Ansible Windows Winrm Authentication or permission failure.

Hi,

I’m doing a POC with Ansible and Puppet but currently I can’t even get Ansible to talk to Windows using WinRM. Here is my setup in Vagrant:

Control server
Centos 7.1 with all the right extras installed (pywinrm etc)

group_vars/windows.yml

ansible_user: vagrant
ansible_password: vagrant
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

Windows 2012 R2

  • Powershell winrm is pretty much open in terms of config (basic auth, allow unencrypted)

I’ve tested winrm connections from the ansible server using the following python script:

import winrm

# Plain-HTTP WinRM endpoint on the target, basic auth
s = winrm.Session('http://192.168.33.12:5985/wsman', auth=('user', 'password'))
r = s.run_cmd('ipconfig', ['/all'])
print(r.status_code)
print(r.std_out)
print(r.std_err)

This works successfully and my host Windows desktop can winrm to the target server as well.

But Ansible just will not work, always giving me the following error:

[root@ansible ansible]# ansible windows -m win_ping -vvvvv
Using /ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<192.168.33.12> ESTABLISH WINRM CONNECTION FOR USER: vagrant on PORT 5985 TO 192.168.33.12
<192.168.33.12> WINRM CONNECT: transport=plaintext endpoint=http://192.168.33.12:5985/wsman
<192.168.33.12> EXEC /bin/sh -c ‘PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA1ADMANAA1ADYANQA2ADYALgA0ADgALQA1ADcAMwAyADgANgAxADgAMgA4ADkANAAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=’
<192.168.33.12> WINRM OPEN SHELL: C6B534E7-4F4B-4AEB-B34A-97FE55EB0225
<192.168.33.12> WINRM EXEC ‘PowerShell’ [‘-NoProfile’, ‘-NonInteractive’, ‘-ExecutionPolicy’, ‘Unrestricted’, ‘-EncodedCommand’, ‘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’]
<192.168.33.12> WINRM RESULT u’<Response code 1, out “”, err “#< CLIXML\r\n<Objs Ver”>’
<192.168.33.12> WINRM CLOSE SHELL: C6B534E7-4F4B-4AEB-B34A-97FE55EB0225
192.168.33.12 | UNREACHABLE! => {
“changed”: false,
“msg”: “Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed command was: PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA1ADMANAA1ADYANQA2ADYALgA0ADgALQA1ADcAMwAyADgANgAxADgAMgA4ADkANAAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=, exited with result 1”,
“unreachable”: true
}
[root@ansible ansible]#

I tried modifying the temp path but that didn’t work either.

I’m out of ideas, as everything else works in terms of winrm connections, so if anyone has some suggestions I can try, please let me know. Otherwise it’s going to be Puppet for me, which is a shame as I liked the sound of Ansible, but it seems very difficult to set up for Windows.

Thanks

Dan

Hi Dan,

I ran into a lot of issues when trying to get Ansible to connect to my remote Windows Server 2012 R2 VM. I finally got it working - maybe my solutions will help you.

A couple questions:

  1. Did you set up your Ansible Control Machine following the official documentation to a tee (http://docs.ansible.com/ansible/intro_windows.html)?
  2. Have you run the remote setup PS1 script on the target server (https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1)?

Hi Joe,

Thanks for getting back to me. I did both the items when I set up the control server and Windows client. Upon further investigation, I can successfully execute raw commands, which shows the config is correct; it’s just the win_ping that fails for some reason, so I presume I can’t run modules. I’ll try another module when I get back to work, but if you have any other suggestions please let me know.

Thanks

Dan

Hm, that’s interesting. It doesn’t make sense that raw commands work but not the basic win_ping module. Yes, it does sound like it’s something to do with your module or pywinrm setup.

My main issue for connection was with kerberos, but that’s because the user I’m using to authenticate with is a Domain AD account. I’m assuming your user isn’t, since I see vagrant. In which case, the only other thing I noted in my documentation was that I installed:
apt-get install libffi-dev libssl-dev

DISCLAIMER: I haven’t tested if I absolutely needed those. I tried a lot of different things based on postings I found during my Ansible+Windows setup.

Let me know what you find from running other modules.

-Joe

Someone else has posted something similar as a bug report here - https://github.com/ansible/ansible/issues/14085

Since both you and the bug reporter are experiencing a failure to create a directory in the user’s temp folder, I’m wondering if your users’ temp folder is actually present?

The command that is failing in your case is as follows:

Set-StrictMode -Version Latest
(New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1453456566.48-573286182894").FullName | Write-Host -Separator '';

Can you run the following and see if you get an error message?

gci -Path $env:temp

(interactively and via the ‘raw’ module too, preferably).

Not sure what is going on but hoping this might throw some light on the problem.

Jon
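
Added example, not part of any post in this thread: one way to recover the PowerShell that Ansible actually ran from the -EncodedCommand value in the error message (base64 over UTF-16LE text), which is how the failing New-Item command quoted above can be read out of the log. The names decode_encoded_commands, PAGE_BLOB and SAMPLE_MSG are hypothetical; matching abbreviated switches such as -enc goes beyond what the thread shows.

```python
import base64
import binascii
import re

# Encoded command quoted from the error message in this thread.
PAGE_BLOB = (
    "UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAA"
    "TABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQA"
    "aQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAA"
    "IAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA1ADMA"
    "NAA1ADYANQA2ADYALgA0ADgALQA1ADcAMwAyADgANgAxADgAMgA4ADkANAAiACkA"
    "LgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0A"
    "UwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA="
)
# Tail of the "msg" field from the failed win_ping run in the first post.
SAMPLE_MSG = (
    "Failed command was: PowerShell -NoProfile -NonInteractive "
    "-ExecutionPolicy Unrestricted -EncodedCommand " + PAGE_BLOB
    + ", exited with result 1"
)

# Any "-name value" pair; the name is checked against EncodedCommand below.
_ARG = re.compile(r"-(\w+)\s+([A-Za-z0-9+/]+={0,2})")


def _is_encoded_switch(name):
    # powershell.exe accepts -EncodedCommand, any prefix of it (-enc, -e), and -ec.
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_commands(text):
    """Return each distinct script passed via -EncodedCommand in text, in order."""
    scripts = []
    for name, blob in _ARG.findall(text):
        if not _is_encoded_switch(name):
            continue
        try:
            script = base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # truncated or not base64: skip rather than guess
        if script not in scripts:
            scripts.append(script)
    return scripts


if __name__ == "__main__":
    for script in decode_encoded_commands(SAMPLE_MSG):
        print(script)
```

Pasting the whole -vvvvv output into decode_encoded_commands works as well, since the same command is logged more than once and duplicates are collapsed.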

I ran into this same problem with ansible 2.1.0.0, correctly configured winrm and powershell. The solution was adding the powershell directory to the PATH on the target machine. The ansible error messages have so far never been related to the actual problem, which is kind of impressive.