ansible communication to windows

Hello,

I discovered ansible recently.

I would like to use Ansible for the deployment of software on a fleet running Windows 7 and 10.

I plan to use CredSSP authentication in order to use a local account on the target machines.

On the server hosting ansible, I installed via pip3 the request-credssp packages as well as pywinrm.
On the client computer I run the script https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1

I have made several attempts to configure with more or less success.

I came across an article which signals that credssp poses security risks because the password is sent in the clear over the network.

I am seeking the help of the community in order to successfully configure a secure way to communicate between Windows and ansible clients.

Thanks in advance for the help

CredSSP sends the user account's password across the wire, but it is definitely not in the clear. It is “wrapped”, which means it’s encrypted and the Windows host can decrypt the value. This is unlike other authentication formats, where typically only a hash or shared secret known only to the client and server is exchanged. So in that sense, CredSSP is not as secure as, say, Kerberos, but the advantage is that the remote process can now use those credentials for further authentication and bypass the double hop problem.

Ultimately it’s a trade-off with what you need. If you are in a domain environment you should be using Kerberos. If it’s local accounts then you should be using HTTPS at least, then either NTLM or CredSSP depending on your needs.

Thanks

Jordan
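
An inventory sketch of the advice in the reply above, added here as an example and not part of the original thread. Host names, the account names, the CA bundle path and the vault variable name are placeholders.

```yaml
# Constructed inventory: hosts, users, paths and the vault variable are placeholders.
all:
  children:
    windows_local:                 # workgroup machines using a local account
      hosts:
        win10-example-01:
        win7-example-01:
      vars:
        ansible_connection: winrm
        ansible_port: 5986                     # WinRM HTTPS listener
        ansible_winrm_scheme: https            # TLS around the whole session
        ansible_winrm_transport: credssp       # or ntlm when no second hop is needed
        ansible_winrm_server_cert_validation: validate   # "ignore" skips certificate checks
        ansible_winrm_ca_trust_path: /etc/ansible/certs/example-ca.pem
        ansible_user: deploy_local
        ansible_password: "{{ vault_win_local_password }}"   # keep the secret in Ansible Vault
    windows_domain:                # domain-joined machines
      hosts:
        app01.example.corp:
      vars:
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_scheme: https
        ansible_winrm_transport: kerberos      # no password is sent to the target
        ansible_user: deploy@EXAMPLE.CORP
```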