ansible winrm : the specified credentials were rejected by the server


Hmdi Bz

Feb 14, 2017, 1:20:28 PM
to Ansible Project
Hi,
I'm using Ansible on a CentOS 7 guest on VirtualBox, using a bridged network with a Windows host.
They can both ping each other (Windows address: 192.168.1.2, CentOS 7 address: 192.168.1.3).
I'm using a basic WinRM connection and I've already executed configureRemotingForAnsible.ps1 successfully on the host, along with these two commands:

winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'

I've also disabled the firewall on both sides.
My windows account is not part of any Domain.


ansible version is 2.2.1.0
the inventory file:  inv.ini

    [windowsTest]
    192.168.1.2
    [windowsTest:vars]
    ansible_username=myUsername
    ansible_password=myPassword
    ansible_port=5985
    ansible_connection=winrm
    ansible_winrm_scheme=http
    ansible_winrm_server_cert_validation=ignore
    ansible_winrm_transport=basic


when I execute :
   
   $ ansible windowsTest -i inv.ini -m win_ping

I get this error:

192.168.1.2 |Unreachable! => {
   "changed": false,
   "msg": "basic: the specified credentials were rejected by the server",
   "unreachable": true
}

Any help?

J Hawkesworth

Feb 15, 2017, 6:56:52 AM
to Ansible Project
"the specified credentials were rejected by the server" can often mean the password doesn't match what's expected for the user name.

Are you using a domain login? If so, you'll need to set up the Kerberos support. If not, check the Windows event log to see which user it reckons you are logging in as.

Hope this helps,

Jon

Dag Wieers

Feb 15, 2017, 8:13:43 AM
to Ansible Project
On Tue, 14 Feb 2017, Hmdi Bz wrote:

> when I execute :
>
> $ ansible windowsTest -i inv.ini -m win_ping
>
> I get this error:
>
> 192.168.1.2 |Unreachable! => {
> "changed": false,
> "msg": "basic: the specified credentials were rejected by the server",
> "unreachable": true
> }

Could you run this with -vvvv added?

It may give you some more information as to what is going on.

--
Dag

Trond Hindenes

Feb 16, 2017, 1:14:21 AM
to Ansible Project
Pretty sure that's not a password issue, I think the error text is different.

Is the user a member of administrators?

Hmdi Bz

Feb 16, 2017, 4:50:10 AM
to Ansible Project
Yes, the password is correct, and no, the user is a standard one, not an admin.
Is it necessary to be admin to just use win_ping?

Hmdi Bz

Feb 16, 2017, 5:12:20 AM
to Ansible Project
No, I'm not using a domain login, just a normal user (not an admin); User Account Control is disabled.

Update:
I've tried to win_ping with the admin account and it works; the thing is, I need it to work with just a normal account.

J Hawkesworth

Feb 28, 2017, 9:02:41 AM
to Ansible Project
WinRM is intended for system administration, so using it with a regular, non-administrator user might not have sufficient grants/permissions.

Can you make your local user a local administrator perhaps?

Trond Hindenes

Mar 26, 2017, 5:17:59 PM
to Ansible Project
I think it's possible to tweak the WinRM service to allow non-admin logins, but still, lots of the operations you perform against the server require administrator privileges anyway, so I don't see the point in spending time on it.

Jordan Borean

Mar 26, 2017, 7:02:49 PM
to Ansible Project
You definitely can allow a non-admin account to run through WinRM, but it is definitely not something that is enabled by default and would require some fiddling with the SDDL and endpoint ACLs. This issue has most of the information that is required to add a non-admin: https://github.com/ansible/ansible/issues/16478. Trond is right though, usually you require admin privileges to do anything in Windows, like install applications or change config, so I don't see there being a large case for this in Ansible. Happy to be proven otherwise though.

Trond Hindenes

Mar 27, 2017, 5:15:31 PM
to Ansible Project
More interesting would be to use restricted endpoints, which let you execute stuff as a different user from the one you're logging in with. That way you'd have one credential that would actually do all the things, and another credential to connect with. Unsure whether pywinrm supports it - maybe Matt would know?

nhs...@gmail.com

Jul 16, 2018, 3:52:10 PM
to Ansible Project
Hello Hmdi,

Did you solve this problem? I had the same error message as you. I set up a local service account on a Windows server and I can't ping that server using win_ping. Does that user have to be part of the administration group or the standard group?

Thanks!

Karoly VEGH

Sep 11, 2018, 7:12:50 AM
to Ansible Project
On Tuesday, February 14, 2017 at 7:20:28 PM UTC+1, Hmdi Bz wrote:

> winrm set winrm/config/service/auth '@{Basic="true"}'
> winrm set winrm/config/service '@{AllowUnencrypted="true"}'

I can't thank you enough for the AllowUnencrypted="true" part.
This was the last drop to get my config working.

If you're ever in Vienna/Austria, you're in for a coffee.

 
wbr, 

charlie 
 
-- 
Karoly "Charlie" VEGH

Jordan Borean

Sep 11, 2018, 4:05:51 PM
to Ansible Project
I can't stress this enough, do not set AllowUnencrypted="true" on your Windows hosts. This may have been needed a few years ago, but today you can easily set up an HTTPS listener with a self-signed certificate or use message encryption with NTLM, Kerberos or CredSSP authentication. If you do set this then you could be paying more than just the price of a coffee once a hacker has seen all the WinRM communication in plaintext.

Thanks

Jordan
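The client-side half of the advice above can be checked mechanically. The following is an added example, not code from any poster or from the Ansible project: a small audit of an INI inventory that flags WinRM groups using plain HTTP without a message-encrypting transport. The function name `audit_winrm_vars` and the `ENCRYPTED` variant are hypothetical; `WEAK` is the inventory from the first post.

```python
import configparser

# Inventory from the original post; the credentials are the post's placeholders.
WEAK = """\
[windowsTest]
192.168.1.2
[windowsTest:vars]
ansible_username=myUsername
ansible_password=myPassword
ansible_port=5985
ansible_connection=winrm
ansible_winrm_scheme=http
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=basic
"""

# Constructed counterpart: same host over HTTP, but NTLM so messages are encrypted.
ENCRYPTED = WEAK.replace("transport=basic", "transport=ntlm")

# Transports that provide WinRM message encryption over plain HTTP.
ENCRYPTING = {"ntlm", "kerberos", "credssp"}

def audit_winrm_vars(inventory_text):
    """Return [(group, finding)] for WinRM groups whose traffic would be cleartext."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep variable names case-sensitive
    cp.read_string(inventory_text)
    findings = []
    for section in cp.sections():
        if not section.endswith(":vars"):
            continue
        v = {k: (val or "").strip().lower() for k, val in cp[section].items()}
        if v.get("ansible_connection") != "winrm":
            continue
        # Ansible assumes https unless the port is 5985.
        default = "http" if v.get("ansible_port") == "5985" else "https"
        if v.get("ansible_winrm_scheme", default) != "http":
            continue
        names = v.get("ansible_winrm_transport", "").split(",")
        transports = [t.strip() for t in names if t.strip()]
        weak = [t for t in transports if t not in ENCRYPTING]
        group = section[: -len(":vars")]
        if not transports or weak:
            detail = ",".join(weak) or "default"
            findings.append((group, "http with non-encrypting transport: " + detail))
        elif v.get("ansible_winrm_message_encryption") == "never":
            findings.append((group, "http with message encryption disabled"))
    return findings
```

This only inspects the inventory; the `AllowUnencrypted` value on the Windows host is a separate, server-side setting.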

Karoly VEGH

Sep 11, 2018, 7:11:15 PM
to Ansible Project

On Tuesday, September 11, 2018 at 10:05:51 PM UTC+2, Jordan Borean wrote:
> I can't stress this enough, do not set AllowUnencrypted="true" on your Windows hosts. This may have been needed a few years ago, but today you can easily set up an HTTPS listener with a self-signed certificate or use message encryption with NTLM, Kerberos or CredSSP authentication. If you do set this then you could be paying more than just the price of a coffee once a hacker has seen all the WinRM communication in plaintext.

I completely agree.
Yet, this was only a demo environment and this was the easiest way to get the damn WinRM working from Ansible - of course it is not an option for production.

wbr,

charlie

Mike V

Mar 13, 2019, 12:55:51 PM
to Ansible Project
Thank you for this thread! I also had to change the network profile to private, then run the winrm set command.

Aviya Singh

Jun 17, 2019, 10:02:59 AM
to Ansible Project
Hi,

I have tried the below activity and still I am getting the same error.

Any Help?