Cannot connect to WindowsServer from Centos7 ProxyError

[Aleksander Lipka]

Hi 
I am trying to connect to Windows Server 2012 from my ansible server (Centos7).
Let's assume its host is x and port is y 
I managed to connect to other linux based servers but I cannot connect to the windows one. 
I followed the tutorial here: http://docs.ansible.com/ansible/latest/intro_windows.html and after all setups and configurations I get the following error:

root@localhost: ansible# ansible windows -i hosts -m win_ping --ask-vault-pass
Vault password:
WindowsServer | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: HTTPSConnectionPool(host='x', port=y): Max retries exceeded with url: /wsman (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 403 Forbidden',)))",

This is my group_vars/windows.yml file:

# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml

ansible_user: Administrator
ansible_password: password
ansible_port: y
ansible_connection: winrm

This is my hosts file snippet:

[windows]
WindowsServer ansible_host=x

I did configure windows server with this file: ConfigureRemotingForAnsible.ps1

Please help, I have no idea what to do to make the connection work.

I also asked this question here: https://stackoverflow.com/questions/45716102/ansible-cannot-connect-to-windowsserver-from-centos7

[Mike Fennemore]

A few extra group_vars:
ansible_winrm_server_cert_validation: false and ansible_port should be a port number not y. It should be 5985 or 5986. You could also use ntlm by adding ansible_winrm_transport:ntlm

[Aleksander Lipka]

I know port shouldn't be y, I just assumed in the example that it's y.

Anyway I added ansible_winrm_server_cert_validation: ignore and ansible_winrm_transport: ntlm and still didn't work.

However I tried the second port you mentioned: 5985 (I use 5986 as default) and the playbook stopped at gathering facts for longer than usual and returned a different error:

fatal: [WindowsServer]: UNREACHABLE! => 
{"changed": false, "msg": "ntlm: HTTPConnectionPool(host='161.90.234.10', port=8080): 
Read timed out. (read timeout=30)", "unreachable": true}

The IP and the port that you see in the error is actually the proxy that is set in IE in my WindowsServer2012 R2.

Still the connection was rejected, why?

[J Hawkesworth]

Please can you try exporting

HTTP_PROXY

or

HTTPS_PROXY

environment variables before running ansible?

I *think* this will let ansible (actually requests via pywinrm) know that you are using a proxy.

Hope this helps,

Jon

[Aleksander Lipka]

How do I export them?

When I echo them, I can see:

root@localhost@localdomain: ansible# echo $http_proxy

http://161.90.234.10:8080

root@localhost@localdomain: ansible# echo $https_proxy

https://161.90.234.10:8080

[Mike Klebolt]

Hi Aleksander,

Try adding no_proxy=<server IP> to your ~/.bashrc and reload it.  If you will be working with many windows servers in the future, a more permanent solution that worked for me is the following...

1. Locate transport.py that comes with pywinrm

2. modify the following line session.trust_env to make it false.

125         # configure proxies from HTTP/HTTPS_PROXY envvars

126 #        session.trust_env = True

127         session.trust_env = False

3.  pywinrm will no longer check your local env for a proxy.

[Aleksander Lipka]

Thanks a lot Mike!!

Your suggestion works, 

the .bashrc shortcut didn't work, but then I changed session.trust_env = True to False in transport.py and ansible made the connection.

[J Hawkesworth]

Ah sorry I had misunderstood, so you wanted _not_ to use your http proxy to connect to winrm.

I am wondeing if, instead of modifying pywinrm's transport.py you could get it to work by unsetting

unset HTTP_PROXY

unset HTTPS_PROXY

in your ./bashrc (or before running ansible)?

This might be preferable otherwise you would have to make the change again if pywinrm gets upgraded.

Jon

[Mike Klebolt]

Unsetting it is a possibility or finding where the proxy is getting set in your profile in the first place and removing it from there.  I previously attempted to have a task to unset the proxy during each run but it didn't work.  Turns out ansible uses whatever environment that it initially starts with.  

In my situation, we had multiple users running ansible against windows servers.  That's why I found it best to just change the transport.py.

https://groups.google.com/forum/#!searchin/ansible-project/klebolt%7Csort:relevance/ansible-project/iIsAbZTBubI/duAuT_jKBAAJ