NTLM Auth fails for WinRM

So I am running into a very strange issue. Using NTLM I cannot get any successful authentication through Ansible – even with the local admin user, which works over SSL.

I have tried following the steps here to no avail. I tried granting my specific user full access, I tried with a user that should be in the Domain Admins group, nothing. Any suggestions?

Hey

There is a myriad of reasons why this might not work, but here is where I would start. Run the following commands in PowerShell and paste the info here, and we should be able to help a bit more.

```powershell
Write-Host "WinRM Service Settings"
winrm get winrm/config/service

Write-Host "WinRM Listener Info"
winrm enumerate winrm/config/Listener

# Look up the HTTPS listener and the certificate it is bound to
$listener = Get-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet @{ Transport = "HTTPS"; Address = "*" }
if ($listener) {
    $thumbprint = $listener.CertificateThumbprint
    $certificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }

    if ($certificate) {
        Write-Host "Certificate Metadata"
        Write-Host "Signature Algorithm: $($certificate.SignatureAlgorithm.FriendlyName)"
        Write-Host "Valid To: $($certificate.NotAfter.DateTime)"
    } else {
        Write-Host "Unable to find certificate info for thumbprint: $thumbprint"
    }
}
```

Another thing that would be good to know is the version of your pywinrm and its dependencies. Are you able to run the below and tell us the versions of pywinrm, requests-ntlm and ntlm-auth?

```shell
pip list
```

You can also try just connecting to your Windows Server directly with PowerShell to rule out whether it is pywinrm or some host configuration.

Thanks

Jordan

```
winrm get winrm/config/service

Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
```

```
winrm enumerate winrm/config/Listener

Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 129.65.138.91, ::1

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = RM100B2
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = B33FC6258B1CD23BA3191BD0FCBCC27E530432BC
    ListeningOn = 127.0.0.1, 129.65.138.91, ::1
```

```
Write-Host "Signature Algorithm: $($certificate.SignatureAlgorithm.FriendlyName)"
Signature Algorithm: sha1RSA

Write-Host "Valid To: $($certificate.NotAfter.DateTime)"
Valid To: Wednesday, January 03, 2018 4:38:29 AM
```

From `pip list`:

```
requests-ntlm (0.3.0) pywinrm (0.2.2) ntlm-auth (1.0.4)
```

Thanks for the info. From what you have given me, there is a chance that your NTLM level is set to NTLMv2 only and the libraries installed on your Ansible host don't support that. You can verify that by running this in PowerShell:

```powershell
(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name LmCompatibilityLevel).LmCompatibilityLevel
```

If the value returned is 3 or greater, then the server only supports NTLMv2 with NTLM (https://technet.microsoft.com/en-us/library/cc960646.aspx). There was a big update to requests-ntlm (1.0.0) which changed the dependency from python-ntlm3 to ntlm-auth, which supports things like NTLMv2 and other stuff absent from python-ntlm3. If you can update this library and try again, I am hoping it will fix your issue.
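A small triage script written for this thread as an added example (it is not code from either poster): it parses the `winrm get winrm/config/service` text and the `pip list` line pasted above and reports the conditions Jordan's replies check for. It assumes the LmCompatibilityLevel value was read separately with the Get-ItemProperty command and is passed in as an integer.

```python
"""Added triage helper (not code from the thread): parse what `winrm get
winrm/config/service` and `pip list` printed above and flag NTLM blockers."""
import re

# Constructed sample input: the service config and pip versions pasted above.
SERVICE_OUTPUT = """Service
    AllowUnencrypted = false
    Auth
        Basic = true
        Negotiate = true
        CbtHardeningLevel = Relaxed
    CertificateThumbprint
"""
PIP_LIST = "requests-ntlm (0.3.0) pywinrm (0.2.2) ntlm-auth (1.0.4)"


def parse_winrm_config(text):
    """Flatten 'key = value' lines into a dict; section headers and valueless
    keys such as CertificateThumbprint map to an empty string."""
    config = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip():
            config[key.strip()] = value.strip()
    return config


def parse_pip_list(text):
    """Turn 'name (x.y.z)' pairs into {name: (x, y, z)} for version compares."""
    return {name: tuple(int(p) for p in ver.split("."))
            for name, ver in re.findall(r"(\S+) \(([\d.]+)\)", text)}


def triage(config, versions, lm_compat_level):
    """Findings in the order Jordan's replies check them: auth provider,
    transport, then NTLMv2 support on the host versus the client library."""
    findings = []
    if config.get("Negotiate") != "true":
        findings.append("Negotiate auth is disabled, so NTLM is never offered")
    if config.get("Basic") == "true" and config.get("AllowUnencrypted") == "true":
        findings.append("Basic auth over unencrypted HTTP exposes credentials")
    if lm_compat_level >= 3:  # NTLMv2 only, per the TechNet link in the thread
        findings.append(f"LmCompatibilityLevel {lm_compat_level}: host wants NTLMv2")
        # requests-ntlm < 1.0.0 depended on python-ntlm3, which lacks NTLMv2
        ver = versions.get("requests-ntlm")
        if ver is None or ver < (1, 0, 0):
            findings.append("requests-ntlm missing or < 1.0.0: no NTLMv2, upgrade")
    return findings
```

With the thread's own values and a level of 3, the script reports the NTLMv2 requirement and the outdated requests-ntlm 0.3.0, which is exactly the combination Jordan suspects.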