible_user: <uname>
ansible_password: <pass>
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: credssp
Running playbook is resulting in below error. Could you give any pointers to check this further to get resolution on it?.
fatal: [<hostname>]: UNREACHABLE! => {"changed": false, "msg": "credssp: Bad HTTP response returned from server. Code 502", "unreachable": true}
Adding details on client setup, which looks ok, following along : https://docs.ansible.com/ansible/latest/os_guide/windows_setup.html#winrm-listener
PS C:\Windows\system32> (Get-Service "WinRM").Status
Running
Below indicates : HTTP: Enabled
PS C:\Temp\Ansible> .\ConfigureRemotingForAnsible.ps1 -Verbose
VERBOSE: Verifying WinRM service.
VERBOSE: PS Remoting is already enabled.
VERBOSE: SSL listener is already active.
VERBOSE: Basic auth is already enabled.
VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
VERBOSE: HTTP: Enabled | HTTPS: Disabled
VERBOSE: PS Remoting has been successfully configured for Ansible.
Exec policy set to Unrestricted as well.
PS C:\Temp\Ansible> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine Unrestricted
Powershell version looks ok : 5.x :
PSVersion 5.1.19041.1682
And quick check on http link per below is working on windows client as well. Issue I am seeing only from Linux machine from which I am trying to connect/run playbook.
winrs -r:http://<hostname>:5985/wsman -u:<user> -p:<pass> ipconfig
I assume upon the chosen authentication method
ansible_winrm_transport: credssp
and the missing info about the CredSSP on the Windows side in the question and the 502 error, that this might be caused, because CredSSP ist not enabled.
As stated in the Ansible WinRM Module Documentation, if the selected authentication method is CredSSP, it needs to be enabled:
CredSSP authentication is not enabled by default on a Windows host,
but can be enabled by running the following in PowerShell:
Enable-WSManCredSSP -Role Server -Force
According to the WSMAN Documentation the state of the CredSSP can be checked with:
Get-WSManCredSSP
Possible results:
If the computer is configured for CredSSP, this is the output:
The machine is configured to allow delegating fresh credentials to the
following target(s): wsman/server02.accounting.fabrikam.com
If the computer is not configured for CredSSP, this is the output:
The machine is not configured to allow delegating fresh credentials.
first make sure that the user you are trying to connect with has admin rights on the remote computer.
If the user does, maybe it's a problem with the proxy.
I once had a similar problem and simply running this command on the remote server fixed it:
netsh winhttp reset proxy
you can read more about netsh here:
WINHTTP - netsh
Hope that helps, good luck !
BACKGROUND:
We have many data services(DS) installed in different AWS EC2s. We are automating test cases for each of these using Robot Framework.
We will be executing the test scripts from a specific EC2 instance where we have a tool setup.
I have my robot script inside this specific EC2 and I need to 1st establish connection to my EC2 instances where one of the service is hosted.
ISSUE
I tried telnet and SSH but unlike telnet <IP add> <port> , here username is mandatory. I passed ec2-user and root, but it throws me authentication error. Can anyone guide me how to successfully establish connection between 2 EC2 instances so that I can run my test scripts successfully ?
Documentation Robot Framework test script
Library Telnet
*** Variables ***
${host} 10.231.XX.XX
${port} 11211
${username} ec2-user
${password} ${EMPTY}
*** Test Cases ***
Test Telnet
Open Connection ${host}
Login ${username} ${password} delay=1
Execute Command hostname
Close All Connections
I Have docker hosted in a win2K16 server (in the test scenario the host itself is a Domain Controller but in the real case scenario the host will be a machine in the domain).
In the container I have a IIS site that is required to do authentication through AD.
I have created a gMSA following the instructions in this url and tried to configure the host and the container using this steps
I start the container using the command: docker run -d --security-opt "credentialspec=file://gmsa.json" -h gmsa <image-name> (I've tried with and without the -h parameter) and loggin in with docker exec -ti <container-id> cmd.
In the host the command nltest /parentdomain returns as expected but nltest /query always return:
Flags: 0
Connection Status = 1786 0x6fa ERROR_NO_TRUST_LSA_SECRET
Can anyone point me out what I'm doing wrong?
Turns out that you cannot use host the container in the Domain Controller because you can't add the DC computer to the gMSA group.
I am using CHEF 12 and trying to bootstrap an EC2 instance (Win server 2012 R2) from my workstation. However, I am getting the below error.
> Waiting for remote response before
> bootstrap.....................ERROR: No response received from remote
> node after 2.08 minutes, giving up. ERROR: Network Error: No
> connection could be made because the target machine actively refused
> it. - connect(2) (http://52.76.1.57:5985) Check your knife
> configuration and network settings
I have two CHEF servers (Hosted as well as on-premises); I have tried bootstraping the EC2 instance using each of these, but get the same result.
Chef bootstrap command issued via power-shell:
PS ~\chef-repo> knife bootstrap windows winrm 52.76.1.57 --winrm-user Administrator --winrm-password '******' --node-name node_145 --run-list 'recipe[ie::esc],recipe[install_iis]'
As far as I researched, it is because I am not able to establish a WINRM connection from my workstation to the Ec2 instance. I am however able to connect to another Win 2012 server within my office network and bootstrap successfully.
have already logged in remotely to the EC2 instance and run winrm quickconfig from powershell.
have set the Administrator password to a desired one.
Have opened inbound firewall rule for WIndows remote management on ports 5985 and 5986
Set up setcurity group and allowed inbound Custom TCP rule for ports 5985 and 5986 on AWS
you took all the necessary steps for this, would it be possible that you are getting filtered by a firewall (e.g company firewall)?
fyi, I managed to bootstrap a machine with the following steps:
# configure winrm for using knife winrm
winrm set winrm/config/service/auth '#{Basic="true"}'
winrm set winrm/config/service '#{AllowUnencrypted="true"}'
set-item WSMan:\localhost\Client\allowunencrypted $true
#turn off firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
EDIT: to sum up below comments, the problem was the company firewall that was blocking the traffic
Windows 2012 R2 introcuced changes within WinRM security, which rendered some of old articles / readme examples explaining usage of knife-ec and knife-windows unusable.
This article http://blog.coderinserepeat.com/2015/07/15/chef-knife-ec2-and-knife-windows/ pretty much sums up how to deal with this in recent versions of knife plugins.
I am trying to bootstrap a windows winrm using knife command.
I have enabled the tcp port 5985.
But i still get the following error:
ERROR: Network Error: Connection refused - connect(2) (http://:5985)
I am able to remotely login to the machine as well by providing username and password
I could not resolve. Has anyone come across this problem and found a solution?
Check that you can telnet remote_host 5985. This should open a dumb session into which you can enter "quit". If not, look again at how you have enabled winrm and the firewall on the remote host.
I got winrm bootstrap working on Windows VMs which did not have firewall enabled like this:
All the following on the remote Windows machine you want to bootstrap...
Enable winrm:
winrm quickconfig -q
Enable and start the firewall service (so we can successfully config winrm):
sc config mpssvc start= demand
sc start mpssvc
Configure winrm per chef recommendations:
winrm set winrm/config/winrs #{MaxMemoryPerShellMB="300"}
winrm set winrm/config #{MaxTimeoutms="1800000"}
winrm set winrm/config/service #{AllowUnencrypted="true"}
winrm set winrm/config/service/auth #{Basic="true"}
Stop the firewall service again:
sc stop mpssvc
... or configure it to allow to winrm connections from the workstation.
Now, on your workstation, validate the set up:
Validate that remote host is listening on default winrm port
telnet remote_host 5985
(If connection is successful, a blank telnet session will open. You can enter "quit" to exit it.)
Optionally validate that knife winrm can connect to the remote host (e.g. to list the c:\ directory)
knife winrm -m remote_host -x remote_user -P remote_password 'dir c:\'
Bootstrap the node
knife bootstrap windows winrm remote_host -x remote_user -P remote_password
Since you ask for an answer drawing from credible and/or official sources here are the references I found useful when figuring out how to get winrm bootstrap to work:
http://docs.opscode.com/install_windows.html
http://docs.opscode.com/plugin_knife_windows.html
http://developer.rackspace.com/blog/step-by-step-walkthrough-to-using-chef-to-bootstrap-windows-nodes-on-the-rackspace-cloud.html
I have faced the similar issue.One of the reasons for this might be you knife-windows gem is not installed in expected location.
knife-windows resolves target hostname.if its not properly installed winrm knife cant resolve targetname.So to overcome this install knife-windows as below
To install the knife windows plugin using RubyGems, run the following command:
$ /opt/chef/embedded/bin/gem install knife-windows
if properly installed you should be able to find knife-windows at /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/