Windows: kerberos: the specified credentials were rejected by the server


Subhi Andrews

Oct 27, 2018, 12:57:11 AM
to Ansible Project
I am using the following ansible settings:

ansible_user: 'myuser'
ansible_password: 'mypass'
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
ansible_winrm_message_encryption: always
ansible_winrm_kerberos_delegation: true


ansible_user is a domain user that has administrative rights on all the nodes.

Then I run the win_ping command.

 /usr/local/bin/ansible citrix_ch3 -m win_ping
ctx11 | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: the specified credentials were rejected by the server",
    "unreachable": true
}
ctx12 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
ctx13 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
ctx14 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


I get unreachable from just one host.  This is the WinRM config on the machine that's unreachable:


PS C:\> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

Any suggestions or help on how to potentially debug/resolve this problem?

Thank you all,
Subhi.

Jordan Borean

Oct 27, 2018, 8:41:47 AM
to Ansible Project
Make sure the time is synced between the Ansible host, your Windows host, and finally the domain controller. Kerberos is highly dependent on all this being aligned for the authentication to succeed.

Thanks

Jordan
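
One way to run the time check suggested in the reply above, as an added example that is not part of the original thread: a small SNTP client that measures the offset between the Ansible host's clock and a server's clock. It assumes the domain controller (or any host passed on the command line) answers NTP on UDP 123 and uses the default 5-minute Kerberos tolerance, which the thread does not state; all function names are hypothetical.

```python
import socket
import struct
import sys
import time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW = 300          # assumption: default Kerberos clock-skew tolerance (5 min)

def to_ntp(ts):
    """Unix time -> 8-byte NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(ts)
    return struct.pack("!II", whole + NTP_DELTA, int((ts - whole) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_DELTA + frac / 2**32

def build_request(t0):
    """SNTP client packet: LI=0, VN=3, Mode=3, transmit timestamp = t0."""
    return b"\x1b" + bytes(39) + to_ntp(t0)

def constructed_reply(server_time):
    """Constructed sample reply (Mode=4, stratum 2) for offline testing."""
    return b"\x1c\x02" + bytes(30) + to_ntp(server_time) * 2

def offset_from_reply(reply, t0, t3):
    """Server clock minus local clock, in seconds (standard NTP offset)."""
    if len(reply) < 48 or reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable NTP server reply")
    t1, t2 = from_ntp(reply[32:40]), from_ntp(reply[40:48])
    return ((t1 - t0) + (t2 - t3)) / 2

def query_offset(server, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.time()
        s.sendto(build_request(t0), (server, 123))
        reply, _ = s.recvfrom(512)
        t3 = time.time()
    return offset_from_reply(reply, t0, t3)

def skew_ok(offset):
    return abs(offset) <= MAX_SKEW

if __name__ == "__main__":
    for host in sys.argv[1:]:  # e.g. the domain controller's name
        off = query_offset(host)
        print(f"{host}: offset {off:+.3f}s", "OK" if skew_ok(off) else "EXCEEDS SKEW")
```

This only measures the Ansible host against each server it is pointed at; the clock on the failing Windows host itself still has to be compared with the domain controller separately.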
