Access to windows host machine on ubuntu local

Hello everyone!

I am new to Ansible and have an issue interacting with a Windows host.

I configured the hosts file like this:

[windows_host]
34.235.150....

[windows_host:vars]
ansible_user=Administrator
ansible_password=kw=VPi*L)I4uzTp;
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=basic

but a timeout error occurs.

Here, the Windows machine is a t2.micro on AWS.

If someone knows, please help me.

Thanks.
Simon

First, you should scrub your post. Don’t share sensitive information like public IPs and passwords.

Second, have you configured the windows machine for winrm over https? That’s not enabled by default.

Lastly, have you configured AWS to allow traffic between your ubuntu machine and windows machine? At least on the winrm ports?


Thanks very much.
I’ve already configured the security rule on AWS.

And do you have any approach for configuring the Windows machine for WinRM over https?

Thanks again.


And I noticed that WinRM is working by default from this.

Windows servers enable winrm over http by default, but have no certificate to encrypt it over https. Only port 5985 will be listening on a fresh install.

That’s a fairly deep subject. Ideally, you would use Group Policy and a CA server to issue trusted certificates from AD and enable winrm over https automatically. If you don’t have AD infrastructure to provide that, then you might be able to get away with a handful of commands:

New-SelfSignedCertificate -DnsName ([system.net.dns]::GetHostByName($env:COMPUTERNAME).hostname)
Set-WSManQuickConfig -UseSSL -Force -SkipNetworkProfileCheck 
Enable-PSRemoting -Force -SkipNetworkProfileCheck 

Windows Remote Management — Ansible Community Documentation
Setting up a Windows Host — Ansible Community Documentation


I really appreciate your care.
I tried the command you mentioned, but it seems not to be working… :sleepy:

And is there any approach to connect with http, if possible?

Maybe:

$fqdn = [system.net.dns]::GetHostByName($env:COMPUTERNAME).hostname
New-SelfSignedCertificate -DnsName $fqdn -Subject "CN=$fqdn"

As for http, you can use it if you feel secure enough about it. WinRM uses its own encryption, which Microsoft feels comfortable enough with to enable WinRM over http for servers out of the box, but it doesn’t protect the initial handshake. So for a very brief moment, your sessions will be insecure. Enabling WinRM over https will protect that initial handshake.

The main thing you would need to do is include port 5985 in your AWS security rule, and then dumb down the Ansible config to use http instead of https.

ansible_user=Administrator
ansible_password=kw=VPi*L)I4uzTp;
ansible_port=5985
ansible_connection=winrm
#ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=ntlm # please don't use basic if you can help it

Hi @Denny-tech, I am really thankful for your kind mentoring.

Unfortunately, both https and http seem not to be working on my end.


My current OS is Ubuntu and the target is the latest Windows version on an AWS AMI.

To solve this issue, is there any method if port 5986 or 5985 is opened on the target?

Our company is trying to use Ansible and it is R&D for me. :slight_smile:
Ansible worked well with Ubuntu, but in terms of Windows, it is really hard for me.

If you don’t mind, can we have a discussion on Telegram or Skype?
If you don’t want to, it’s okay enough for me.

Really, thank you, @Denney-tech. You are a really good man.

Simon

My guess at this point is that you have a routing issue between your Ubuntu host and Windows host. Unfortunately, I don’t know enough about AWS to point you in the right direction.

You can test from your Ubuntu VM though:

nmap -p 5985-5986 -Pn 34.235.160.152

Edit: This is a public IP address, and I would think you would want to connect to an internal IP address. Probably through a VPN, possibly through a bastion (which would mean either configuring PowerShell over SSH instead of WinRM, or configuring a SOCKS5 proxy).


Have you allowed the ports in AWS (security groups)? Find the instance that is a member of one of those groups and allow the WinRM https port.

You should also limit the IPs of the machines that you allow to talk to WinRM, e.g. only your Ubuntu machine.
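A fuller version of the HTTPS setup discussed in this thread, added here as an example rather than any poster's code: it ties together the self-signed certificate, an HTTPS listener bound to it, and a host firewall rule limited to the controller's address, which is the "only your Ubuntu machine" restriction from the last reply. It assumes it is run as Administrator on the Windows host, and $ControllerIp is a placeholder for the controller's private IP.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the Windows host.
$ControllerIp = '10.0.0.10'   # placeholder: private IP of the Ubuntu/Ansible controller

# 1. Self-signed certificate whose CN/SAN match the host's FQDN (same idea as the reply above).
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = New-SelfSignedCertificate -DnsName $fqdn -Subject "CN=$fqdn" `
    -CertStoreLocation Cert:\LocalMachine\My

# 2. Replace any stale HTTPS listener with one bound to the new certificate's thumbprint.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 3. Make sure the WinRM service is running and starts with the machine.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# 4. Host firewall: allow 5986 only from the controller; 5985 (http) stays closed.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (Ansible controller only)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $ControllerIp -Action Allow | Out-Null

# 5. Turn off Basic auth so the inventory has to use ntlm (or kerberos), as the thread recommends.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false

# 6. Verify: the listener should show Transport=HTTPS and the port should answer locally.
Get-ChildItem WSMan:\localhost\Listener
Test-NetConnection -ComputerName localhost -Port 5986 -InformationLevel Quiet
```

The AWS security group still has to allow TCP 5986 from the controller's address separately; this script only configures the host itself. With the self-signed certificate, the inventory keeps ansible_winrm_server_cert_validation=ignore, as in the first post.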