Not able to ping windows machine through Ansible (winrm using credential option as CredSSP is being used)

Hi,
I am running Ansible 2.3.1.0 on CentOS 7. The host (Windows) machine is Windows 8 with PowerShell.
I have installed pywinrm[credssp] (the CredSSP authentication method is being used) on CentOS and included the Windows hostnames in the inventory file.

Below are the settings in group variables file:

ansible_user=Administrator
ansible_password=password
ansible_port:=5985
ansible_connection=winrm
ansible_winrm_scheme: http
ansible_winrm_server_cert_validation=ignore

Now, the Windows machine is pinging from CentOS (the ping command is returning a response). But ping to the Windows machine is not successful through Ansible:

ansible windows -m win_ping -v

window | FAILED! => {
"failed": true,
"msg": "winrm send_input failed"
}

I have also run the powershell script on the windows machine and it worked fine, winrm service is also running.

powershell.exe -File ConfigureRemotingForAnsible.ps1 -verbose

VERBOSE: Verifying WinRM service.

VERBOSE: PS Remoting is already enabled.
VERBOSE: SSL listener is already active.
VERBOSE: Basic auth is already enabled.
VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
VERBOSE: HTTP: Enabled | HTTPS: Enabled
VERBOSE: PS Remoting has been successfully configured for Ansible.

Any ideas what I am doing wrong?

I think you should run powershell script on your windows machine with -EnableCredSSP option like below.

powershell.exe -File ConfigureRemotingForAnsible.ps1 -EnableCredSSP

If you have already done this, it is helpful to run the ansible module with the -vvvvv option.

ansible windows -m win_ping -vvvvv

You can see the following statement on the command line if CredSSP authentication mode is properly configured.

WINRM CONNECT: transport=credssp endpoint=https://:/wsman

As a reference, below are my settings in the group variable file:

ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: credssp

It is noted that I’m also using the same ansible version 2.3.1.0 on CentOS 7.

Also enable credSSP authorization in winrm on the host:
winrm get winrm/config (to see the settings)
winrm set winrm/config/client/auth @{CredSSP="True"}
or Set-Item -Path WSMan:\localhost\Service\Auth\CredSSP -Value $true

I would also check to make sure nothing else is using the default SSH listener (port 5986). I don’t think you want to use unsecure 5985, so you should set the ansible vars to 5986 and https. If that still doesn’t work, maybe try adding ansible_winrm_transport: CredSSP after ansible_connection=winrm.

Thanks for the reply,
I applied all these things but am not able to solve my problem.

Please look into the logs also and provide the possible solution:

2017-08-04 10:19:54,570 urllib3.connectionpool Starting new HTTPS connection (1): X.X.X.X
2017-08-04 10:19:54,598 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 401 0
2017-08-04 10:19:54,599 urllib3.connectionpool Resetting dropped connection: X.X.X.X
2017-08-04 10:19:54,612 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 401 0
2017-08-04 10:19:54,614 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 401 0
2017-08-04 10:19:54,616 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 401 0
2017-08-04 10:19:54,619 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 401 0
2017-08-04 10:19:54,642 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 200 1632
2017-08-04 10:19:54,648 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 200 847
2017-08-04 10:19:54,653 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 500 1267

2017-08-04 10:19:54,655 p=8231 u=root | [WARNING]: FATAL ERROR DURING FILE TRANSFER: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 267, in _winrm_exec
    self._winrm_send_input(self.protocol, self.shell_id, command_id, data, eof=is_last)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 248, in _winrm_send_input
    protocol.send_message(xmltodict.unparse(rq))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 202, in send_message
    raise WinRMTransportError('http', error_message)
WinRMTransportError: (u'http', u'Bad HTTP response returned from server. Code 500')

2017-08-04 10:19:54,658 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 200 757
2017-08-04 10:19:54,660 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 200 602
2017-08-04 10:19:54,665 p=8231 u=root | X.X.X.X | FAILED! => {
"failed": true,
"msg": "winrm send_input failed"
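
A way to read the urllib3 lines in the log above, as an added example that is not part of the original thread: it reports which scheme and port the connection really used and whether the failure came before or after the first successful response. The names `parse_requests` and `triage` and the verdict strings are hypothetical, and treating the 401 responses before the first 2xx as authentication challenge rounds is an assumption of this sketch.

```python
import re
from urllib.parse import urlsplit

# One urllib3 request line: URL, quoted request (straight or curly quotes), status.
REQ_RE = re.compile(r'urllib3\.connectionpool (https?://\S+) '
                    r'["\u201c]POST \S+ HTTP/[\d.]+["\u201d] (\d{3}) \d+\s*$')

# Constructed sample: a shortened copy of the log lines quoted in the post.
SAMPLE_LOG = """\
2017-08-04 10:19:54,570 urllib3.connectionpool Starting new HTTPS connection (1): X.X.X.X
2017-08-04 10:19:54,598 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 401 0
2017-08-04 10:19:54,612 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 401 0
2017-08-04 10:19:54,642 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 200 1632
2017-08-04 10:19:54,648 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 200 847
2017-08-04 10:19:54,653 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 500 1267
2017-08-04 10:19:54,658 urllib3.connectionpool https://X.X.X.X:5986 "POST /wsman HTTP/1.1" 200 757
"""

def parse_requests(log):
    """Return [(scheme, port, status)] for every logged WinRM POST."""
    rows = []
    for line in log.splitlines():
        m = REQ_RE.search(line)
        if m:
            url = urlsplit(m.group(1))
            rows.append((url.scheme, url.port, int(m.group(2))))
    return rows

def triage(log):
    """Summarise which endpoint was used and where the exchange failed."""
    rows = parse_requests(log)
    statuses = [status for _, _, status in rows]
    # Assumption: 401s before the first 2xx are authentication challenge rounds.
    first_ok = next((i for i, s in enumerate(statuses) if 200 <= s < 300), None)
    if not statuses:
        verdict = "no-winrm-requests"
    elif first_ok is None:
        verdict = "never-succeeded"          # no 2xx response was ever logged
    elif any(s >= 500 for s in statuses[first_ok:]):
        verdict = "server-error-after-auth"  # a 5xx arrived after a 2xx
    else:
        verdict = "ok"
    return {
        "endpoints": sorted({(scheme, port) for scheme, port, _ in rows}),
        "challenge_rounds": statuses[:first_ok].count(401),
        "verdict": verdict,
    }
```

On the sample, `triage(SAMPLE_LOG)` reports the endpoint `("https", 5986)`, two challenge rounds and the verdict `server-error-after-auth`.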

Seems like it is using https 5986 and you have specified 5985, maybe
because there is a ':' in your variable ansible_port:=5985. Is this a
typo? And make sure the variables are applied to the task/play.
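
A check of the kind this reply points at, as an added example that is not part of the original thread: it lints a block of WinRM connection variables for the stray `:=`, mixed INI/YAML syntax, a port and scheme that disagree, and a transport that is not the intended CredSSP. The function names, the finding codes and the `expected_transport` parameter are hypothetical; the rule that the scheme defaults to http on port 5985 and https otherwise is an assumption about the Ansible winrm plugin.

```python
import re

# Accepts "key=value" (INI), "key: value" (YAML) and the malformed "key:=value".
LINE_RE = re.compile(r"^\s*(ansible_\w+)\s*(:=|:|=)\s*(.*?)\s*$")

# Constructed sample: the group variables exactly as quoted in the first post.
FIRST_POST_VARS = """\
ansible_user=Administrator
ansible_password=password
ansible_port:=5985
ansible_connection=winrm
ansible_winrm_scheme: http
ansible_winrm_server_cert_validation=ignore
"""

def parse_vars(text):
    """Return ({key: value}, {key: separator}) for every ansible_* line."""
    values, seps = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, sep, value = m.groups()
            values[key], seps[key] = value, sep
    return values, seps

def lint_winrm_vars(text, expected_transport="credssp"):
    """Return a list of finding codes for a WinRM connection variable block."""
    values, seps = parse_vars(text)
    findings = []
    if ":=" in seps.values():
        findings.append("bad-separator")         # ':=' is neither INI nor YAML
    if len(set(seps.values()) - {":="}) > 1:
        findings.append("mixed-syntax")          # '=' and ':' in one file
    port = values.get("ansible_port", "")
    # Assumption (Ansible winrm plugin default): http on 5985, https otherwise.
    scheme = values.get("ansible_winrm_scheme") or ("http" if port == "5985" else "https")
    if (scheme == "http") != (port == "5985"):
        findings.append("port-scheme-mismatch")  # differs from the listener defaults
    if scheme == "http":
        findings.append("cleartext-http")
    transport = values.get("ansible_winrm_transport", "").lower()
    if expected_transport not in [t.strip() for t in transport.split(",")]:
        findings.append("transport-not-" + expected_transport)
    if values.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("cert-validation-off")
    if "ansible_password" in values:
        findings.append("plaintext-password")    # secret stored unencrypted
    return findings
```

For the first post's variables, `lint_winrm_vars(FIRST_POST_VARS)` returns `bad-separator`, `mixed-syntax`, `cleartext-http`, `transport-not-credssp`, `cert-validation-off` and `plaintext-password`.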

This seems like it could be an SSL wedging issue I’ve seen from time to time. It is a weird issue where the combination of the OpenSSL version (usually older ones) that Python is compiled to use and the cipher suite selection on the remote server causes the SSL connection to lock up. Depending on the age of the server that Ansible runs on, OpenSSL is probably going to be the issue; I’ve found macOS is notorious for this as they use a pretty ancient version by default. There is a tool called IIS Crypto that can change the SChannel settings on the Windows box; I recommend using it and setting the Best Practices for the Schannel window and Cipher Suites… The tool can be found here https://www.nartac.com/Products/IISCrypto but I’m not sure if it works for the desktop Windows OSs.

One thing you can do to rule out the SSL wedging issue is to run Ansible over HTTP (just for testing). To do this go onto your Windows box and run

winrm set winrm/config/service @{AllowUnencrypted="true"}

Now in your host vars, set

ansible_port=5985

Run your playbook and you should see that your playbook will be running over http://X.X.X.X:5985/wsman and hopefully it works.

After your test make sure you re-enable the WinRM encryption check with

winrm set winrm/config/service @{AllowUnencrypted="false"}

If this fixed the issue for you, bad news: your SSL settings are causing some incompatibilities, but you have 3 options available to continue forward

  1. Use HTTP with message encryption disabled (highly recommended to NOT do this)
  2. Use this (https://github.com/diyan/pywinrm/pull/156) pre-release build of pywinrm which enables message encryption with NTLM and CredSSP so you can run over HTTP and still have message encryption (this should be released soon but it technically hasn’t been released yet)
  3. Download the latest version of OpenSSL and compile your Python install to use this instead of the system default. Also play around with the cipher suite selection on the Windows box using the IIS Crypto tool

If it didn’t fix it, not sure what the issue would be but knowing as much about your environment such as how the computer was installed and other settings might help us narrow it down.

Some previous issues where this has been seen before

https://github.com/ansible/ansible/issues/18468
https://github.com/ansible/ansible/issues/16266

https://groups.google.com/forum/#!msg/ansible-project/6KeQNkfP0pI/O-hu6W0YBAAJ

Sorry, my mistake: ansible_port:=5985 was just a typing mistake.
And I changed port 5985 to 5986, that is why it is 5986.

Do you need CredSSP? I would try NTLM if not. Maybe run NETSTAT to see if it shows 5986 open and listening, if you haven’t already. You can also run winrm enumerate winrm/config/listener on the host to see if a hostname is assigned. When did you install pywinrm? If it’s been a while, you might want to install the newest version.