FAILED => the username/password specified for this server was incorrect

1,199 views

Skip to first unread message

Cory Coager

unread,

Sep 14, 2016, 1:52:12 PM9/14/16

to Ansible Project

The majority of Windows hosts are working correctly. However, I have a couple that are giving me an error "FAILED => the username/password specified for this server was incorrect". The account I'm using to connect is part of the local administrators group. I have run the pre-script on these hosts and the WinRM settings appear to be correct. I checked DNS, there is only one A and PTR record and both are correct.

If I try connecting with PowerShell I see this error:

new-pssession : [<fqdn>] Connecting to remote server <fqdn> failed with the following error
message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos
authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS
transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ new-pssession -computername <fqdn> -sessionoption (new-pssession ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransport
   Exception
    + FullyQualifiedErrorId : -2144108387,PSSessionOpenFailed

Investigating SPN, I see extra entries for http, probably from IIS needing kerberos? Doing some searching online I see people added extra SPN entries for port 5985 and 5986. Then, when connecting using PowerShell used the -IncludePortInSPN PSSessionOption. This allowed me to connect using PowerShell. However, I'm still not able to connect from Ansible. What would be the equivalent fix for Ansible?

Cory Coager

unread,

Sep 29, 2016, 5:25:41 PM9/29/16

to Ansible Project

I was able to resolve the issue:

kerberos: the specified credentials were rejected by the server, ssl: 401 Unauthorized. #17758

Had to make a change to pywinrm code. You also need to add the following option in your vault or via command line:

ansible_winrm_service: HOST

Reply all

Reply to author

Forward

0 new messages