PowerShell remoting (WinRM trust) not working with Active Directory Kerberos Authentication

Hi All,

We are using Ansible Version: 2.4.2.0.

PowerShell remoting (WinRM trust) is not working when using Active Directory even after establishing:

Successful Kerberos Authentication:

```
Default principal: automation@ITRNETWORK.COM

Valid starting       Expires              Service principal
02/26/2018 09:23:25  02/26/2018 19:23:25  krbtgt/ITRNETWORK.COM@ITRNETWORK.COM
        renew until 03/05/2018 09:23:19
[root@calam1 group_vars]#
```

Following are test results:

```
[root@calam1 group_vars]# ansible windows-jump-servers -m win_ping
pcijmp1.itrnetwork.com | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
```

Contents of file /etc/ansible/group_vars/windows-jump-servers.yml:

```
ansible_user: automation
ansible_password: <my_password>
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: ignore
```

It works OK with a local user on the same domain-joined Windows server.

Can someone help to verify the cause and advise how to resolve this?

Thank you,
Dinesh Vashisht

Try using

```
ansible_user: automation@ITRNETWORK.COM
```

as the user name. Without this, ansible will expect ‘automation’ to be a local user, not a domain user.

Also, if you are wanting to control remote resources (file shares on other machines) via ansible and a windows jump host, it's worth setting

```
ansible_winrm_kerberos_delegation: yes
```

… as well.

If you are just getting started with ansible and windows, this page is well worth reading: http://docs.ansible.com/ansible/devel/user_guide/windows_usage.html

Hope this helps,

Jon
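The check behind the reply above, as an added example that is not part of the thread or of Ansible itself: it compares `ansible_user` in a WinRM group_vars file with the principal reported by `klist`, and also notes that `ansible_winrm_server_cert_validation: ignore` turns off validation of the server certificate. The function names are hypothetical, the sample inputs are constructed from values shown in the thread, and the parser assumes flat `key: value` lines only.

```python
import re

# Constructed sample inputs built from values shown in the thread.
KLIST = """\
Default principal: automation@ITRNETWORK.COM
Valid starting       Expires              Service principal
02/26/2018 09:23:25  02/26/2018 19:23:25  krbtgt/ITRNETWORK.COM@ITRNETWORK.COM
"""
GROUP_VARS_BEFORE = """\
ansible_user: automation
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: ignore
"""
GROUP_VARS_AFTER = GROUP_VARS_BEFORE.replace("automation\n", "automation@ITRNETWORK.COM\n")

def parse_flat_vars(text):
    """Parse flat 'key: value' lines; enough for this file, not full YAML."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip().strip("'\"")
    return out

def ticket_principal(klist_text):
    """Return the 'Default principal' from klist output, or None."""
    m = re.search(r"^Default principal:\s*(\S+)", klist_text, re.M)
    return m.group(1) if m else None

def check_winrm_vars(vars_text, klist_text):
    """Return a list of findings for a WinRM group_vars file."""
    v = parse_flat_vars(vars_text)
    user = v.get("ansible_user", "")
    principal = ticket_principal(klist_text)
    findings = []
    if "@" not in user:
        # Per the reply above: a bare name is taken to be a local user.
        findings.append("ansible_user has no @REALM: treated as a local account")
    elif principal and user != principal:
        findings.append("ansible_user differs from ticket principal " + principal)
    if v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("server certificate is not validated")
    return findings

if __name__ == "__main__":
    print(check_winrm_vars(GROUP_VARS_BEFORE, KLIST), check_winrm_vars(GROUP_VARS_AFTER, KLIST))
```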

Thank you Jon,

Your advice worked:

```
pcijmp1.itrnetwork.com | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
```

Regards,
Dinesh Vashisht