Windows Kerberos Issues

I’m trying to use Ansible to log into a Windows host, and I’m having issues logging in.

  1. My Ansible server is joined to the domain
  2. DNS lookup works, as well as in reverse
  3. I can log into the Windows hosts as a local user through Ansible
  4. Running something like “id @” works on my Ansible server

The error I am getting is this:

“msg”: “kerberos: authGSSClientStep() failed: ((‘Unspecified GSS failure. Minor code may provide more information’, 851968), (‘Server not found in Kerberos database’, -1765328377))”,

I can ping the host, and like I said both DNS and Reverse DNS work. I know for sure the host is joined to the domain, and I’m pretty certain the Linux server is joined to the domain. Any suggestions?

Thanks!

The domain status of the Ansible controller shouldn’t matter. If DNS is working, the typical remaining causes of that error are not using the FQDN of the target host in your Ansible inventory, or that the host’s HTTP SPN has been reassigned to another user.

Also, if you don’t absolutely need to use Kerberos, NTLM or CredSSP are much easier ways to do domain user auth…

I would love to use NTLM or CredSSP because Kerberos is a bit of a PITA it seems. Do those transports require host configuration? If I simply change the transport to ntlm I get:

“msg”: “ntlm: the specified credentials were rejected by the server”

And with CredSSP I get:

“msg”: “credssp: The server did not respond with CredSSP as an available auth method”

There’s a command line switch you have to use on the ConfigureRemotingForAnsible.ps1 if you want to use CredSSP I think.

Re your kerberos problem, has the windows box you are trying to hit actually been joined to the domain?

The switch to enable CredSSP when running ConfigureRemotingForAnsible.ps1 is

powershell.exe -ExecutionPolicy Bypass -File ConfigureRemotingForAnsible.ps1 -EnableCredSSP

You can also just enable it manually by running

Enable-WSManCredSSP -role server -Force

As for your Kerberos problem, I find that if your DNS isn’t set correctly and you have SPN issues, then you are going to have a bad time. You can use

setspn -L COMPUTERACCOUNT

where COMPUTERACCOUNT is the account in AD for the host to see a list of SPNs registered to that host.
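The following is an added example, not code from anyone in this thread: a PowerShell script that walks the checks suggested in the replies above (FQDN in the inventory, forward and reverse DNS, who holds the HTTP SPN, CredSSP enabled on the WinRM service) for one host. It is meant to run on a domain-joined Windows admin box with the RSAT ActiveDirectory module, as an account that can read AD and reach WinRM on the target. The host name, the domain and the PowerShell parameter name are placeholders; pass exactly the name you use in the Ansible inventory.

```powershell
# Added example (not from this thread). Usage: .\Check-AnsibleKerberos.ps1 -InventoryHost win01.corp.example.com
# $InventoryHost and the example host/domain are hypothetical placeholders.
param(
    [Parameter(Mandatory)]
    [string]$InventoryHost    # the name as written in the Ansible inventory (ansible_host or host name)
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The client asks the KDC for a ticket to HTTP/<name exactly as typed in the inventory>.
#    A short name yields HTTP/win01, which the KDC does not know -> "Server not found in Kerberos database".
if ($InventoryHost -notmatch '\.') {
    Write-Warning "'$InventoryHost' is not an FQDN; Kerberos will ask for HTTP/$InventoryHost. Use the FQDN in the inventory."
}

# 2. Forward and reverse DNS should agree on the name.
$a   = Resolve-DnsName -Name $InventoryHost -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
$ptr = Resolve-DnsName -Name $a[0].IPAddress -Type PTR -ErrorAction SilentlyContinue
if (-not $ptr -or $ptr[0].NameHost.TrimEnd('.') -ine $InventoryHost.TrimEnd('.')) {
    Write-Warning "Reverse lookup of $($a[0].IPAddress) returns '$($ptr.NameHost)', not '$InventoryHost'"
}

# 3. Which account holds HTTP/<fqdn>? It should be the computer account, or nobody
#    (then the KDC maps HTTP/ onto the computer's HOST/ SPN). If another account holds
#    it, or two accounts hold it, Kerberos to WinRM on this host will fail.
$spn      = "HTTP/$InventoryHost"
$computer = Get-ADComputer -Filter "DNSHostName -eq '$InventoryHost'" -Properties servicePrincipalName
$owner    = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)

if (-not $computer) {
    Write-Warning "No computer object with DNSHostName '$InventoryHost' in this domain: is the host joined?"
} elseif ($owner.Count -eq 0) {
    Write-Host "$spn is not registered explicitly; the KDC will fall back to HOST/$InventoryHost on $($computer.Name)"
} elseif ($owner.Count -gt 1) {
    Write-Warning "Duplicate SPN: $spn is registered on $($owner.DistinguishedName -join '; ')"
} elseif ($owner[0].DistinguishedName -ne $computer.DistinguishedName) {
    Write-Warning "$spn belongs to $($owner[0].DistinguishedName), not to $($computer.DistinguishedName)"
} else {
    Write-Host "$spn is registered to the computer account $($computer.Name)"
}

# Same view with the tool from the post above (setspn -L COMPUTERACCOUNT).
if ($computer) {
    $sam = $computer.SamAccountName
    setspn -L $sam
}

# 4. If CredSSP is the fallback, confirm the WinRM service on the target accepts it.
#    This is the setting that ConfigureRemotingForAnsible.ps1 -EnableCredSSP and
#    Enable-WSManCredSSP -Role Server turn on.
Invoke-Command -ComputerName $InventoryHost -ScriptBlock {
    $credssp = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    if ($credssp -ne 'true') {
        Enable-WSManCredSSP -Role Server -Force | Out-Null
    }
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        CredSSP = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    }
}
```

Step 4 itself goes over WinRM, so it needs a working admin session to the target (Kerberos from a domain-joined Windows box normally is). The same SPN question can be asked from the Linux controller with MIT Kerberos: after kinit, `kvno HTTP/win01.corp.example.com` either returns a ticket or reproduces the "Server not found in Kerberos database" error without involving Ansible at all.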

Thank you! I actually just got CredSSP working, so much easier!