The majority of Windows hosts are working correctly. However, I have a couple that are giving me an error “FAILED => the username/password specified for this server was incorrect”. The account I’m using to connect is part of the local administrators group. I have run the pre-script on these hosts and the WinRM settings appear to be correct. I checked DNS; there is only one A and PTR record, and both are correct.
If I try connecting with PowerShell I see this error:
```
new-pssession : [] Connecting to remote server failed with the following error
message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos
authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS
transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ new-pssession -computername -sessionoption (new-pssession …
+
+ CategoryInfo : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransport
Exception
+ FullyQualifiedErrorId : -2144108387,PSSessionOpenFailed
```
Investigating SPN, I see extra entries for http, probably from IIS needing Kerberos? Doing some searching online, I see people added extra SPN entries for port 5985 and 5986. Then, when connecting using PowerShell, they used the `-IncludePortInSPN` PSSessionOption. This allowed me to connect using PowerShell. However, I’m still not able to connect from Ansible. What would be the equivalent fix for Ansible?