I’m running into an issue connecting from an Ubuntu 16.04 system to a Windows 2012 Server on a domain:
afisher@ubuntu:~/Projects/build-utils/ansible-playbooks$ ansible windows -i inventory.yml -m win_ping -vvvv
Using /etc/ansible/ansible.cfg as config file
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/init.pyc
[WARNING]: ansible_winrm_cert_validation unsupported by pywinrm (is an up-to-date version of pywinrm installed?)
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/core/windows/win_ping.ps1
<edprjenslave03.DOMAIN.COM> ESTABLISH WINRM CONNECTION FOR USER: afisher@DOMAIN.COM on PORT 5985 TO edprjenslave03.DOMAIN.COM edprjenslave03.DOMAIN.COM | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
At first it was just refusing without the kerberos part of the error. Realized I didn’t have Kerberos installed. Remedied that:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: afisher@DOMAIN.COM
Valid starting Expires Service principal
05/02/2017 09:23:47 05/02/2017 19:23:47 krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 05/03/2017 09:23:41
05/02/2017 09:49:54 05/02/2017 19:23:47 HTTP/edprjenslave03.domain.com@
renew until 05/03/2017 09:23:41
05/02/2017 09:49:54 05/02/2017 19:23:47 HTTP/edprjenslave03.domain.com@DOMAIN.COM
renew until 05/03/2017 09:23:41
Tried adding the user to the local administrators, no dice.
Confirmed that I indeed do have the latest version of pywinrm installed:
afisher@ubuntu:~/Projects/build-utils/ansible-playbooks$ sudo -H pip install --upgrade pywinrm
Requirement already up-to-date: pywinrm in /usr/local/lib/python2.7/dist-packages
Requirement already up-to-date: xmltodict in /usr/local/lib/python2.7/dist-packages (from pywinrm)
Requirement already up-to-date: requests-ntlm>=0.3.0 in /usr/local/lib/python2.7/dist-packages (from pywinrm)
Requirement already up-to-date: six in /usr/lib/python2.7/dist-packages (from pywinrm)
Requirement already up-to-date: requests>=2.9.1 in /usr/local/lib/python2.7/dist-packages (from pywinrm)
Requirement already up-to-date: ntlm-auth>=1.0.2 in /usr/local/lib/python2.7/dist-packages (from requests-ntlm>=0.3.0->pywinrm)
WinRM is an annoying mechanism with very unhelpful error messages, so there could potentially be a few things causing your issue.
The first thing is that pywinrm doesn't play nice with HTTP endpoints unless you disable the majority of the security configurations like AllowUnencrypted=true, so try and set up an HTTPS endpoint and use that. The script here https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 will set one up for you with a self-signed certificate, which is good to use for testing.
There are some particular WinRM auth settings that are not fully supported as well currently, like CbtHardeningLevel set to Strict with Kerberos. If you run "winrm get winrm/config/service/auth" you can see what level it is currently set at. You can also see if Kerberos auth is actually enabled. If your workplace mandates this needs to be set to Strict for security purposes, your only options would be to use NTLM or CredSSP, which currently support CBT.
Have a go with these two things and let us know if you still have any issues.
I'd suggest switching to port 5986, which is the HTTPS WinRM listener port, too. If you have run the ConfigureRemotingForAnsible script successfully, that should work.
Also, use Ansible 2.3 as it has built-in support for acquiring Kerberos (Active Directory) tickets. You still need to configure your krb5.conf and install the Kerberos libs as listed in the Windows setup documentation, of course.
I switched to the local administrator account. I also re-ran the ConfigureRemotingForAnsible script. Now I get the dreaded "the specified credentials were rejected by the server" error.
PS C:\Users\afisher\Documents> C:\Users\afisher\Documents\ConfigureRemotingForAnsible.ps1 -Verbose
VERBOSE: Verifying WinRM service.
VERBOSE: PS Remoting is already enabled.
VERBOSE: SSL listener is already active.
VERBOSE: Basic auth is already enabled.
VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
VERBOSE: HTTP: Enabled | HTTPS: Enabled
VERBOSE: PS Remoting has been successfully configured for Ansible.
I would only allow unencrypted messages for testing and debugging purposes and never in any production capacity due to the security risk when running over HTTP. Useful in this case to see if the HTTP endpoint works but should be turned back off eventually.
Some other things to try:
- use a real PowerShell host and connect with those credentials; this will verify whether the account is valid and has enough permissions
- use pywinrm directly and manually get a Kerberos ticket using kinit; this will show whether Ansible is getting the tickets correctly
- try using NTLM as a test instead; this will show whether the problem is somewhere in the Kerberos auth
- scan the Windows Security event logs and try to find the reason it is rejecting each request
Just got done configuring some Windows hosts with Ansible Tower.
Use port 5986, because AllowUnencrypted=False will prevent 5985 from working (for good reason!) with Kerberos.
Use a certificate on 5986; I noticed your CertThumbprint is missing.
Ensure the 5986 firewall port is open.
Test connecting via PowerShell (Invoke-Command -ComputerName blah -Credential username -Authentication Kerberos -UseSSL -Port 5986 { echo 'Hello World' }).
You can run the ConfigureRemotingForAnsible.ps1 script to do this all for you and test the connection. I actually made some PRs to it this week to enhance it.
Since your machine is domain-joined, I recommend using the machine certificate that gets provisioned (not required). My PR contribution adds this to the ansible remoting script, but you can modify the existing script to do it.
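The Windows-side checks suggested across this thread (Kerberos enabled and CbtHardeningLevel in winrm/config/service/auth, AllowUnencrypted, an HTTPS listener on 5986 with a certificate thumbprint, the firewall rule, the Invoke-Command Kerberos test and the Security event log) collected into one diagnostic script. This is example code added here, not from the thread or from ConfigureRemotingForAnsible.ps1; it assumes an elevated PowerShell session on the Windows host with the NetSecurity cmdlets (Server 2012+), and that $ComputerName is the FQDN Ansible connects to, since the Kerberos SPN HTTP/<fqdn> must match it.

```powershell
# Added example: WinRM readiness check for Ansible, run elevated on the Windows host.
param(
    # Assumed: the FQDN Ansible uses; the Kerberos SPN HTTP/<fqdn> must match this name.
    [string]$ComputerName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$Port = 5986
)

# 1. Service auth: Kerberos must be enabled; CbtHardeningLevel=Strict is not supported by pywinrm's Kerberos transport.
$auth = Get-ChildItem WSMan:\localhost\Service\Auth
$kerb = ($auth | Where-Object Name -eq 'Kerberos').Value
$cbt  = ($auth | Where-Object Name -eq 'CbtHardeningLevel').Value
Write-Host "Kerberos auth enabled : $kerb"
Write-Host "CbtHardeningLevel     : $cbt"
if ($kerb -ne 'true')  { Write-Warning 'Kerberos auth is disabled on the WinRM service' }
if ($cbt -eq 'Strict') { Write-Warning 'CbtHardeningLevel=Strict: Kerberos via pywinrm will fail; NTLM or CredSSP support CBT' }

# 2. AllowUnencrypted must stay false; that is why Kerberos over the HTTP listener on 5985 is refused.
$unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
Write-Host "AllowUnencrypted      : $unenc (keep false outside of short debugging sessions)"

# 3. An HTTPS listener must exist and carry a certificate thumbprint.
$https = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
         Where-Object { $_.Transport -eq 'HTTPS' }
if (-not $https) {
    Write-Warning 'No HTTPS listener; run ConfigureRemotingForAnsible.ps1'
} elseif ([string]::IsNullOrWhiteSpace($https.CertificateThumbprint)) {
    Write-Warning "HTTPS listener on port $($https.Port) has no CertificateThumbprint"
} else {
    Write-Host "HTTPS listener        : port $($https.Port), cert $($https.CertificateThumbprint)"
}

# 4. An enabled inbound firewall rule for the HTTPS port.
$rule = Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($rule) { Write-Host "Firewall              : inbound TCP $Port allowed by '$($rule[0].DisplayName)'" }
else       { Write-Warning "No enabled inbound firewall rule for TCP $Port" }

# 5. End-to-end Kerberos test over HTTPS with the current logon (self-signed cert, so skip CA/CN checks).
$opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
try {
    $out = Invoke-Command -ComputerName $ComputerName -UseSSL -Port $Port -Authentication Kerberos `
                          -SessionOption $opt -ScriptBlock { 'Hello World' } -ErrorAction Stop
    Write-Host "Kerberos over HTTPS   : OK ($out)"
} catch {
    Write-Warning "Kerberos over HTTPS failed: $($_.Exception.Message)"
    # 6. Correlate with logon failures (event 4625) from the last hour to see the real rejection reason.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
        Select-Object -First 5 TimeCreated, Message | Format-List
}
```

Run it as .\Check-AnsibleWinRM.ps1 -ComputerName host.domain.com; every Write-Warning line corresponds to one of the fixes proposed in this thread.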