Issues with Kerberos Credential Delegation

Get Help
,
1

Folks

I’ve started getting issues with Kerberos credential delegation

I’m doing something like this

- name: "Copy File From Network Share"
  ansible.windows.win_copy:
    src: \\path\to\file.txt
    dest: C:\Temp\Test\
    remote_src: True
  become: True
  become_method: runas
  become_flags: logon_type=new_credentials logon_flags=netcredentials_only
  vars:
    ansible_become_user:  "{{ ansible_user_id }}"

and then I am running this with
ansible -i inventories/my_inventory.ini target_host copy_test.yml -u ansible_user_name -k -K

and get an error indicating that the file does not exist. I have verified that the files do exist, and that the user has permissions to them.

I’ve been working through both the double hop and winrm setup guides, specifically around kerberos and delegation.

Additionally, this “used to work” (as reported by the playbook authors).

The only thing I’ve found that might be relevant is cve-2025-26647 indicating a change in kerberos from Microsoft. My initial read of the provided documentation doesn’t seem like it would specifically impact this authentication flow, but the timing is too suspicious to ignore.

Has anyone see similar issues since that patch was deployed? Does anyone know of any work arounds (either in ansible directly, or domain changes)

Thanks.

2

The only thing I’ve found that might be relevant is cve-2025-26647 indicating a change in kerberos from Microsoft

That CVE is for Kerberos certificates and not something relevent to your playbook. Also just to be clear the become work used in Ansible is not related to Kerberos delegation, it is something done outside of the authentication mechanism that Kerberos sits at.

One thing I highly recommend you do is try it out with a hardcoded ansible_become_user and ansible_become_pass variable. That way you can complete rule out whether an incorrect variable or some other reference not passing through properly.

- name: "Copy File From Network Share"
  ansible.windows.win_copy:
    src: \\path\to\file.txt
    dest: C:\Temp\Test\
    remote_src: True
  become: True
  become_method: runas
  become_flags: logon_type=new_credentials logon_flags=netcredentials_only
  vars:
    ansible_become_user: hard code username
    ansible_become_pass: hard code password

This is just for a test to run with and verify whether become is working or not. I wouldn’t recommend using this method in a real environment.

If you were wanting to try out Kerberos delegation without become then using klist.exe on the remote side is your friend. It’ll show the Kerberos TGT information for the current session. Kerberos Authentication — Ansible Community Documentation goes into a lot more detail around Kerberos delegation and how to debug things there.

3

That was my reading too. But the timing makes me suspicious.

I’ll give this a try just to confirm, thanks.

4

This turned out to be an issue with the system providing the share not having the correct SPNs associated with it.

So when trying to do the second hop authentication, it was trying to auth to a machine “didn’t exist”.

Thanks to @jborean for the insights and helping me eliminate other possible causes.

5

Ah thanks for sharing what happened. That’s a good point to put on the docs and come up with a nice way to test it out. Kerberos delegation can only work if the outbound auth also uses Kerberos so if there is anything that would stop that (IPs, mismatched SPN, etc) then it won’t work. I’ll look at updating the docs with this sometime soon.