Windows: kerberos: the specified credentials were rejected by the server

I am using the following ansible settings:

ansible_user: 'myuser'
ansible_password: 'mypass'
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
ansible_winrm_message_encryption: always
ansible_winrm_kerberos_delegation: true

ansible_user is a domain user - that has administrative rights on all the nodes.

Then I run the win_ping command.

/usr/local/bin/ansible citrix_ch3 -m win_ping
ctx11 | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: the specified credentials were rejected by the server",
    "unreachable": true
}
ctx12 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
ctx13 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
ctx14 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

I get unreachable from just one host. This is the WinRM config on the machine that’s unreachable:

PS C:\> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

Any suggestions or help on how to potentially debug/resolve this problem?

Thank you all,

Subhi.

Make sure the time is synced between the Ansible host, your Windows host, and finally the domain controller. Kerberos is highly dependent on all this being aligned for the authentication to succeed.

Thanks

Jordan
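
One way to run the clock check suggested in the reply above, as an added example that is not part of the original thread: it measures each machine's clock offset from the Ansible controller over SNTP and lists the pairs that differ by more than the default Kerberos tolerance of 5 minutes. It assumes each queried machine answers SNTP on UDP 123; the host name dc01, the 412-second offset and the reply packets are constructed sample data.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800      # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300     # default Kerberos clock tolerance: 5 minutes

def to_ntp(unix_time):
    """Unix seconds -> (NTP seconds, 32-bit fraction)."""
    whole = int(unix_time)
    return whole + NTP_DELTA, int((unix_time - whole) * 2**32)

def parse_sntp_reply(packet, t_sent, t_received):
    """Offset in seconds of the remote clock relative to the local one."""
    if len(packet) < 48 or packet[0] & 0x07 != 4:    # mode 4 = server reply
        raise ValueError("not an SNTP server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", packet[32:48])
    t_rx = rx_s - NTP_DELTA + rx_f / 2**32           # server receive time
    t_tx = tx_s - NTP_DELTA + tx_f / 2**32           # server transmit time
    return ((t_rx - t_sent) + (t_tx - t_received)) / 2

def query_offset(host, timeout=3.0):
    """Ask host (UDP 123) for its time and return its offset from this machine."""
    request = b"\x23" + bytes(47)                    # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(request, (host, 123))
        packet, _ = sock.recvfrom(512)
        t_received = time.time()
    return parse_sntp_reply(packet, t_sent, t_received)

def skewed_pairs(offsets, limit=KERBEROS_MAX_SKEW):
    """offsets maps host -> offset from the controller; list pairs beyond limit."""
    clocks = {"controller": 0.0, **offsets}
    names = sorted(clocks)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if abs(clocks[a] - clocks[b]) > limit]

def constructed_reply(server_time):
    """Constructed sample: a 48-byte reply from a server whose clock reads server_time."""
    stamp = struct.pack("!2I", *to_ntp(server_time))
    return b"\x24" + bytes(31) + stamp + stamp       # mode 4; receive == transmit

if __name__ == "__main__":
    # Constructed data: ctx11 runs 412 s ahead, the DC ("dc01", hypothetical) is in sync.
    now = 1_700_000_000.0
    offsets = {"ctx11": parse_sntp_reply(constructed_reply(now + 412), now, now),
               "dc01": parse_sntp_reply(constructed_reply(now), now, now)}
    print(offsets, skewed_pairs(offsets))
```

To measure real machines, build the offsets dictionary from query_offset(host) calls instead of the constructed replies.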