Hi All,

I faced below error on 1 of my windows machine. this windows machine is joined domain.

ansible -i inventory winoct -m win_ping -vvvvvvv

ansible 2.6.1

config file = /etc/ansible/ansible.cfg

configured module search path = [u’/root/.ansible/plugins/modules’, u’/usr/share/ansible/plugins/modules’]

ansible python module location = /usr/lib/python2.7/site-packages/ansible

executable location = /bin/ansible

python version = 2.7.5 (default, May 31 2018, 09:41:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

Using /etc/ansible/ansible.cfg as config file

setting up inventory plugins

Parsed /root/inventory inventory source with ini plugin

Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/minimal.pyc

META: ran handlers

Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1

<10.10.10.111> ESTABLISH WINRM CONNECTION FOR USER: test on PORT 5986 TO 10.10.10.111

checking if winrm_host 10.10.10.111 is an IPv6 address

<10.10.10.111> WINRM CONNECT: transport=ssl endpoint=https://10.10.10.111:5986/wsman

<10.10.10.111> WINRM CONNECTION ERROR: the specified credentials were rejected by the server

Traceback (most recent call last):

File “/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py”, line 387, in _winrm_connect

self.shell_id = protocol.open_shell(codepage=65001) # UTF-8

File “/usr/lib/python2.7/site-packages/winrm/protocol.py”, line 157, in open_shell

res = self.send_message(xmltodict.unparse(req))

File “/usr/lib/python2.7/site-packages/winrm/protocol.py”, line 234, in send_message

resp = self.transport.send_message(message)

File “/usr/lib/python2.7/site-packages/winrm/transport.py”, line 256, in send_message

response = self._send_message_request(prepared_request, message)

File “/usr/lib/python2.7/site-packages/winrm/transport.py”, line 266, in _send_message_request

raise InvalidCredentialsError(“the specified credentials were rejected by the server”)

InvalidCredentialsError: the specified credentials were rejected by the server

10.10.10.111 | UNREACHABLE! => {

“changed”: false,

“msg”: “ssl: the specified credentials were rejected by the server”,

“unreachable”: true

}

meanwhile other Windows machine are fine.

ansible -i inventory sysad -m win_ping -vvvvvvv

ansible 2.6.1

config file = /etc/ansible/ansible.cfg

configured module search path = [u’/root/.ansible/plugins/modules’, u’/usr/share/ansible/plugins/modules’]

ansible python module location = /usr/lib/python2.7/site-packages/ansible

executable location = /bin/ansible

python version = 2.7.5 (default, May 31 2018, 09:41:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

Using /etc/ansible/ansible.cfg as config file

setting up inventory plugins

Parsed /root/inventory inventory source with ini plugin

Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/minimal.pyc

META: ran handlers

Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1

<10.10.10.32> ESTABLISH WINRM CONNECTION FOR USER: test on PORT 5986 TO 10.10.10.32

checking if winrm_host 10.10.10.32 is an IPv6 address

<10.10.10.32> WINRM CONNECT: transport=ssl endpoint=https://10.10.10.32:5986/wsman

Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1

<10.10.10.41> ESTABLISH WINRM CONNECTION FOR USER: test on PORT 5986 TO 10.10.10.41

checking if winrm_host 10.10.10.41 is an IPv6 address

<10.10.10.41> WINRM CONNECT: transport=ssl endpoint=https://10.10.10.41:5986/wsman

<10.10.10.41> WINRM OPEN SHELL: A85A2BD2-9622-4FBF-9F05-DF1832010881

EXEC (via pipeline wrapper)

<10.10.10.41> WINRM EXEC ‘PowerShell’ [‘-NoProfile’, ‘-NonInteractive’, ‘-ExecutionPolicy’, ‘Unrestricted’, ‘-’]

<10.10.10.32> WINRM OPEN SHELL: E38B8407-E794-40AF-99A2-850153CACD80

EXEC (via pipeline wrapper)

<10.10.10.32> WINRM EXEC ‘PowerShell’ [‘-NoProfile’, ‘-NonInteractive’, ‘-ExecutionPolicy’, ‘Unrestricted’, ‘-’]

<10.10.10.32> WINRM RESULT u’<Response code 0, out "{“changed”:false,“pi”, err “”>’

<10.10.10.32> WINRM STDOUT {“changed”:false,“ping”:“pong”}

<10.10.10.32> WINRM STDERR

<10.10.10.32> WINRM CLOSE SHELL: E38B8407-E794-40AF-99A2-850153CACD80

10.10.10.32 | SUCCESS => {

“changed”: false,

“ping”: “pong”

}

<10.10.10.41> WINRM RESULT u’<Response code 0, out "{“changed”:false,“pi”, err “”>’

<10.10.10.41> WINRM STDOUT {“changed”:false,“ping”:“pong”}

<10.10.10.41> WINRM STDERR

<10.10.10.41> WINRM CLOSE SHELL: A85A2BD2-9622-4FBF-9F05-DF1832010881

10.10.10.41 | SUCCESS => {

“changed”: false,

“ping”: “pong”

}

META: ran handlers

META: ran handlers

winrm get winrm/config ( for 3 of the windows machine are same config )

any help would be much appreciated.

Thank you

There are numerous scenarios that can cause an authentication problem, such as;

• The credentials you are using are actually incorrect, or you haven’t specified the password in Ansible correctly

• The account is disabled or locked on the Windows host

• If using Basic auth (you are), you need to enable Basic auth on the server, “Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true”

• The account does not have rights to log on through the network, https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network

• The account is not part of the local Administrators group, or if a non admin account you haven’t given it permission

• You are using a domain account over Basic auth, use Kerberos (preferably) or NTLM/CredSSP

• You are using Basic auth over HTTP, this is not encrypted and Windows will reject the process (I see this isn’t your case as you are running over HTTPS)

• The LocalAccountTokenFilterPolicy is not set to 1 (only for local admin accounts that is not the BUILTIN\Administrator account), https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
  Thanks

Jordan

Thank you Jordan!
I managed connect using Kerberos instead of using ssl. For ssl connection I think i need to create self signed cert as mention here http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure.