"kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"


Allen Fisher

May 2, 2017, 2:33:36 PM
to Ansible Project
Hi All--

I'm running into an issue connecting from an Ubuntu 16.04 system to a Windows 2012 Server on a domain:

afisher@ubuntu:~/Projects/build-utils/ansible-playbooks$ ansible windows -i inventory.yml -m win_ping -vvvv
Using /etc/ansible/ansible.cfg as config file
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc
 [WARNING]: ansible_winrm_cert_validation unsupported by pywinrm (is an up-to-date version of pywinrm installed?)
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/core/windows/win_ping.ps1
<edprjenslave03.DOMAIN.COM> ESTABLISH WINRM CONNECTION FOR USER: afi...@DOMAIN.COM on PORT 5985 TO edprjenslave03.DOMAIN.COM
edprjenslave03.DOMAIN.COM | UNREACHABLE! => {
    "changed": false, 
    "msg": "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server", 
    "unreachable": true
}

At first it was just refusing without the kerberos part of the error. Realized I didn't have Kerberos installed. Remedied that:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: afi...@DOMAIN.COM
Valid starting       Expires              Service principal
05/02/2017 09:23:47  05/02/2017 19:23:47  krbtgt/DOMAI...@DOMAIN.COM
renew until 05/03/2017 09:23:41
05/02/2017 09:49:54  05/02/2017 19:23:47  HTTP/edprjenslave03.domain.com@
renew until 05/03/2017 09:23:41
05/02/2017 09:49:54  05/02/2017 19:23:47  HTTP/edprjenslave...@DOMAIN.COM
renew until 05/03/2017 09:23:41

Tried adding the user to the local administrators, no dice.

Confirmed that I indeed do have the latest version of pywinrm installed:

afisher@ubuntu:~/Projects/build-utils/ansible-playbooks$ sudo -H pip install --upgrade pywinrm
Requirement already up-to-date: pywinrm in /usr/local/lib/python2.7/dist-packages
Requirement already up-to-date: xmltodict in /usr/local/lib/python2.7/dist-packages (from pywinrm)
Requirement already up-to-date: requests-ntlm>=0.3.0 in /usr/local/lib/python2.7/dist-packages (from pywinrm)
Requirement already up-to-date: six in /usr/lib/python2.7/dist-packages (from pywinrm)
Requirement already up-to-date: requests>=2.9.1 in /usr/local/lib/python2.7/dist-packages (from pywinrm)
Requirement already up-to-date: ntlm-auth>=1.0.2 in /usr/local/lib/python2.7/dist-packages (from requests-ntlm>=0.3.0->pywinrm)

Here's my inventory file:


Here's my group_vars/windows.yml

---
ansible_user: afi...@DOMAIN.COM
ansible_password: the_pass
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_cert_validation: ignore

Any ideas? I'm starting to run out of tricks.

Thanks!

Allen

Jordan Borean

May 2, 2017, 5:09:23 PM
to Ansible Project
WinRM is an annoying mechanism with very unhelpful error messages, so this could potentially be a few things that could be causing your issue.

The first thing is that pywinrm doesn't play nice with HTTP endpoints unless you disable the majority of the security configurations like AllowUnencrypted=true, so try and set up an HTTPS endpoint and use that. The script here https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 will set one up for you with a self-signed certificate, which is good to use for testing.

There are some particular WinRM auth settings that are not fully supported as well currently, like CbtHardeningLevel set to Strict with Kerberos. If you run "winrm get winrm/config/service/auth" you can see what level it is currently set at. You can also see if Kerberos auth is actually enabled. If your workplace mandates this be set to Strict for security purposes, your only options would be to use NTLM or CredSSP, which currently support CBT.

Have a go with these two things and let us know if you still have any issues.

J Hawkesworth

May 2, 2017, 5:18:33 PM
to Ansible Project
I'd suggest switching to port 5986, which is the HTTPS WinRM listener port, too. If you have run the configure-for-remoting script successfully that should work.

Also, use Ansible 2.3 as it has built-in support for acquiring Kerberos (Active Directory) tickets. You still need to configure your krb5.conf and install the Kerberos libs as listed in the Windows setup documentation, of course.

Hope this helps,

Jon

Allen Fisher

May 4, 2017, 9:06:29 AM
to Ansible Project
Thanks Jordan and J.

I switched to the local administrator account. I also re-ran the ConfigureRemotingForAnsible script. Now I get the dreaded "the specified credentials were rejected by the server" error.

PS C:\Users\afisher\Documents> C:\Users\afisher\Documents\ConfigureRemotingForAnsible.ps1 -Verbose
VERBOSE: Verifying WinRM service.
VERBOSE: PS Remoting is already enabled.
VERBOSE: SSL listener is already active.
VERBOSE: Basic auth is already enabled.
VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
VERBOSE: HTTP: Enabled | HTTPS: Enabled
VERBOSE: PS Remoting has been successfully configured for Ansible.

I've tried both ports... 

Jordan Borean

May 4, 2017, 9:43:30 AM
to Ansible Project
Can you post the results of "winrm get winrm/config/service" here to show us your WinRM configuration.

Allen Fisher

May 4, 2017, 10:38:23 AM
to Ansible Project
Sure thing:

PS C:\Users\Administrator> winrm get winrm/config/service
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true

cupcake

May 4, 2017, 3:33:55 PM
to Ansible Project
Allow unencrypted:
winrm set winrm/config/service '@{AllowUnencrypted="true"}'


Jordan Borean

May 4, 2017, 4:51:28 PM
to Ansible Project
I would only allow unencrypted messages for testing and debugging purposes and never in any production capacity due to the security risk when running over HTTP. Useful in this case to see if the HTTP endpoint works but should be turned back off eventually.

Some other things to try
- use a real powershell host and connect with those credentials, will verify if the account is valid and has enough permissions
- use pywinrm direct and manually get a Kerberos ticket using kinit, will see if Ansible is getting the tickets correctly
- try using NTLM as a test instead, will see if the problem is in the Kerberos auth somewhere
- scan the Windows security event logs and try and find the reason it is rejecting each request
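
One way to do the second check above (is the ticket cache actually holding what the Kerberos transport needs?) is to parse the `klist` listing the way it appears earlier in this thread. The script below is an added example, not code from Ansible, pywinrm or anyone in this thread; it assumes the MIT `klist` layout shown above and uses constructed host and realm names (win01.example.com, EXAMPLE.COM). Run against the listing Allen posted it would report both the TGT and the HTTP service ticket as live, which is consistent with the fault being on the server side rather than in ticket acquisition.

```python
"""Check an MIT Kerberos credential cache listing for what Ansible's WinRM
Kerberos transport needs: a live TGT and a live HTTP/<host> service ticket.

Added example for this thread, not part of Ansible, pywinrm or MIT Kerberos.
It reads the `klist` layout shown earlier ("Valid starting / Expires /
Service principal" rows, "renew until" continuation lines). Host and realm
names in the sample are constructed placeholders.
"""
from datetime import datetime

# Constructed sample: a TGT, an expired ticket for another host and a
# current ticket for the host we want to reach.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: afisher@EXAMPLE.COM

Valid starting       Expires              Service principal
05/02/2017 09:23:47  05/02/2017 19:23:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/03/2017 09:23:41
05/01/2017 08:00:00  05/01/2017 18:00:00  HTTP/old01.example.com@EXAMPLE.COM
05/02/2017 09:49:54  05/02/2017 19:23:47  HTTP/win01.example.com@EXAMPLE.COM
\trenew until 05/03/2017 09:23:41
"""
_TS = "%m/%d/%Y %H:%M:%S"  # klist's timestamp format on this system


def parse_klist(text):
    """Return (default principal, [(start, expires, service principal), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif len(parts) == 5:  # ticket rows are: date time date time principal
            try:
                start = datetime.strptime(" ".join(parts[0:2]), _TS)
                expires = datetime.strptime(" ".join(parts[2:4]), _TS)
            except ValueError:
                continue  # the column header also has five words; "renew until" rows have four
            tickets.append((start, expires, parts[4]))
    return principal, tickets


def check_tickets(text, host, now):
    """Report whether the cache holds a live TGT and a live HTTP/<host> ticket.
    `now` is a datetime or a string in klist's own timestamp format."""
    if isinstance(now, str):
        now = datetime.strptime(now, _TS)
    principal, tickets = parse_klist(text)
    want = "http/%s@" % host.lower()  # SPN host part compared case-insensitively
    result = {"principal": principal, "tgt": False, "service": False, "problems": []}
    for start, expires, spn in tickets:
        live = start <= now < expires
        if spn.lower().startswith("krbtgt/"):
            result["tgt"] = result["tgt"] or live
        elif spn.lower().startswith(want):
            if live:
                result["service"] = True
            else:
                result["problems"].append("%s expired at %s" % (spn, expires))
    if not result["tgt"]:
        result["problems"].append(
            "no live TGT: run kinit, or let Ansible 2.3+ obtain one from ansible_user/ansible_password")
    if not result["service"]:
        result["problems"].append(
            "no live HTTP/%s ticket: the KDC issues it on the first WinRM attempt, so its absence "
            "after an attempt usually means the SPN could not be obtained (check SPN and DNS name)" % host)
    return result


if __name__ == "__main__":
    for target in ("win01.example.com", "old01.example.com"):
        print(target, check_tickets(SAMPLE_KLIST, target, "05/02/2017 12:00:00"))
```

Pipe `klist` into it (or pass the captured text) with the FQDN you put in the inventory and the current time; a missing or expired HTTP/<host> entry is a client-side problem to fix before looking at the server, while a cache that passes this check points at the server's WinRM configuration.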

Kamran Ayub

May 25, 2017, 11:54:40 AM
to Ansible Project
Just got done configuring some Windows hosts with Ansible Tower.

- Use port 5986 because AllowUnencrypted=False will prevent 5985 from working (for good reason!) w/ Kerberos
- Use a certificate on 5986, I noticed your CertThumbprint is missing
- Ensure 5986 firewall port is open
- Test connecting via Powershell (Invoke-Command -ComputerName blah -Credential username -Authentication Kerberos -UseSSL -Port 5986 { echo 'Hello World' })

You can run the ConfigureRemotingForAnsible.ps1 script to do this all for you and test the connection. I actually made some PRs to it this week to enhance it.

Since your machine is domain-joined, I recommend using the machine certificate that gets provisioned (not required). My PR contribution adds this to the ansible remoting script, but you can modify the existing script to do it.
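
To make the configuration checks in Jordan's and Kamran's replies repeatable, here is a small audit script. It is an added example for this thread, not part of Ansible, pywinrm or the ConfigureRemotingForAnsible script. It parses the `winrm get winrm/config/service` dump Allen posted (embedded below, abridged) and reports, for a given ansible_winrm_transport and ansible_winrm_scheme, the settings that would stop the connection or weaken it. The finding codes and severities are this script's own convention. The note it emits about the blank service-level CertificateThumbprint rests on the HTTPS listener object carrying its own thumbprint, so a blank value at the service level is not by itself proof that the listener has no certificate; `winrm enumerate winrm/config/listener` shows the listener's value.

```python
"""Audit `winrm get winrm/config/service` output for settings that block or
weaken an Ansible/pywinrm connection.

Added example for this thread; not part of Ansible, pywinrm or WinRM. It
parses the indented key/value dump WinRM prints and applies the checks the
replies above describe. Finding codes and severities are this script's own.
"""
import re

# Sample input: the service configuration posted in this thread (abridged).
SAMPLE_CONFIG = """\
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    AllowUnencrypted = false
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    CertificateThumbprint
    AllowRemoteAccess = true
"""
_LINE = re.compile(r"^(?P<indent>\s*)(?P<key>[^=]+?)(?:\s*=\s*(?P<value>.*))?$")

# ansible_winrm_transport value -> WinRM Auth switch that must be true for it.
TRANSPORT_AUTH_KEY = {"kerberos": "Kerberos", "ntlm": "Negotiate", "basic": "Basic",
                      "credssp": "CredSSP", "certificate": "Certificate"}


def parse_winrm_config(text):
    """Turn the indented dump into nested dicts. A key with no '= value' becomes
    a sub-dict if lines are indented under it, otherwise an empty string (e.g.
    the blank CertificateThumbprint above)."""
    root = {}
    stack = [(-1, root)]  # (indent width, container) for the open sections
    for raw in text.splitlines():
        m = _LINE.match(raw.rstrip())
        if not raw.strip() or not m:
            continue
        indent, key, value = len(m.group("indent")), m.group("key").strip(), m.group("value")
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value is None:  # section header or blank scalar
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip()
    return _collapse_empty(root)


def _collapse_empty(node):
    """Childless {} placeholders were blank scalars; turn them into ''."""
    if isinstance(node, dict):
        return {k: _collapse_empty(v) for k, v in node.items()} if node else ""
    return node


def _true(value):
    return str(value).strip().lower() == "true"


def audit(config, transport="kerberos", scheme="https"):
    """Return (severity, code, message) findings for an Ansible host using the
    given ansible_winrm_transport and ansible_winrm_scheme."""
    svc = config.get("Service", config)
    auth = svc.get("Auth") or {}
    out = []
    if not _true(svc.get("AllowRemoteAccess", "true")):
        out.append(("ERROR", "REMOTE_ACCESS_OFF", "AllowRemoteAccess=false: every remote request is refused"))
    key = TRANSPORT_AUTH_KEY.get(transport)
    if key is None:
        out.append(("ERROR", "UNKNOWN_TRANSPORT", "unrecognised transport %r" % transport))
    elif not _true(auth.get(key)):
        out.append(("ERROR", "TRANSPORT_DISABLED", "Auth/%s is false, so transport '%s' cannot log in" % (key, transport)))
    if _true(svc.get("AllowUnencrypted")):
        out.append(("WARN", "ALLOW_UNENCRYPTED", "AllowUnencrypted=true: plaintext SOAP over HTTP exposes credentials and output; testing only"))
    elif scheme == "http" and transport == "basic":
        out.append(("ERROR", "BASIC_OVER_HTTP", "basic auth cannot encrypt the message body, so HTTP is refused while AllowUnencrypted=false; use HTTPS on 5986 rather than enabling it"))
    elif scheme == "http":
        out.append(("INFO", "HTTP_NEEDS_ENCRYPTION", "AllowUnencrypted=false on HTTP: the client must support message encryption for '%s'; otherwise use HTTPS on 5986" % transport))
    if transport == "kerberos" and str(auth.get("CbtHardeningLevel", "")).lower() == "strict":
        out.append(("WARN", "CBT_STRICT_KERBEROS", "CbtHardeningLevel=Strict: this thread reports pywinrm Kerberos did not satisfy strict channel binding; use NTLM/CredSSP, or Relaxed if policy allows"))
    if _true(auth.get("Basic")):
        out.append(("INFO", "BASIC_ENABLED", "Auth/Basic=true: credentials are only base64-encoded, safe only inside TLS; disable if unused"))
    if scheme == "https" and not svc.get("CertificateThumbprint"):
        out.append(("INFO", "NO_SERVICE_THUMBPRINT", "service CertificateThumbprint is blank; the HTTPS listener carries its own, check 'winrm enumerate winrm/config/listener'"))
    return out


if __name__ == "__main__":
    cfg = parse_winrm_config(SAMPLE_CONFIG)
    for sev, code, msg in audit(cfg, transport="kerberos", scheme="http"):
        print("%-5s %-22s %s" % (sev, code, msg))
```

Feed it the saved output of `winrm get winrm/config/service` plus the transport and scheme from your inventory. For Allen's configuration with the Kerberos transport over HTTP it reports that the HTTP listener needs client-side message encryption and that Basic is enabled; over HTTPS it only points at Basic and the blank service thumbprint, which matches the advice in this thread to move to 5986 rather than set AllowUnencrypted.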

ashokkum...@gmail.com

Oct 26, 2017, 3:03:23 PM
to Ansible Project
Resolved the above error by uncommenting the line "127.0.0.1 localhost" in the C:\Windows\System32\drivers\etc\hosts file; then it works.


satees...@gmail.com

Dec 2, 2018, 7:16:04 PM
to Ansible Project
Hi,

I am getting the following error when I try to run a playbook to configure a Windows machine:

Msg: basic: Bad HTTP response returned from server. Code 404.

Actually the error occurs at gathering facts. I have given my Windows host name.



satees...@gmail.com

Dec 2, 2018, 7:27:07 PM
to Ansible Project
hi,

[webserver]

[webserver:vars]
ansible_user=windows
ansible_password=PWD
ansible_connection=winrm
ansible_winrm_transport=basic
ansible_winrm_scheme=http
ansible_port=5985
#ansible_winrm_operation_timeout_sec=60
#ansible_winrm_read_timeout_sec=70
ansible_winrm_server_cert_validation=ignore

This is my inventory file. The main.yml file I run is:

---
- hosts: webserver
  gather_facts: true
  tasks:
    - name: create a file on windows server
      win_file:
        path: C:/temp/hello
        state: touch

    - name: Install IIS
      win_feature:
        name: Web-Server
        state: present
        restart: no
        include_management_tools: True
        include_sub_features: True

I have opened port 5985 and I am able to telnet to the server on port 5985, but I am still getting the error:

fatal: server: unreachable
msg: "basic : Bad HTTP response returned from server. code 404"

Thanks,
sateesh



Nk Chitturi

Dec 3, 2018, 12:58:33 PM
to ansible...@googlegroups.com
Use Kerberos, it works.


sateesh s

Dec 3, 2018, 3:47:31 PM
to ansible...@googlegroups.com
I tried with Kerberos and I am getting this error:
Msg: kerberos: requested auth method is kerberos, but requests-kerberos is not installed

I tried to run the command pip install requests-kerberos, but the firewall is restricting it.

Is there any other way?

Thanks

