Ansible connecting to Windows host using pywinrm module over HTTP

Hello,

I have an issue connecting to a Windows host using the Kerberos authentication mechanism with WinRM over the HTTP scheme.

Our Windows host has this set to true: Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true

I get this error message: "msg": "kerberos: the specified credentials were rejected by the server".

But when I set that to false in the Windows host WinRM config (Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false), it works fine.

We don't want it to be unencrypted,

as the session is not being received on the Windows host as encrypted,

and it is rejecting the credentials passed.

This is the config I have in my playbook:

    - hosts: all
      gather_facts: false
      vars:
        ansible_user: username
        ansible_winrm_port: 5985
        ansible_winrm_kinit_mode: managed
        ansible_connection: winrm
        ansible_winrm_realm:
        ansible_winrm_transport: kerberos
        ansible_winrm_kinit_cmd: /usr/share/centrifydc/kerberos/bin/kinit
        ansible_winrm_scheme: http
        ansible_winrm_message_encryption: always
      tasks:
        - win_ping:

Output:

Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<postest19.fastenal.com> ESTABLISH WINRM CONNECTION FOR USER: xyz@DOMAIN.COM on PORT 5985 TO postest19.fastenal.com
fatal: [abc.domain.com]: UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: the specified credentials were rejected by the server",
    "unreachable": true
}

Any help would be appreciated!!

Setting AllowUnencrypted -Value $true means you are allowing plaintext data to be exchanged; you want it to be AllowUnencrypted -Value $false to make sure encryption is used. Are you getting mixed up with the values here?

Thanks for that reply Jordan,

No, I am not confused in respect to that.
However, I want to understand what is the best way possible to encrypt the whole session over the HTTP scheme,
as on the Windows side, if it's not encrypted, it is rejecting the connection with the above error message.
However, I got past that issue by using elevated credentials for the Windows host; now it complains about this error: "msg": "kerberos: Bad HTTP response returned from server. Code 500"

Not sure how it is doing a bad request; could you please enlighten me on this?

Hello Sameer,

The WinRM over HTTPS port is 5986, with a self-signed certificate. If
you change the port in the Ansible settings, you'll have the connection
encrypted, if the server is enabled to accept SSL connections.

Luca
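
As an added example (not part of the thread and not Ansible's own code): a small Python check that classifies how a set of ansible_winrm_* variables protects the session on the wire, following Ansible's documented rule that message encryption over HTTP is available only with the ntlm, kerberos and credssp transports. The function name, the sample dictionaries and the "basic" fallback for an unset transport are assumptions of this example.

```python
# Added example: classify how an Ansible WinRM connection is protected on the wire.
# winrm_wire_protection and the sample dicts are hypothetical names for illustration.

# Transports for which message-level encryption over plain HTTP is supported.
MSG_ENCRYPTION_TRANSPORTS = {"ntlm", "kerberos", "credssp"}


def winrm_wire_protection(hostvars):
    """Return (protection, notes) for a dict of ansible_winrm_* variables."""
    scheme = hostvars.get("ansible_winrm_scheme")
    port = hostvars.get("ansible_winrm_port", hostvars.get("ansible_port", 5986))
    if scheme is None:
        # Ansible uses https by default unless the port is 5985.
        scheme = "http" if port == 5985 else "https"
    # Assumption: an unset transport is treated as basic (simplified default).
    transport = hostvars.get("ansible_winrm_transport", "basic")
    encryption = hostvars.get("ansible_winrm_message_encryption", "auto")
    notes = []

    if scheme == "https":
        if hostvars.get("ansible_winrm_server_cert_validation") == "ignore":
            notes.append("certificate validation disabled; server identity unchecked")
        return "tls", notes

    # Plain HTTP: only message-level encryption can protect the payload.
    if encryption == "never":
        notes.append("needs AllowUnencrypted = $true on the host")
        return "none", notes
    if transport in MSG_ENCRYPTION_TRANSPORTS:
        return "message", notes
    if encryption == "always":
        notes.append(f"transport '{transport}' cannot encrypt messages; setup fails")
        return "error", notes
    notes.append("needs AllowUnencrypted = $true on the host")
    return "none", notes


# Constructed samples: the thread's settings, and an HTTPS variant on port 5986.
THREAD_VARS = {"ansible_winrm_port": 5985, "ansible_winrm_scheme": "http",
               "ansible_winrm_transport": "kerberos",
               "ansible_winrm_message_encryption": "always"}
HTTPS_VARS = {"ansible_winrm_port": 5986, "ansible_winrm_scheme": "https",
              "ansible_winrm_transport": "kerberos",
              "ansible_winrm_server_cert_validation": "ignore"}

if __name__ == "__main__":
    for name, hv in (("thread", THREAD_VARS), ("https", HTTPS_VARS)):
        print(name, winrm_wire_protection(hv))
```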