Ansible client host in windows 2016 server

Tharindu Weerakoon

Dec 11, 2018, 5:05:03 AM
to Ansible Project
Dears,

Does anyone have a recommended document or link for configuring Ansible on Windows 2016 with a self-signed cert?

Tharindu

Dick Visser

Dec 11, 2018, 7:32:05 AM
to ansible...@googlegroups.com
On Tue, 11 Dec 2018 at 11:05, Tharindu Weerakoon <thari...@gmail.com> wrote:
>
> Dears,
>
> Does anyone have a recommended document or link for configuring Ansible on Windows 2016 with a self-signed cert?

I'm not sure what you mean by "client host" in the subject of the message.
If you mean you want to use Windows as the control machine, then it's
easy, that is not supported:
https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#control-machine-requirements

If you plan to manage Windows systems, then this is possible:
https://docs.ansible.com/ansible/latest/user_guide/windows.html

Dick

Tharindu Weerakoon

Dec 11, 2018, 7:38:28 AM
to ansible...@googlegroups.com
Hi Dick,

Really, I need to configure a Windows 2016 machine as an Ansible client. I want to configure my CentOS machine, which has Ansible installed, to communicate with a Windows 2016 server. I have seen that there are several ways to configure this. I prefer to do it via CredSSP. Do you have any documentation guide?

Tharindu

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAL8fbwPYZkK7FLsdBt5GfotN%2BNngVU3FUyfburtuWr1NsFN5Kg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Dick Visser

Dec 11, 2018, 8:17:02 AM
to ansible...@googlegroups.com
On Tue, 11 Dec 2018 at 13:39, Tharindu Weerakoon <thari...@gmail.com> wrote:
>
> Hi Dick,
>
> Really, I need to configure a Windows 2016 machine as an Ansible client. I want to configure my CentOS machine, which has Ansible installed, to communicate with a Windows 2016 server. I have seen that there are several ways to configure this. I prefer to do it via CredSSP. Do you have any documentation guide?

As I said there is no such thing as an "ansible client", this is
called the "control machine".
But, from the parts that I do understand of your message, you want to
manage Windows systems - in which case the same links are still valid.

Dick

Tharindu Weerakoon

Dec 11, 2018, 8:22:22 AM
to ansible...@googlegroups.com
Hi Dick,

Yes, you are correct. But I failed to configure WinRM on the Windows 2016 server. The given links are a little bit confusing to me. Can you provide a step-by-step document if you have one?

Tharindu

Michael Cruz

Dec 11, 2018, 9:00:28 AM
to Ansible Project
I just finished going through this and the documentation is pretty good. Definitely read through the links Dick sent.
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html

I recommend reading the script; it's from the Ansible site. This will get you a base setup for a lab to get you started. Long term you will need to do a little more. One thing about CredSSP, if you are using it: even with a certificate, only the traffic is covered by the SSL; the username and password are sent as clear text. In the Security event log of your Windows client you will see event ID 4624 with LogonTypeName set to 8 - NetworkClearText.

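# $url is not defined in the post as captured; set it to the download URL of
# ConfigureRemotingForAnsible.ps1 before running.
$url = "<URL of ConfigureRemotingForAnsible.ps1>"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"

# Download the script, clear the "downloaded from the internet" mark, then run it
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

Unblock-File $file
cd $env:temp
.\ConfigureRemotingForAnsible.ps1 -Verbose -EnableCredSSP -DisableBasicAuth -SubjectName "ansible" -CertValidityDays $(365 * 2) | Out-Null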

Mike
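
An added example (not part of any post in this thread, and not Ansible's own code): one way to list the event ID 4624 records with logon type 8 (NetworkCleartext) mentioned above, so you can see which accounts and source addresses sent a clear-text credential to the managed host. The function name `Get-CleartextLogon` is hypothetical, and the host name, accounts and addresses in the sample events are constructed.

```powershell
# Parse 4624 event XML and keep only LogonType 8 (NetworkCleartext) logons.
function Get-CleartextLogon {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System['EventID'].InnerText -ne '4624') { return }
        # Flatten <Data Name="...">value</Data> into a lookup table
        $data = @{}
        foreach ($d in $evt.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        if ($data['LogonType'] -ne '8') { return }
        [pscustomobject]@{
            Time     = $evt.System['TimeCreated'].GetAttribute('SystemTime')
            Computer = $evt.System['Computer'].InnerText
            User     = $data['TargetUserName']
            Source   = $data['IpAddress']
            Package  = $data['AuthenticationPackageName']
        }
    }
}

# Constructed sample events (not real log data): one type 8, one type 3
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="{0}"/>
    <Computer>win2016.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="LogonType">{2}</Data>
    <Data Name="AuthenticationPackageName">{3}</Data>
    <Data Name="IpAddress">{4}</Data>
  </EventData>
</Event>
'@
$sample = @(
    ($template -f '2018-12-11T14:00:28Z', 'ansible_svc', '8', 'Negotiate', '192.0.2.10'),
    ($template -f '2018-12-11T14:05:00Z', 'jdoe', '3', 'Kerberos', '192.0.2.20')
)
# Only the ansible_svc row (LogonType 8) is returned
$sample | Get-CleartextLogon | Format-Table

# On the managed host, from an elevated session, feed real events instead:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 |
#     ForEach-Object { $_.ToXml() } | Get-CleartextLogon
```

Logon type 8 is also recorded for other clear-text logons such as HTTP Basic authentication, so check the source address and account against your Ansible control machine before attributing an entry to CredSSP.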

Jordan Borean

Dec 11, 2018, 5:39:58 PM
to Ansible Project
> Even with a certificate only the traffic is covered by the ssl the UserName and Password are sent as clear text

Just thought I should clarify this a bit more, what "clear text" means in this scenario is that the username and password are sent as they are and not as a hash you typically see with NTLM or Kerberos authentication. The actual data is doubly encrypted/wrapped during the authentication process with

* The wrap method of the underlying auth used, either NTLM (RC4) or Kerberos (AES256), then
* TLS encrypted based on the session setup in CredSSP auth

So yes it is inherently more insecure compared to Kerberos, and to an extent NTLM, as the credentials are sent as is but the value is still protected through 2 layers of encryption meaning someone sniffing the network packets won't be able to see it.

Thanks

Jordan