Domain Authentication

Hi

I am trying to authenticate to a server using domain credentials.

I watched the following video with Matt Davis, https://www.ansible.com/webinars-training/ask-an-expert-ansible-and-windows, and he mentions that with Ansible 2.1 you are now able to use ‘ntlm’ to authenticate with domain credentials.

I am testing this in the console first before applying these settings to Tower, but I am having issues.

I have changed the host file entries to the following:

[win]
uk-ansible-util

[win:vars]
ansible_connection=winrm
ansible_user=wintech.local\sa_Ansible
ansible_password=password
ansible_winrm_transport=ntlm

And then when I try to run the following task: ansible win -i hosts -m raw -a ipconfig

I am getting the following error:

uk-ansible-util | UNREACHABLE! => {
    "changed": false,
    "msg": "ntlm: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)",
    "unreachable": true
}

I have updated pywinrm to the latest version on the Ansible server.

Any ideas what could be causing this, as I can't find anything on the Internet?

Cheers

Mark

Hi Mark,

I’ve not tried the NTLM support yet but I think you might need to set

ansible_winrm_server_cert_validation: ignore

… in your inventory/group_vars.

Otherwise Python will attempt to validate the certificate presented by your Windows VM, which is (very likely) a self-signed one.

Give that a go and see how you get on.

All the best,

Jon

Jon’s correct - disabling server cert validation (or installing a trusted cert on the WinRM listener) will get you past this point. However, even if you get it working from the command line, it won’t work from Tower without a little more hassle, since Tower redirects to a bundled version of pywinrm (0.1.1) that is too old to support ntlm. It can be replaced, but you’d need to contact support on the proper procedure to update Tower’s bundled pywinrm version.

Future builds of Tower are already including the new version, but IIRC there hasn’t been a Tower release since pywinrm 0.2.0 shipped.
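
An added example, not written by anyone in this thread: a small Python check that flags WinRM groups in an INI inventory where server certificate validation is set to ignore or a password is stored in plaintext. The sample inventory is constructed; the second group, its host name and the CA bundle path are placeholders showing the trusted-certificate alternative mentioned in the last reply.

```python
import configparser

# Constructed sample inventory. [win] mirrors the thread's settings with
# validation disabled; [win_trusted] is a hypothetical group that validates the
# listener certificate against an internal CA bundle (placeholder path).
SAMPLE_INVENTORY = r"""
[win]
uk-ansible-util

[win:vars]
ansible_connection=winrm
ansible_user=wintech.local\sa_Ansible
ansible_password=password
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore

[win_trusted]
uk-ansible-util-2

[win_trusted:vars]
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=validate
ansible_winrm_ca_trust_path=/etc/pki/example/internal-ca.pem
"""

def audit_winrm_inventory(text):
    """Return {group: [findings]} for every <group>:vars section using winrm."""
    parser = configparser.ConfigParser(
        allow_no_value=True,   # bare host names have no "=value"
        delimiters=("=",),     # do not split on ":" inside values
        interpolation=None,    # passwords may contain "%"
        strict=False)
    parser.read_string(text)
    report = {}
    for section in parser.sections():
        if not section.endswith(":vars"):
            continue
        v = parser[section]
        if v.get("ansible_connection") != "winrm":
            continue
        findings = []
        if v.get("ansible_winrm_server_cert_validation") == "ignore":
            findings.append("server certificate not validated")
        if "ansible_password" in v:
            findings.append("plaintext ansible_password in inventory")
        report[section[:-len(":vars")]] = findings
    return report

if __name__ == "__main__":
    for group, findings in audit_winrm_inventory(SAMPLE_INVENTORY).items():
        print(group, "->", findings or "ok")
```

The check only reads `<group>:vars` sections of an INI inventory; settings kept in group_vars files or on individual host lines are outside what it inspects.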