ssl: the specified credentials were rejected by the server

Hi,

I am trying to connect to a Windows host using the win_ping module. Also enabled Basic and Allowencrypted True on Windows hosts as well. But still I am getting the error "ssl: the specified credentials were rejected by the server", trying with the local user which is under the Administrator Group. And we are able to log in to the Windows host successfully with the same username and password whatever I am giving in the group_vars/windows.yml.

ansible windows -m win_ping

testvm | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}

There are multiple reasons why Windows will reject the credentials from Ansible which could be;

On a side note, you should not be setting Allowunencrypted=true as this opens a big security hole for WinRM and it isn’t required for Ansible.

Thanks

Jordan

I am getting the same issue. I cannot allow unencrypted WinRM as that's set up by GPO.

This is from my Windows client:

PS C:\scripts> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = false [Source="GPO"]
            Digest = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false [Source="GPO"]
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false [Source="GPO"]
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter = * [Source="GPO"]
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

It’s best to move to an agent-based configuration management tool such as SaltStack for Windows if your machines are being managed by GPO which is preventing Ansible from connecting.
Or else configure everything before the machine joins the domain.

Your WinRM service has been set to reject Basic auth. You need to change the auth to something like kerberos (for domain auth) or ntlm using the ansible_winrm_transport var.
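The check described in the reply above can be done mechanically. This is an added example, not part of the original thread and not Ansible's own code: it parses `winrm get winrm/config` output and reports which `ansible_winrm_transport` values the Service side accepts. The sample text is constructed, and the function names and the transport-to-setting mapping are assumptions of the example.

```python
# Constructed sample of `winrm get winrm/config` output, trimmed to the relevant keys.
SAMPLE = """\
Config
    Client
        Auth
            Basic = false [Source="GPO"]
    Service
        Auth
            Basic = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false [Source="GPO"]
"""

# Assumption: ansible_winrm_transport value -> Service\Auth key that must be
# true. NTLM is carried inside Negotiate, so it has no key of its own.
TRANSPORT_TO_AUTH = {"basic": "Basic", "ntlm": "Negotiate",
                     "kerberos": "Kerberos", "credssp": "CredSSP",
                     "certificate": "Certificate"}

def parse_winrm_config(text):
    """Turn the indented output into nested dicts; leaves are value/gpo dicts."""
    root = {}
    stack = [(-1, root)]                      # (indent, section dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:         # climb back to the parent section
            stack.pop()
        parent = stack[-1][1]
        if " = " in line:                     # Key = value [Source="GPO"]
            key, rest = line.split(" = ", 1)
            value, _, source = rest.partition(" [Source=")
            parent[key] = {"value": value.strip(), "gpo": "GPO" in source}
        else:                                 # bare name opens a subsection
            parent[line] = {}
            stack.append((indent, parent[line]))
    return root

def check_transport(text, transport):
    """Report whether the Service accepts this transport and if GPO pins it."""
    auth = parse_winrm_config(text)["Config"]["Service"]["Auth"]
    s = auth.get(TRANSPORT_TO_AUTH[transport], {"value": "false", "gpo": False})
    return {"enabled": s["value"].lower() == "true", "gpo": s["gpo"]}

def usable_transports(text):
    return [t for t in TRANSPORT_TO_AUTH if check_transport(text, t)["enabled"]]
```

The parser relies on the indentation that `winrm` prints, so feed it the raw console output rather than a copy with the leading spaces stripped.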

Thanks, I changed the auth to ntlm and it works now.

Another question: how do I use a domain account instead of a local administrator?

Just change the username and password to that domain account. Typically the user is either in the Netlogon ‘DOMAIN\user’ form or the UPN ‘user@DOMAIN.COM’ form. The latter is preferred as it’s what is required for Kerberos auth which should be used for domain logons.