WinRM 401 Invalid Response connecting to Windows 2016 CIS Hardened Image


Sumit Agarwal

Jul 22, 2018, 7:56:57 AM
to Packer
I am getting the 401 Invalid Response connecting to a Windows 2016 CIS Hardened Image.
I am providing a user_data for the bootup process that works with Chef's test kitchen and connects on HTTP with 
* Basic Auth - set to false
* AllowUnencrypted - set to false

$c = New-SelfSignedCertificate -DnsName "<IP or host name>" -CertStoreLocation cert:\LocalMachine\My
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"<IP or host name>`";CertificateThumbprint=`"$($c.ThumbPrint)`"}"

and I still get Invalid Response

Snippet of packer json

    "communicator": "winrm",
    "winrm_username": "Administrator",
    "winrm_use_ntlm": true,
    "winrm_insecure": true,
    "winrm_use_ssl": true,

Any help on how I can debug it will be greatly appreciated.

Rickard von Essen

Jul 22, 2018, 8:00:46 AM
to packe...@googlegroups.com

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/bb2174f6-1757-4db3-9225-a7cc80fe52c0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sumit Agarwal

Jul 22, 2018, 4:54:27 PM
to Packer
Thanks Richard for pointing me back to the thread, I posted a new one as the title was 2012.
In the end the changes I need to make in the userdata were mentioned on the github ticket and I needed to include the steps for starting the https listener.

Extra entries in addition to userdata that works for chef test kitchen

# LmCompatibilityLevel 2 = "Send NTLM response only"
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -Value 2 -Type DWord -Force
# NTLMMinServerSec 536870912 (0x20000000) = require 128-bit encryption
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name 'NTLMMinServerSec' -Value 536870912 -Type DWord -Force
# Self-signed certificate for the instance's IPv4 address, bound to a WinRM HTTPS listener
$c = New-SelfSignedCertificate -DnsName "$(((gip).IPv4Address).IPAddress)" -CertStoreLocation cert:\LocalMachine\My
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$(((gip).IPv4Address).IPAddress)`";CertificateThumbprint=`"$($c.ThumbPrint)`"}"
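
The two registry values set in the post above decide which NTLM variants the host accepts. The following added example (not part of the original post, and not Packer or CIS code) reads and decodes them and can put them back. The baseline numbers are an assumption taken from the CIS Windows Server 2016 recommendations ("Send NTLMv2 response only. Refuse LM & NTLM" and "Require NTLMv2 session security, Require 128-bit encryption"), and the function names are hypothetical.

```powershell
# Added example. The baseline values are an assumption (CIS Windows Server 2016
# recommendations), not something stated in this thread.
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @{ LmCompatibilityLevel = 5; NTLMMinServerSec = 0x20080000 }

# Meaning of LmCompatibilityLevel 0..5, indexed by value.
$LmLevels = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM, use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only, refuse LM',
    'Send NTLMv2 response only, refuse LM & NTLM'
)

function Get-NtlmPosture {
    # Read the two values the thread changes; a missing value comes back as $null.
    $lm  = (Get-ItemProperty -Path $Lsa -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $sec = (Get-ItemProperty -Path "$Lsa\MSV1_0" -ErrorAction SilentlyContinue).NTLMMinServerSec
    [pscustomobject]@{
        LmCompatibilityLevel = $lm
        LmMeaning            = $(if ($null -ne $lm) { $LmLevels[$lm] } else { 'not set (OS default)' })
        NTLMMinServerSec     = $sec
        RequireNtlmV2Session = [bool]($sec -band 0x00080000)   # 524288
        Require128Bit        = [bool]($sec -band 0x20000000)   # 536870912
        MatchesBaseline      = ($lm -eq $Baseline.LmCompatibilityLevel) -and
                               ($sec -eq $Baseline.NTLMMinServerSec)
    }
}

function Restore-NtlmBaseline {
    # Write the hardened values back; call this as the last action of the build.
    Set-ItemProperty -Path $Lsa -Name 'LmCompatibilityLevel' `
        -Value $Baseline.LmCompatibilityLevel -Type DWord -Force
    Set-ItemProperty -Path "$Lsa\MSV1_0" -Name 'NTLMMinServerSec' `
        -Value $Baseline.NTLMMinServerSec -Type DWord -Force
}

# Report the current state and the WinRM listeners that exist on the host.
Get-NtlmPosture | Format-List
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
```

With the values from the post, the report shows level 2 with only the 128-bit flag set and MatchesBaseline false, so an image captured in that state ships with the relaxed NTLM settings unless Restore-NtlmBaseline runs before capture.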

John Roh

Jul 23, 2018, 12:24:42 AM
to packe...@googlegroups.com
Hi Sumit or Richard, 

Thanks for starting the topic; this is so much frustration on my end that the script worked about 1 month using packer v1.2.3. However, it's failing with the same error message, WinRM connection err: http response error: 401 - invalid content type.

I did follow what Serge suggested at the other forum and what Sumit suggested. I see that my packer box created the self-signed cert based on the aws ec2 private ip addresses.

I confirmed the test of the WinRM port 5986 as below.

Test-netconnection << private IP address >> -port 5986


ComputerName     : 10.129.xxx.xxx
RemoteAddress    : 10.129.xxx.xxx
RemotePort       : 5986
InterfaceAlias   : 
SourceAddress    : 
TcpTestSucceeded : True

Or ran the below script to check 

$ipAddress = '10.129.xxx.xxx'
$password = 'xxxxxxx'

$splatParams = @{
    ComputerName = $ipAddress
    Authentication = 'Negotiate'
    UseSSL = $true
    Port = 5986
    SessionOption = (New-PSSessionOption -SkipCACheck -SkipCNCheck)
    Credential = [PSCredential]::new(
        'Administrator',
        (ConvertTo-SecureString -String $password -AsPlainText -Force)
    )
    ScriptBlock = {$env:COMPUTERNAME}
}

Invoke-Command @splatParams

which returns the packer box machine hostname correctly.

I'm still not able to resolve this issue though....is there anything you can think of? Packer version I'm currently using is v1.2.3 and v1.2.5 and both didn't work.

Also, I have checked with netstat -an 2 | findstr 5986 that the connection is established and that the Administrator user got created from the user data.

As I am writing this message, it built fine but, in my second attempt, I'm back to 401, http response error: 401 - invalid content type, error again.

John.


John Roh

Jul 24, 2018, 7:06:40 PM
to Packer
Omg, my situation is now resolved after a few days of struggling without knowing what the root cause was. 

Thanks,

John.

Richard Bolhofer

Jul 19, 2019, 12:54:21 PM
to Packer
Hi,

I'm having a similar issue to you guys when attempting to use the Windows 2016 CIS Benchmark Level 1 AMI.  I get the following error message when using the "windows-restart" provisioner:

Communication connection err: http response error: 401 - invalid content type

Which then eventually times out in Packer.  Interestingly enough, I get this same message when Packer first connects to the instance but then after a retry it succeeds.

Do you guys have any insight or fixes that you've discovered on this?

Thanks!,
Richard