AAP WinRM Kerberos without SPN

I’m using an operator install of Ansible Automation Platform 2.5 on OpenShift.

We have multi-homed Windows servers I want to connect to with WinRM and the interfaces are handled with different FQDNs. I am authenticating for WinRM via Kerberos, but the FQDN I need to connect to isn’t a HOST SPN. A ping template successfully connects to the server if I use an SPN that exists as a HOST entry.
For example:

setspn -L myhost
HOST/myhost
HOST/myhost.interface1.domain.local
TERMSRV/myhost.interface2.domain.local

Connection works fine if I use myhost.interface1.domain.local as my FQDN in my inventory.
How can I tell ansible with Kerberos to connect using myhost.interface2.domain.local?

Have you tried creating the SPN and using that FQDN?

If you are using the winrm connection plugin you can set the variable ansible_winrm_kerberos_hostname_override to override the hostname portion of the SPN used with Kerberos auth. The psrp connection plugin uses the variable ansible_psrp_negotiate_hostname_override. Otherwise you can also do as suggested and manually add the SPNs for the hostname you are connecting with.
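As an added illustration (not part of the reply above or of Ansible's own documentation), here is a YAML inventory that applies the two variables named in the reply to the thread's host names. Host and domain names are the placeholders from the thread; the winrm and psrp settings shown are standard plugin variables, and the port/scheme values are assumptions you would adjust to your listeners.

```yaml
# Added example: multi-homed host reached via interface2, while the Kerberos
# service ticket is requested for the name that actually carries the SPN
# (interface1). Names and domain are placeholders taken from the thread.
windows_servers:
  vars:
    ansible_connection: winrm
    ansible_winrm_transport: kerberos
    ansible_port: 5986              # assumption: HTTPS listener
    ansible_winrm_scheme: https
  hosts:
    myhost.interface2.domain.local:
      # TCP traffic goes to interface2; the SPN used for the Kerberos
      # ticket request becomes HTTP/myhost.interface1.domain.local.
      ansible_winrm_kerberos_hostname_override: myhost.interface1.domain.local

# The same override expressed for the psrp connection plugin, which uses a
# different variable name for the hostname portion of the SPN.
windows_servers_psrp:
  vars:
    ansible_connection: psrp
    ansible_psrp_auth: kerberos
    ansible_psrp_protocol: https    # assumption: HTTPS listener
  hosts:
    myhost.interface2.domain.local:
      ansible_psrp_negotiate_hostname_override: myhost.interface1.domain.local
```

Keeping the override on the host entry rather than in group vars matters here: each multi-homed host needs its own SPN-bearing name, and a group-level value would send every host's ticket request to the same service principal.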

I am testing this. It appears this is what I’ll need to do.

Ansible docs say HTTP is the default service class. I wonder why it’s not defaulting to WSMAN.

I’m using groups of hosts in my inventory and specifying the Kerberos variables there. We don’t have appropriate SPNs already existing in our domain that would make this feasible.

If I have to add SPNs anyway, I’m thinking I might as well just create the correct ones and specify the correct FQDNs in my inventory. Great idea though. I wasn’t aware of these options.

I’m curious how this might work though. Assuming I have SPN
HTTP/myhost.interface1.domain.local
(I’m seeing in docs that Ansible defaults to HTTP Kerberos service class for WinRM)
…per host in inventory as so (with proper indentation, of course)?

windows_servers:
  hosts:
    myhost.interface2.domain.local:
      ansible_winrm_kerberos_hostname_override: myhost.interface1.domain.local

I need to update the docs but the winrm connection plugin defaults to HTTP while the psrp connection plugin right now defaults to WSMAN. I actually have a new release of the underlying psrp library to change the default from HTTP to host but that isn’t live yet.

The reason why WSMAN isn’t used is because not even the WinRM client on Windows uses WSMAN for Kerberos auth. Doing Invoke-Command -ComputerName foo { ... } actually uses the host SPN and this is why I’m changing the psrp library’s defaults as well. The WSMAN service is only used with CredSSP authentication for some unknown reason and it’s not always registered to hosts so it’s not 100% reliable.

The key thing here is that the server you are talking to must have the SPN registered on it. This is the server identification security feature that is part of Kerberos. If the computer principal in AD doesn’t have the SPN registered or the SPN is registered to another principal then the WinRM service will fail to prove its identity breaking the authentication side.
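Because a missing or wrongly owned SPN fails silently as a generic authentication error, it is worth checking ownership before changing inventory. The following playbook is an added example, not code from the thread or from Ansible, and it assumes a Windows host you can already reach (for instance via the working interface1 FQDN) that has the ActiveDirectory PowerShell module installed; `expected_account` is a placeholder for the computer account that should own the SPN.

```yaml
# Added example: confirm that the SPN Ansible will request is registered
# to exactly the computer account you expect, and to nothing else.
# Assumes: a reachable Windows host with RSAT/ActiveDirectory module.
- name: Check SPN ownership before relying on Kerberos auth
  hosts: windows_servers
  gather_facts: false
  vars:
    # HTTP is the winrm plugin's default service class (per the reply above)
    spn_to_check: "HTTP/{{ ansible_winrm_kerberos_hostname_override | default(inventory_hostname) }}"
    expected_account: "MYHOST$"   # placeholder: sAMAccountName of the computer object
  tasks:
    - name: Look up which account(s) hold the SPN
      ansible.windows.win_shell: |
        Import-Module ActiveDirectory
        $spn = '{{ spn_to_check }}'
        $owners = Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName |
            Select-Object -ExpandProperty sAMAccountName
        # Empty output means the SPN is not registered anywhere in the domain.
        $owners -join ','
      register: spn_owner
      changed_when: false

    - name: Fail if the SPN is missing or registered to a different principal
      ansible.builtin.assert:
        that:
          - spn_owner.stdout | trim == expected_account
        fail_msg: >-
          SPN {{ spn_to_check }} is owned by '{{ spn_owner.stdout | trim }}'
          (expected '{{ expected_account }}'); Kerberos auth to this host
          will not be able to prove the server's identity.
        success_msg: "SPN {{ spn_to_check }} is owned by {{ expected_account }}"
```

The assertion compares against a single account on purpose: a duplicate SPN (the same name registered on two principals) is just as fatal for Kerberos as a missing one, and the comma-joined output makes that case fail the check as well.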
