Does the host actually reboot, the error’s indicate win_reboot didn’t start the task so if it did reboot then the win_domain step did it which isn’t good
Can you eventually connect to the host with WinRM (after a few minutes)
What’s the status of the winrm service (‘Get-Service -Name winrm’)
What’s the output of ‘winrm enumerate winrm/config/listener’
For the authentication side, domain controllers are a bit unique when it comes to auth. After promotion, any local accounts become domain accounts so the account should still work properly. CredSSP should be no exception but I’ve never tried it in this situation. Looking at your tasks I don’t see a real need for using CredSSP so it may be more prudent to use another auth over SSL instead.
I assumed since I was working with a Domain Controller I had to use CredSSP or Kerberos, and I have no idea how kerberos works. Is CredSSP not my best choice?
The Host does not reboot
After that failure, RDP doesn’t immediatly respond.
After a few minutes RDP respond but it fails with ‘An Attempt was made to logon, but the network logon service was not started’
Forced a reboot via AWS console
Attempting to RDP again, Creds are accepted, but we hang on ‘Please wait for the Group Policy Client’ for longer than usual.
After that login, Ansible is able to connect again and my playbook runs.
Thanks for the info, yea does sounds like one of the problems mentioned on the ticket, I remember some people saying Netlogon is stopped which will definitely cause some issues. The strangest thing is I have used this module multiple times and have never come across this issue. There’s not much I can do to help right now but I am looking at trying to make this more stable as part of the 2.7 release, I just haven’t gotten to start working on it yet.
For your CredSSP question, it’s probably a bit more of a moot point with Ansible but the reason why MS have a warning around using it is because;
It uses unconstrained delegation, e.g. it will authenticate any downstream services even if you don’t want it to. This may be a security risk in case that downstream service is compromised as now they have your kerb token/ntlm hash
It sends the actual password (encrypted) and not just a hash which is not optimal
Usually our recommendation is;
Use Kerberos if possible, as this only works on domain accounts then it can’t be used in all cases (like promoting a server to an ad controller)
If you can’t use the above, use https (with any other auth) to ensure any headers/http info is encrypted
NTLM is a fallback to Kerberos but really shouldn’t be used without https
CredSSP is a newer protocol (uses NTLM or Kerberos in the spec as well) but because of the points I mentioned above, it may not be ideal for all situations