Dears,
Does anyone have a recommended document or link for configuring Ansible on Win 2016 with a self-signed cert?
Tharindu
I'm not sure what you mean by "client host" in the subject of the message.
If you mean you want to use Windows as the control machine, then it's
easy, that is not supported:
https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#control-machine-requirements
If you plan to manage Windows systems, then this is possible:
https://docs.ansible.com/ansible/latest/user_guide/windows.html
Dick
Hi Dick,
Really, I need to configure a Windows 2016 machine as an Ansible client. I want to configure my CentOS machine, which has Ansible installed, to communicate with the Win 2016 server. I have seen there are several ways to configure it. I prefer to do it via CredSSP. Do you have any documentation guide?
Tharindu
As I said there is no such thing as an "ansible client", this is
called the "control machine".
But, from the parts that I do understand of your message, you want to
manage Windows systems - in which case the same links are still valid.
Dick
Hi Dick,
Yes, you are correct. But I failed to configure WinRM on the Windows 2016 server. The given links are a little bit confusing to me. Can you provide a step-by-step document if you have one?
Tharindu
I just finished going through this and the documentation is pretty good. Definitely read through the links Dick sent.
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html
I recommend reading the script; it's from the Ansible site. This will get you a base setup for a lab to get you started. Long term you will need to do a little more. One thing about CredSSP, if you are using it: even with a certificate, only the traffic is covered by the SSL; the UserName and Password are sent as clear text. In the Security event log of your Windows Client you will see event ID 4624 with LogonTypeName set to 8 - NetworkClearText.
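# Download the WinRM setup script from the Ansible repository to the temp directory
$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
# Clear the downloaded-from-internet mark so the script is allowed to run
Unblock-File $env:Temp\ConfigureRemotingForAnsible.ps1
cd $env:temp
# Enable CredSSP, disable Basic auth, and create a certificate with subject "ansible" valid for two years
.\ConfigureRemotingForAnsible.ps1 -Verbose -EnableCredSSP -DisableBasicAuth -SubjectName "ansible" -CertValidityDays $(365 *2) | out-null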
Mike
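The event Mike mentions (ID 4624 with logon type 8) can be checked for on the managed Windows host. The following is an added example, not part of the original thread: the function name Get-CleartextLogon is hypothetical and the two sample events are constructed.

```powershell
# Added example: report 4624 logons with LogonType 8 (NetworkCleartext).
function Get-CleartextLogon {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        # Flatten <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $id = $doc.Event.System['EventID'].InnerText
        if ($id -eq '4624' -and $data['LogonType'] -eq '8') {
            [pscustomobject]@{
                Time     = $doc.Event.System.TimeCreated.SystemTime
                Computer = $doc.Event.System.Computer
                User     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Source   = $data['IpAddress']
                Package  = $data['AuthenticationPackageName']
            }
        }
    }
}

# Constructed sample events (not real log data): one type 8, one type 3.
$sample = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2019-01-01T10:00:00Z"/>
  <Computer>win2016.example.test</Computer></System>
 <EventData><Data Name="TargetUserName">ansible</Data>
  <Data Name="TargetDomainName">WIN2016</Data><Data Name="LogonType">8</Data>
  <Data Name="AuthenticationPackageName">Negotiate</Data>
  <Data Name="IpAddress">192.0.2.10</Data></EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2019-01-01T10:05:00Z"/>
  <Computer>win2016.example.test</Computer></System>
 <EventData><Data Name="TargetUserName">backup</Data>
  <Data Name="TargetDomainName">WIN2016</Data><Data Name="LogonType">3</Data>
  <Data Name="AuthenticationPackageName">NTLM</Data>
  <Data Name="IpAddress">192.0.2.20</Data></EventData>
</Event>
'@
)
$sample | Get-CleartextLogon | Format-Table -AutoSize   # only the type 8 event is listed

# Against the live Security log (elevated session):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
#     ForEach-Object { $_.ToXml() } | Get-CleartextLogon
```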
> Even with a certificate only the traffic is covered by the ssl the UserName and Password are sent as clear text
Just thought I should clarify this a bit more: what “clear text” means in this scenario is that the username and password are sent as they are and not as a hash you typically see with NTLM or Kerberos authentication. The actual data is doubly encrypted/wrapped during the authentication process with:
1. The wrap method of the underlying auth used, either NTLM (RC4) or Kerberos (AES256), then
2. TLS encrypted based on the session setup in CredSSP auth
So yes it is inherently more insecure compared to Kerberos, and to an extent NTLM, as the credentials are sent as is but the value is still protected through 2 layers of encryption meaning someone sniffing the network packets won’t be able to see it.
Thanks
Jordan