Login Credentials were rejected for Computers Attached to Active Directory


Rajagopal Subramanian

Jul 10, 2016, 3:02:02 PM
to Ansible Project

I have three Windows computers. One is Windows Server 2012; the other two are Windows 7 desktops. Through Ansible I can individually manage all three Windows machines through their local login accounts. Ansible works perfectly.


Now I configured AD on Windows Server 2012 and joined the two desktop computers to AD. Through Active Directory's Administrator account I can log in to all 3 Windows machines.


To manage AD accounts in Ansible I installed Kerberos as mentioned in this documentation.


My configurations are as follows:


/etc/krb5.conf


[libdefaults]

default_realm = NAANAL.IN

[realms]

NAANAL.IN = {
    kdc = WIN2012.naanal.in
    default_domain = naanal.in
}

[domain_realm]

.naanal.in = NAANAL.IN

[login]

krb4_convert = true
krb4_get_tickets = false


Connection and Ticket Details:


kinit Admini...@NAANAL.IN
Password for Admini...@NAANAL.IN:



klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Admini...@NAANAL.IN

Valid starting       Expires              Service principal
2016-07-10T20:41:25  2016-07-11T06:41:25  krbtgt/NAAN...@NAANAL.IN
    renew until 2016-07-11T20:40:33


Now I just try to ping all my Windows machines through the account Admini...@NAANAL.IN


Here is my Configuration and output :


hosts


[windows]
192.168.1.13  # Windows 7 Desktop attached to AD
192.168.1.23  # Windows 7 Desktop attached to AD
172.30.64.77  # Windows 2012 with AD


group_vars/windows.yaml


ansible_user: Admini...@NAANAL.IN
ansible_password: p@ssw0rd1
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore


When I run ansible windows -i hosts -m win_ping:


192.168.1.13 | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
192.168.1.23 | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
172.30.64.77 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


I.e., in Ansible, I can't log in to computers attached to AD through an AD user account. What am I missing?


Note: I enabled Remote Connections on the desktops. Also tried with the firewall disabled.

J Hawkesworth

Jul 11, 2016, 5:54:58 AM
to Ansible Project
So, for some reason it is trying to connect via ssl and not kerberos.

I can think of two things for you to try:

1/ ensure you have installed the python kerberos library as described here: http://docs.ansible.com/ansible/intro_windows.html#installing-python-kerberos

Without this, ansible will 'fall back' to attempting an ssl connection, which will fail as you are using a domain user.  This is also needed (it is not included in the packages listed here): http://docs.ansible.com/ansible/intro_windows.html#installing-python-kerberos-dependencies

2/ Switch to hostnames instead of ip addresses in your inventory.  Kerberos needs fully functioning DNS to work properly.

Hope this helps,

Jon
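
An added example (not part of the thread and not Ansible's own code): a pre-flight check for the two points in the reply above, meant to be run on the control machine. The inventory text and the host name win2012.example.test are constructed placeholders, and a forward/reverse DNS round trip is used here as an assumed stand-in for "fully functioning DNS".

```python
import importlib.util
import ipaddress
import socket

# Constructed inventory modelled on the question; the host name is a placeholder.
SAMPLE_INVENTORY = """\
[windows]
192.168.1.13
win2012.example.test
"""

def inventory_hosts(text):
    """Return host entries from a simple INI inventory (no ranges or children)."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if line and not line.startswith("["):     # skip group headers
            hosts.append(line.split()[0])         # ignore inline host vars
    return hosts

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_round_trip(host, resolver=socket):
    """True if host -> address -> name resolves back to the same host name."""
    try:
        addr = resolver.gethostbyname(host)
        name = resolver.gethostbyaddr(addr)[0]
    except OSError:                               # gaierror/herror are OSError
        return False
    return name.lower().rstrip(".") == host.lower().rstrip(".")

def preflight(text, resolver=socket):
    """Return (subject, problem) findings; an empty list means nothing flagged."""
    findings = []
    if importlib.util.find_spec("kerberos") is None:
        findings.append(("control machine", "python 'kerberos' module not importable"))
    for host in inventory_hosts(text):
        if is_ip_literal(host):
            findings.append((host, "IP address in inventory; use the DNS host name"))
        elif not dns_round_trip(host, resolver):
            findings.append((host, "forward/reverse DNS lookup does not round-trip"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{h}: {p}" for h, p in preflight(SAMPLE_INVENTORY)))
```

A round-trip mismatch is a prompt to inspect the DNS records for that host, not proof that Kerberos will fail.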