ssl: the specified credentials were rejected by the server


Ratheessh AV

Jan 7, 2019, 5:31:46 PM
to Ansible Project

Hi,


I am trying to connect to a Windows host using the win_ping module. I have also enabled Basic and Allowencrypted True on the Windows hosts. But I am still getting the error "ssl: the specified credentials were rejected by the server" when trying with the local user, which is in the Administrator group. We are able to log in to the Windows host successfully with the same username and password that I am giving in group_vars/windows.yml.


ansible windows -m win_ping

testvm | UNREACHABLE! => {
"changed": false,
"msg": "ssl: the specified credentials were rejected by the server",
"unreachable": true
}

Jordan Borean

Jan 8, 2019, 3:33:43 PM
to Ansible Project
There are multiple reasons why Windows will reject the credentials from Ansible, which could be:

  • The user is not part of the local administrator group
    • As per your post this doesn't seem to be the case
  • You are running over http and basic auth doesn't support message encryption
    • As per your post you have set Allowunencrypted=true so this shouldn't be the case
  • Basic auth is disabled
    • Once again it looks like you have enabled it
  • You have not configured the LocalAccountTokenFilterPolicy to the value of 1
My bet is the last one; you can find out more info for this at https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows. Also, our ConfigureRemotingForAnsible.ps1 (https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1) handles this for you; make sure you have a copy of the latest version if you are using this script.

On a side note, you should not be setting Allowunencrypted=true as this opens a big security hole for WinRM and it isn't required for Ansible.

Thanks

Jordan

Tony Wong

Apr 25, 2020, 2:32:08 PM
to Ansible Project
I am getting the same issue. I cannot allow unencrypted WinRM as that's set up by GPO.

This is from my Windows client:




PS C:\scripts> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = false [Source="GPO"]
            Digest = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false [Source="GPO"]
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false [Source="GPO"]
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter = * [Source="GPO"]
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

David Foley

Apr 25, 2020, 4:30:26 PM
to Ansible Project
It's best to move to an agent-based configuration management tool such as SaltStack for Windows if your machines are being managed by GPO, which is preventing Ansible from connecting.
Or else configure everything before the machine joins the domain.

Jordan Borean

Apr 25, 2020, 6:28:32 PM
to Ansible Project
Your WinRM service has been set to reject Basic auth. You need to change the auth to something like kerberos (for domain auth) or ntlm using the ansible_winrm_transport var.
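
Added example (not part of the original post and not Ansible project code): a Python parser for the `winrm get winrm/config` output shown earlier in this thread, reporting which `ansible_winrm_transport` values the WinRM service accepts and which rejected ones are pinned by GPO. The mapping of Negotiate to `ntlm`, the function names and the trimmed sample text are assumptions made for this example.

```python
import re
# Constructed sample, trimmed to the layout of the `winrm get winrm/config` output.
SAMPLE = """\
Config
    Client
        Auth
            Basic = false [Source="GPO"]
    Service
        AllowUnencrypted = false [Source="GPO"]
        Auth
            Basic = false [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false [Source="GPO"]
"""

# Assumed mapping of WinRM service Auth keys to ansible_winrm_transport values.
TRANSPORTS = {"Basic": "basic", "Kerberos": "kerberos", "Negotiate": "ntlm",
              "Certificate": "certificate", "CredSSP": "credssp"}
LINE = re.compile(r'^(\s*)(\S+)(?:\s*=\s*(.*?))?\s*(\[Source="GPO"\])?\s*$')

def parse_winrm_config(text):
    """Return {dotted.path: (value, set_by_gpo)} from the indented output."""
    settings, stack = {}, []  # stack holds (indent, section name) pairs
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and the PS prompt line do not match
        indent, key, value, gpo = len(m.group(1)), m.group(2), m.group(3), m.group(4)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that are not parents of this line
        if value is None:
            stack.append((indent, key))  # section header, e.g. "Service"
        else:
            path = ".".join([name for _, name in stack] + [key])
            settings[path] = (value, gpo is not None)
    return settings

def service_auth_report(settings):
    """Split service auth methods into (accepted, rejected_and_gpo_locked)."""
    accepted, locked = [], []
    for key, transport in TRANSPORTS.items():
        value, gpo = settings.get("Config.Service.Auth." + key, ("false", False))
        if value == "true":
            accepted.append(transport)
        elif gpo:
            locked.append(transport)
    return accepted, locked
```

Only the Service section decides what the host accepts from Ansible; the Client section describes outbound connections from that machine, which is why the parser keeps the two paths separate.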

Tony Wong

May 13, 2020, 11:44:31 AM
to ansible...@googlegroups.com
Thanks, I changed the auth to ntlm and it works now.

Another question: how do I use a domain account instead of a local administrator?

On Sat, Apr 25, 2020 at 3:28 PM Jordan Borean <jbor...@gmail.com> wrote:
Your WinRM service has been set to reject Basic auth. You need to change the auth to something like kerberos (for domain auth) or ntlm using the ansible_winrm_transport var.


Jordan Borean

May 14, 2020, 5:07:09 PM
to Ansible Project
Just change the username and password to that domain account. Typically the user is either in the Netlogon 'DOMAIN\user' form or the UPN 'us...@DOMAIN.COM' form. The latter is preferred as it's what is required for Kerberos auth which should be used for domain logons.