"msg": "ssl: the specified credentials were rejected by the server"


Paul Briery

Sep 13, 2022, 4:05:49 PM
to Ansible Project
I'm trying to understand Ansible better in order to use it in my company's production environment. In order to test and understand, I've set up 2 VMs with Server 2019 and am using a Windows 2010 system with WSL enabled and Ubuntu 22.04. There is no domain set up in this configuration and I don't want to set one up. I do not want to use basic transport, so I have created a cert to use. Basically, I've followed these steps and had success before. A week ago I decided that I was going to try retracing my steps and see if I could duplicate the results again. Sadly, I have had no such luck. I get the following error when I try running a straight-up ansible command or using a playbook:
192.168.4.70 | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
Obviously, I'm missing something that I had not before and I'm at my wit's end. The fixes I've seen posted are to use ntlm/Kerberos or enable basic. I'm not wanting to do either of these. I'm not sure about my cert. In this article it states "If you have more than one local computer account server certificate installed, confirm the Certificate Thumbprint displayed by Winrm enumerate winrm/config/listener is the same Thumbprint on the Details tab of the certificate." In the steps I followed I have 2 thumbprints: 1 for the server and 1 from the ansible host.



$serverCert
Thumbprint                                Subject                                                                                    
----------                                -------                                                                                    
65F93B914048C98A567C71B1F7831F9873C283DB  CN=WIN-C3EQOG6836M  

$ansibleCert
Thumbprint                                Subject                                                                                    
----------                                -------                                                                                    
65D2499EB375E0B7064596D20AB096E21A184C69  CN=ansible   

From details tab in Cert MMC
Trusted Root Certification Authorities/ansible & Trusted People
65d2499eb375e0b7064596d20ab096e21a184c69

PS C:\Users\Administrator> Winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.4.70, ::1, fd5e:d04:f269:1:6014:e42c:ba33:80ab, fe80::6014:e42c:ba33:80ab%6

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = WIN-C3EQOG6836M
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 65F93B914048C98A567C71B1F7831F9873C283DB
    ListeningOn = 127.0.0.1, 192.168.4.70, ::1, fd5e:d04:f269:1:6014:e42c:ba33:80ab, fe80::6014:e42c:ba33:80ab%6

Should the thumbprint be the cert for the server or for the ansible user?

Here is my winrm/config:
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

Also my ansible Inventory file:
[windows]
192.168.4.70
192.168.4.71

[windows:vars]
ansible_user=ansible
ansible_password=Password1!
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986





Paul Briery

Sep 15, 2022, 10:16:29 AM
to Ansible Project
Due to a time crunch, and because this is just for testing and my own edification, I enabled basic auth and it's working now. I want to understand better why I wasn't able to leave basic off and rely on the certification.
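
Added example, not part of the original posts and not Ansible's own code: a small check that compares the Service/Auth block from `winrm get winrm/config` with the inventory variables, using inputs constructed from the values shown in the thread. It assumes that, with no ansible_winrm_transport set, a user/password connection on the HTTPS port is attempted as Basic over TLS (the "ssl" in the error message), and that client-certificate auth is selected with ansible_winrm_transport=certificate plus ansible_winrm_cert_pem and ansible_winrm_cert_key_pem; the function names are hypothetical.

```python
# Added diagnostic sketch; inputs below are constructed from values shown in the thread.
SERVICE_CONFIG = """\
    Service
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
            CbtHardeningLevel = Relaxed
"""
INVENTORY = """\
ansible_user=ansible
ansible_password=PLACEHOLDER
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986
"""
# Ansible transport name -> WinRM Service/Auth setting it depends on.
SETTING = {"ssl": "basic", "basic": "basic", "certificate": "certificate",
           "ntlm": "negotiate", "kerberos": "kerberos", "credssp": "credssp"}
CERT_VARS = ("ansible_winrm_cert_pem", "ansible_winrm_cert_key_pem")

def service_auth(text):
    """Parse the Service > Auth booleans out of `winrm get winrm/config` output."""
    stack, auth = [], {}
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                          # left a nested section
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            stack.append((indent, key))          # section header such as "Auth"
        elif [n for _, n in stack][-2:] == ["Service", "Auth"] and value.lower() in ("true", "false"):
            auth[key.lower()] = value.lower() == "true"
    return auth

def diagnose(config_text, inventory_text):
    """Return (auth method the client will attempt, list of findings)."""
    allowed = service_auth(config_text)
    v = dict(l.strip().split("=", 1) for l in inventory_text.splitlines() if "=" in l)
    # Assumption: no ansible_winrm_transport on HTTPS means "ssl" (Basic over TLS).
    transport = v.get("ansible_winrm_transport", "ssl")
    method = SETTING.get(transport, transport)
    findings = []
    if not allowed.get(method, False):
        findings.append(f"client attempts {method}, but Service/Auth {method} is not enabled")
    if transport == "certificate":
        findings += [f"certificate transport needs {k}" for k in CERT_VARS if k not in v]
    elif allowed.get("certificate"):
        findings.append("service accepts certificate auth, but the inventory does not select it")
    return method, findings
```

The check covers only which method the client selects; whether the client certificate is mapped to the local account on the server is outside what the thread shows.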