PowerShell remoting (WinRM trust) not working with Active Directory Kerberos Authentication


Dinesh Vashisht

Feb 26, 2018, 10:25:15 AM
to Ansible Project
Hi All,

We are using Ansible Version: 2.4.2.0.

PowerShell remoting (WinRM trust) is not working when using Active Directory, even after establishing a successful Kerberos authentication:

Default principal: autom...@ITRNETWORK.COM

Valid starting       Expires              Service principal
02/26/2018 09:23:25  02/26/2018 19:23:25  krbtgt/ITRNETW...@ITRNETWORK.COM
        renew until 03/05/2018 09:23:19
[root@calam1 group_vars]#

Following are test results:

[root@calam1 group_vars]# ansible windows-jump-servers -m win_ping
pcijmp1.itrnetwork.com | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}

Contents of file /etc/ansible/group_vars/windows-jump-servers.yml:

ansible_user: automation
ansible_password: <my_password>
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: ignore

It works OK with a local user on the same domain-joined Windows server.

Can someone help to verify the cause and advise how to resolve this?

Thank you,
Dinesh Vashisht

J Hawkesworth

Feb 26, 2018, 10:43:12 AM
to Ansible Project
Try using

ansible_user: automation@ITRNETWORK.COM

as the user name. Without this, Ansible will expect 'automation' to be a local user, not a domain user.

Also, if you want to control remote resources (file shares on other machines) via Ansible and a Windows jump host, it's worth setting

ansible_winrm_kerberos_delegation: yes

... as well.

If you are just getting started with ansible and windows, this page is well worth reading: http://docs.ansible.com/ansible/devel/user_guide/windows_usage.html

Hope this helps,

Jon
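
As an added example (not code from this thread or from Ansible itself), a small Python lint that parses a flat group_vars file like the one posted above and flags the pitfalls this thread turns on: a domain user written without its @REALM suffix, plus the certificate-validation and delegation settings a defender would want to review before trusting the jump host. The two sample files, the helper names and the finding texts are constructed here; the ansible_* variable names and the value `validate` are Ansible's real ones.

```python
import re
from typing import Dict, List

# Constructed sample: the thread's original group_vars (password line omitted).
ORIGINAL_VARS = """\
ansible_user: automation
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: ignore
"""

# Constructed: the same file after the thread's fix (user@REALM) plus the hardening flagged below.
FIXED_VARS = """\
ansible_user: automation@ITRNETWORK.COM
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: validate
"""

UPN_RE = re.compile(r"^[^@\s]+@[A-Z0-9][A-Z0-9.\-]*$")  # user@UPPER.CASE.REALM

def parse_flat_vars(text: str) -> Dict[str, str]:
    """Parse flat 'key: value' lines (all this file needs; nested YAML is not handled)."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            result[key.strip()] = value.strip()
    return result

def lint_winrm_vars(v: Dict[str, str]) -> List[str]:
    """Return 'LEVEL: message' findings; an empty list means nothing to flag."""
    out: List[str] = []
    user = v.get("ansible_user", "")
    if "@" not in user:
        out.append("ERROR: ansible_user lacks @REALM; Ansible expects a local account, not a domain principal")
    elif not UPN_RE.match(user):
        out.append("WARN: write the Kerberos realm in upper case (user@REALM.COM)")
    elif v.get("ansible_winrm_transport") != "kerberos":
        out.append("INFO: pin ansible_winrm_transport: kerberos so auth cannot fall back to a weaker method")
    if v.get("ansible_winrm_server_cert_validation") == "ignore":
        out.append("WARN: server certificate validation disabled (MITM risk); trust the CA and set validate")
    if v.get("ansible_winrm_kerberos_delegation", "").lower() in ("yes", "true"):
        out.append("INFO: delegation forwards the account's TGT to the jump host, which can then act as that account elsewhere; keep its rights minimal")
    return out
```

Running `lint_winrm_vars(parse_flat_vars(ORIGINAL_VARS))` reports the missing realm and the disabled certificate check; the fixed file returns no findings.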

Dinesh Vashisht

Feb 26, 2018, 11:48:22 AM
to ansible...@googlegroups.com
Thank you Jon,

Your advice worked:

pcijmp1.itrnetwork.com | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Regards,
Dinesh Vashisht
