Hi, I got a really awkward problem with Ansible (devel).
I have multiple servers and all works fine with WinRM and Kerberos on the Ansible side until I install/configure the following Windows roles on the hosts:
- Active Directory Federation Service
- Web Application Proxy
All servers are based on the same VM template.
Connection over WinRM first with SSL/Basic auth for provisioning, then I switch on the fly to SSL/Kerberos:
Basic ansible_user: username
Kerberos ansible_user: username@domain.tld
I always get requests.exceptions.ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))
What I found out: if I use the FQDN it works both with Basic and Kerberos over SSL on the server with ADFS/WAP installed.
With an IP address it only works on servers without ADFS or WAP installed.
More details and debugging output under
https://gist.github.com/daBONDi/4f9a4f6f5feb49fdcb3f7451b92612e9
Maybe some of you have found the same with an ADFS/WAP server and could help me diagnose it.
Thanks in advance for your time.
David Baumann(daBONDI@Github)
www.davidbaumann.at
My guess would be that something about these Windows server roles causes some kind of reset or restart of some part of the HTTP stack (which WinRM depends on).
I know Kerberos needs DNS to work properly - the hostname is important for Kerberos for reasons I forget, but it needs to be able to go from IP → hostname and hostname → IP in order to work fully.
Is it difficult for you to make use of the hostname in your environment?
There are modules now for configuring DNS resolution (https://docs.ansible.com/ansible/win_dns_client_module.html) and also a module for updating DNS (https://docs.ansible.com/ansible/nsupdate_module.html).
So you might be able to configure things so you can use hostnames from the start.
Hope this helps,
Jon
ADFS/WAP manipulates http.sys, which is the shared process taking care of WinRM, IIS and other HTTP-related calls into the host. I've never tested it but it kinda makes sense that there are issues there.
Yeah, I know that it is based on http.sys.
I also checked the http/https bindings over netsh and compared them between a working and a non-working system. Really no clue why this is happening.
I have now put 3 days of work into debugging that; now I switch to ensuring the DNS records are prefilled prior to the provisioning of the VMs, so the issue doesn't come up…
So it looks like no one is using ADFS with Ansible :-).
But this is not worth any more time to debug, I think…
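The workflow discussed above (provision over Basic/SSL, make sure the DNS record exists, then re-connect with Kerberos by FQDN rather than IP, using the win_dns_client and nsupdate modules Jon mentioned) as an added example playbook; this is not from the thread or the Ansible project. The IP addresses, the corp.example zone, the TSIG key, the vaulted passwords, the target_hostname inventory variable and the assumption that the DNS server permits key-authenticated dynamic updates are all constructed for the example.

```yaml
# Constructed example: inventory sets ansible_host to the VM's IP and
# target_hostname to its short name (e.g. wap01); nothing here is from the thread.
- name: Provision a fresh VM over Basic/SSL by IP, before ADFS/WAP are installed
  hosts: new_vms
  gather_facts: no
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_transport: basic
    # Template ships a self-signed cert; switch to 'validate' once the CA is trusted
    ansible_winrm_server_cert_validation: ignore
    ansible_user: username
    ansible_password: "{{ vault_local_admin_password }}"
  tasks:
    - name: Point the guest at the AD DNS server so Kerberos can resolve the KDC and itself
      win_dns_client:
        adapter_names: "*"
        ipv4_addresses:
          - 10.0.0.10                      # assumed AD DNS server

    - name: Register the A record before the Kerberos hop (runs on the controller)
      nsupdate:
        server: 10.0.0.10
        zone: corp.example
        record: "{{ target_hostname }}"
        type: A
        value: "{{ ansible_host }}"        # still the IP in this play
        key_name: ansible-key              # placeholder TSIG key accepted by the server
        key_secret: "{{ vault_tsig_secret }}"
        key_algorithm: hmac-sha256
      delegate_to: localhost

- name: Continue with Kerberos over SSL, addressing the host by FQDN instead of IP
  hosts: new_vms
  gather_facts: no
  vars:
    ansible_host: "{{ target_hostname }}.corp.example"   # FQDN builds the HTTP/<fqdn> SPN
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_transport: kerberos
    ansible_user: username@CORP.EXAMPLE   # realm in upper case; kinit done on the controller
  tasks:
    - name: Install the roles that reconfigure http.sys
      win_feature:
        name:
          - ADFS-Federation
          - Web-Application-Proxy
        state: present
```

If the AD zone only allows secure (GSS-TSIG) dynamic updates, the nsupdate task will be refused and the record has to be created by other means before the second play runs.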
Just a heads-up, we have a Windows Working Group where things like this can be discussed with the devs. Either on the #ansible-windows IRC channel, or during one of the weekly meetings.
You can find more information at:
https://github.com/ansible/community/tree/master/group-windows
We definitely can use more Windows experts like you in the WWG, as the interest from the community seems to be growing steadily, as are the open issues and PR numbers.