Ansible WinRM Connection 'Connection reset by peer' only when Windows Role ADFS/WAP is Installed and Post Configuration Finished


David Baumann

Jun 21, 2017, 12:29:57 PM
to Ansible Project
Hi, I got a really awkward problem with Ansible (devel).


I have multiple servers and all works fine with WinRM and Kerberos on the Ansible side until I install/configure the following Windows roles on the hosts:

 - Active Directory Federation Services
 - Web Application Proxy

All servers are based on the same VM template.
Connection over WinRM is first with SSL/Basic auth for provisioning, then I switch on the fly to SSL/Kerberos.

Basic ansible_user: username
Kerberos ansible_user: user...@domain.tld

I always get requests.exceptions.ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))

What I found out: if I use the FQDN, it works with both Basic and Kerberos over SSL on the server with ADFS/WAP installed.
With an IP address it only works on servers without ADFS or WAP installed.

More details and debugging output under 

Maybe some of you have run into the same thing with an ADFS/WAP server and could help me diagnose it.

Thanks in advance for your time.

David Baumann(daBONDI@Github)

J Hawkesworth

Jun 23, 2017, 4:05:38 AM
to Ansible Project
My guess would be that something about these Windows server roles causes some kind of reset or restart of some part of the HTTP stack (which WinRM depends on).

I know Kerberos needs DNS to work properly - the hostname is important for Kerberos for reasons I forget, but it needs to be able to go from IP -> hostname and hostname -> IP in order to work fully.

Is it difficult for you to make use of the hostname in your environment?

There are modules now for configuring DNS resolution (https://docs.ansible.com/ansible/win_dns_client_module.html) and also a module for updating DNS: https://docs.ansible.com/ansible/nsupdate_module.html

So you might be able to configure things so you can use hostnames from the start.

Hope this helps,

Jon
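As an added illustration of the two-stage connection David describes (Basic auth against the IP address for provisioning, then Kerberos) combined with Jon's advice to get DNS right and talk to the FQDN from then on, here is an example playbook. It is not David's playbook and not from the thread; every hostname, address, account, vault variable and the per-host `win_role_feature` variable are placeholders, and it assumes an inventory line such as `adfs01.example.tld provision_ip=10.0.0.21` in a `windows_provision` group.

```yaml
# Added example, not from the thread. Placeholders: adfs01.example.tld,
# provision_ip, 10.0.0.10 (domain DNS), vault_* passwords, win_role_feature.
- name: Stage 1 - provision over Basic auth while only the IP address is usable
  hosts: windows_provision
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_scheme: https
    ansible_winrm_transport: basic
    ansible_host: "{{ provision_ip }}"            # raw IP from the inventory, not the name
    ansible_user: localadmin
    ansible_password: "{{ vault_local_password }}"
    ansible_winrm_server_cert_validation: ignore  # template cert is self-signed; validate once a trusted cert is in place
  tasks:
    - name: Point the guest at the domain DNS servers so A and PTR lookups resolve
      win_dns_client:
        adapter_names: '*'
        ipv4_addresses:
          - 10.0.0.10

    - name: Re-register the host for later plays - FQDN as ansible_host, Kerberos transport
      add_host:
        name: "{{ inventory_hostname }}"
        groups: windows_kerberos
        ansible_host: "{{ inventory_hostname }}"  # the FQDN, never provision_ip, from here on
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_scheme: https
        ansible_winrm_transport: kerberos
        ansible_user: "ansible-svc@EXAMPLE.TLD"   # UPN form, as in the original post
        ansible_password: "{{ vault_domain_password }}"
        ansible_winrm_server_cert_validation: ignore
      changed_when: false

- name: Stage 2 - Kerberos against the FQDN, then install the role that touches http.sys
  hosts: windows_kerberos
  tasks:
    - name: Fail early if forward and reverse DNS disagree (Kerberos needs both directions)
      win_shell: |
        $ip  = (Resolve-DnsName -Name '{{ inventory_hostname }}' -Type A).IPAddress
        $ptr = (Resolve-DnsName -Name $ip -Type PTR).NameHost.TrimEnd('.')
        if ($ptr -ne '{{ inventory_hostname }}') {
          throw "PTR '$ptr' does not match the A record for {{ inventory_hostname }}"
        }
      changed_when: false

    - name: Install the role for this host (ADFS-Federation or Web-Application-Proxy per inventory)
      win_feature:
        name: "{{ win_role_feature }}"
        state: present
```

The ordering is the point: the DNS client is fixed and the host is re-registered under its FQDN before any role that reconfigures http.sys is installed, so no later task ever addresses the server by IP. The PTR check is a cheap pre-flight for Jon's "IP -> hostname and hostname -> IP" requirement; it fails the host rather than letting a later Kerberos task fail with a less informative connection error.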

Trond Hindenes

Jun 24, 2017, 5:32:27 AM
to Ansible Project
ADFS/WAP manipulates http.sys, which is the shared process taking care of WinRM, IIS and other HTTP-related calls into the host. I've never tested it, but it kinda makes sense that there are issues there.

David Baumann

Jun 26, 2017, 10:17:29 PM
to Ansible Project
Yeah, I know that it is based on http.sys.

I also checked the http/https bindings over netsh and compared them between a working and a non-working system. Really no clue why this is happening.

I have now put 3 days of work into debugging that; now I am switching to ensuring the DNS records are prefilled prior to the provisioning of the VMs, so the issue doesn't come up...

So it looks like no one is using ADFS with Ansible :-).

But this is not worth any more time to debug, I think...

Dag Wieers

Jun 28, 2017, 4:24:24 AM
to Ansible Project
On Sun, 25 Jun 2017, David Baumann wrote:

> Yeah, I know that it is based on http.sys.
>
> I also checked the http/https bindings over netsh and compared them between a
> working and a non-working system. Really no clue why this is happening.
>
> I have now put 3 days of work into debugging that; now I am switching to ensuring the
> DNS records are prefilled prior to the provisioning of the VMs, so the
> issue doesn't come up...
>
> So it looks like no one is using ADFS with Ansible :-).
>
> But this is not worth any more time to debug, I think...

Just a heads-up, we have a Windows Working Group where things like this
can be discussed with the devs. Either on the #ansible-windows IRC
channel, or during one of the weekly meetings.

You can find more information at:

https://github.com/ansible/community/tree/master/group-windows

We definitely can use more Windows experts like you in the WWG, as the
interest from the community seems to be growing steadily, as are the open
issues and PR numbers :-)

--
Dag