[JIRA] (JENKINS-58856) No Authorization Header for WinRM connection


christoph.niehoff@tngtech.com (JIRA)

Aug 8, 2019, 2:43:02 AM
to jenkinsc...@googlegroups.com
Christoph Niehoff created an issue
 
Jenkins / Bug JENKINS-58856
No Authorization Header for WinRM connection
Issue Type: Bug
Assignee: FABRIZIO MANFREDI
Components: ec2-plugin
Created: 2019-08-08 06:42
Priority: Minor
Reporter: Christoph Niehoff

I am trying to set up a Jenkins with Windows on-demand slaves.

The Windows EC2-Instances are started by the plugin, but the WinRM connection cannot be established. The logs are stuck in a "Waiting for WinRM to come up"-loop.

But I can create a WinRM connection to the instances manually using a Python library. When I compare both (the connection attempt by the EC2 plugin and the connection by the Python tool) I observe the following:

  • the POST-request to /wsman is answered with a 401 by the Windows instance
  • this seems to be the case because the Authorization header is completely missing in the request

Is this a bug in the plugin or am I doing something wrong?


fabrizio.manfredi@gmail.com (JIRA)

Aug 10, 2019, 3:08:02 PM
to jenkinsc...@googlegroups.com
FABRIZIO MANFREDI commented on Bug JENKINS-58856
 
Re: No Authorization Header for WinRM connection

If you are using the generated admin password from AWS, it is supported only from 1.45; pay attention that you have to update the IAM role. If the password is predefined in the AMI, I need to debug.

christoph.niehoff@tngtech.com (JIRA)

Aug 12, 2019, 2:21:03 AM
to jenkinsc...@googlegroups.com

Hi FABRIZIO MANFREDI, thanks for your help!

I am using a custom Windows-Server-2012-AMI that I created using packer.  In this I set a custom admin password using `net user Administrator <password>` in the userdata.  For packer (which is using pywinrm) there is no problem to open a WinRM connection to the instance.

I am using the plugin version 1.44.1.

Is there any other information that you need?

 

All the best

Christoph

raihaan.shouhell@autodesk.com (JIRA)

Sep 1, 2019, 11:27:03 PM
to jenkinsc...@googlegroups.com

Do you have basic authentication enabled?

christoph.niehoff@tngtech.com (JIRA)

Sep 2, 2019, 2:43:02 AM
to jenkinsc...@googlegroups.com

Under Configure System > Cloud > Amazon EC2  I entered the Windows Admin Password. I assume that is what you mean by "basic authentication enabled"? 

raihaan.shouhell@autodesk.com (JIRA)

Sep 2, 2019, 2:45:02 AM
to jenkinsc...@googlegroups.com

christoph.niehoff@tngtech.com (JIRA)

Sep 3, 2019, 2:11:02 AM
to jenkinsc...@googlegroups.com

As said above, WinRM is generally working for the AMI. For example, using pywinrm I can connect to a running instance with username/password.

But it appears that the winrm connection that the EC2 plugin tries to initiate does not work as there is no Authorization Header in the request that goes to the instance.

raihaan.shouhell@autodesk.com (JIRA)

Sep 3, 2019, 2:58:02 AM
to jenkinsc...@googlegroups.com

My question is mostly on how it is configured on the agent as depending on authorization schemes it may not work.

AFAIK Basic Scheme works with the built-in Administrator. I have never tried it with a domain user either so I am unsure if it works.

christoph.niehoff@tngtech.com (JIRA)

Sep 3, 2019, 3:08:02 AM
to jenkinsc...@googlegroups.com

Yes, I use the Administrator as I read that domain users do not work.

Using packer, the following PowerShell script is given to the instance's user_data:

<powershell>

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

net user Administrator {{ user `administrator_password` }}

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"

# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm

</powershell>

christoph.niehoff@tngtech.com (JIRA)

Sep 3, 2019, 3:09:02 AM
to jenkinsc...@googlegroups.com
Christoph Niehoff edited a comment on Bug JENKINS-58856

christoph.niehoff@tngtech.com (JIRA)

Sep 3, 2019, 3:11:02 AM
to jenkinsc...@googlegroups.com
Christoph Niehoff edited a comment on Bug JENKINS-58856

christoph.niehoff@tngtech.com (JIRA)

Sep 3, 2019, 3:11:03 AM
to jenkinsc...@googlegroups.com

raihaan.shouhell@autodesk.com (JIRA)

Sep 3, 2019, 5:50:02 AM
to jenkinsc...@googlegroups.com

For my own I do not have credssp enabled but our user data scripts look identical. My setup does work with that script.

Note group policies override anything you attempt to set on the command line.
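
Added example (not part of the thread and not the ec2-plugin's code): a small Python classifier for the symptom discussed above, a 401 on POST /wsman. It separates a client that sent no Authorization header from one that used a scheme the service did not advertise, and from one whose credentials were rejected. The function names, verdict labels and all sample messages are constructed for illustration.

```python
import base64

def parse_head(raw):
    """Split one HTTP message head into (start_line, [(lowercased name, value)])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return lines[0], headers

def schemes(headers, name):
    """Auth scheme tokens (lowercased) carried by every header called `name`."""
    return [v.split(" ", 1)[0].lower() for n, v in headers if n == name and v]

def diagnose(request, response):
    """Classify one request/response pair; returns (verdict, sent, offered)."""
    _, req_headers = parse_head(request)
    status_line, resp_headers = parse_head(response)
    status = int(status_line.split()[1])
    sent = schemes(req_headers, "authorization")
    offered = schemes(resp_headers, "www-authenticate")
    if status != 401:
        verdict = "not-an-auth-challenge"
    elif not sent:
        verdict = "no-credentials-sent"      # the case reported in this issue
    elif sent[0] not in offered:
        verdict = "scheme-not-offered"       # e.g. Basic disabled on the service
    else:
        verdict = "credentials-rejected"
    return verdict, sent, offered

# Constructed sample messages (not captured from the reporter's environment).
CRED = base64.b64encode(b"Administrator:example-password").decode()
REQ_NO_AUTH = ("POST /wsman HTTP/1.1\r\nHost: 203.0.113.10:5986\r\n"
               "Content-Type: application/soap+xml;charset=UTF-8\r\n\r\n")
REQ_BASIC = REQ_NO_AUTH.replace("\r\n\r\n",
                                "\r\nAuthorization: Basic " + CRED + "\r\n\r\n")
RESP_401_BOTH = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
                 'WWW-Authenticate: Basic realm="WSMAN"\r\n\r\n')
RESP_401_NEGOTIATE_ONLY = ("HTTP/1.1 401 Unauthorized\r\n"
                           "WWW-Authenticate: Negotiate\r\n\r\n")
RESP_200 = "HTTP/1.1 200 OK\r\nContent-Type: application/soap+xml;charset=UTF-8\r\n\r\n"

if __name__ == "__main__":
    for req, resp in [(REQ_NO_AUTH, RESP_401_BOTH), (REQ_BASIC, RESP_401_NEGOTIATE_ONLY),
                      (REQ_BASIC, RESP_401_BOTH), (REQ_BASIC, RESP_200)]:
        print(diagnose(req, resp))
```

A 401 to a first request without credentials is the normal HTTP challenge; it indicates a client-side problem only when no later request from the same client carries an Authorization header.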
