Looks like you are on the right track where you can get a valid Kerberos ticket using kinit but your Ansible config needs a few more settings so it runs through Kerberos. Looking at the error message it is still trying to authenticate using Basic auth “plaintext” and not Kerberos. Also ansible_ssh_user has been deprecated in favour of ansible_user which is probably why it doesn’t detect to use Kerberos.
Try setting the following vars in your inventory
ansible_user=ans...@UAT.INTRA.COM
ansible_password=password here
ansible_port=5985
ansible_connection=winrm
ansible_winrm_transport=kerberos
3 things to say though when looking at your settings:
- If you upgrade to Ansible 2.3 you don’t have to manually get a ticket beforehand using kinit, Ansible will do this for you which is a massive plus around automating this all
- You can also use NTLM and CredSSP auth with domain accounts but Kerberos is definitely the most secure out of the 3
- You should be using HTTPS instead of HTTP as your messages and headers are in plaintext with HTTP which is a big no no in security.
The ConfigureRemotingForAnsible.ps1 script will set up a HTTPS listener with a self-signed cert for testing. You should use a proper cert if running this in production; my workplace's environment uses ADCS to set up a host certificate on each Windows box, making it quite easy for us.
Thanks
Jordan
Also, I think the EPEL packages for python kerberos and/or pywinrm may be horribly outdated (you’d think that working for Red Hat, I’d know who to bug about that, but alas…). That’s the likely cause of the error messages you’re seeing. Install via pip (as specified by the docs) to ensure you’ve got the latest.
Thank you so much Jordan and Matt. Issue has been resolved now. I really appreciate your help on this, I was struggling to fix this for a long time…!! Happy weekend…!
I just followed both of your steps to fix the issue:-
Changed the hosts file as below:-
ansible_user=ansible@UAT.INTRA.COM
ansible_password=password
ansible_port=5986
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation = ignore
After that, updated pywinrm[kerberos]:-
[root@liuatasans01 windows]# pip install pywinrm[kerberos]
Requirement already satisfied: pywinrm[kerberos] in /usr/lib/python2.7/site-packages
Requirement already satisfied: xmltodict in /usr/lib/python2.7/site-packages (from pywinrm[kerberos])
Requirement already satisfied: requests>=2.9.1 in /usr/lib/python2.7/site-packages (from pywinrm[kerberos])
Requirement already satisfied: requests_ntlm>=0.3.0 in /usr/lib/python2.7/site-packages (from pywinrm[kerberos])
Requirement already satisfied: six in /usr/lib/python2.7/site-packages (from pywinrm[kerberos])
Collecting requests-kerberos>=0.10.0 (from pywinrm[kerberos])
Downloading requests_kerberos-0.11.0-py2.py3-none-any.whl
Requirement already satisfied: python-ntlm3 in /usr/lib/python2.7/site-packages (from requests_ntlm>=0.3.0->pywinrm[kerberos])
Requirement already satisfied: pykerberos<2.0.0,>=1.1.8; sys_platform != "win32" in /usr/lib64/python2.7/site-packages (from requests-kerberos>=0.10.0->pywinrm[kerberos])
Installing collected packages: requests-kerberos
Found existing installation: requests-kerberos 0.7.0
Uninstalling requests-kerberos-0.7.0:
Successfully uninstalled requests-kerberos-0.7.0
Successfully installed requests-kerberos-0.11.0
Thanks
Siva Subramaniyan
This helped me as well, thanks
Nice to hear…!! Have a good one…!
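An added example, not part of any post in this thread: a small Python lint for the inventory settings raised above (deprecated `ansible_ssh_user`, a transport that is not pinned to Kerberos, the HTTP port, and disabled certificate validation). It assumes one `key=value` var per line; `parse_vars`, `lint_winrm`, `BEFORE` and `AFTER` are hypothetical names, and `BEFORE` is a constructed sample.

```python
# Added example (not from the thread); assumes one key=value var per line.
WEAK_TRANSPORTS = {"basic", "plaintext"}

def parse_vars(text):
    """Collect ansible_* vars; spaces around '=' are tolerated."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("ansible_"):
            found[key.strip()] = value.strip()
    return found

def lint_winrm(text):
    """Return (var, finding) pairs for the settings raised in the replies."""
    v = parse_vars(text)
    findings = []
    if "ansible_ssh_user" in v:
        findings.append(("ansible_ssh_user", "deprecated, use ansible_user"))
    transports = {t.strip().lower() for t in
                  v.get("ansible_winrm_transport", "").split(",") if t.strip()}
    if not transports:
        # Assumption: flag an unset transport so Kerberos is pinned explicitly.
        findings.append(("ansible_winrm_transport", "not set, pin to kerberos"))
    elif transports & WEAK_TRANSPORTS:
        findings.append(("ansible_winrm_transport", "allows basic/plaintext auth"))
    if v.get("ansible_port") == "5985" or v.get("ansible_winrm_scheme", "").lower() == "http":
        findings.append(("ansible_port", "HTTP listener, use HTTPS on 5986"))
    if v.get("ansible_winrm_server_cert_validation", "").lower() == "ignore":
        findings.append(("ansible_winrm_server_cert_validation",
                         "server cert not verified, test use only"))
    return findings

# Constructed sample: the kind of config the first reply diagnoses.
BEFORE = """ansible_ssh_user=ansible@UAT.INTRA.COM
ansible_port=5985
ansible_connection=winrm
"""
# The vars posted as the working fix later in the thread.
AFTER = """ansible_user=ansible@UAT.INTRA.COM
ansible_password=password
ansible_port=5986
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation = ignore
"""
if __name__ == "__main__":
    for name, inv in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        for var, msg in lint_winrm(inv):
            print(f"{name}: {var}: {msg}")
```

The remaining finding on the working config clears once the listener has a CA-issued certificate and `ansible_winrm_server_cert_validation` is set to `validate`.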