Query on connecting remote windows servers from powershell server via ansible.

[Rajesh N]

Dear All,

        I have an query/issue.

From my windows powershell server i am able to execute powershell scripts on remote windows machines on same domain without asking for password using the domain account.

If i try the same thing via ansible, i get an error. 

Executing just Invoke-command -computer <computer> -ScriptBlock {Get-Service} 

or

New-PSSession -ComputerName <computer>

Enter-PSSession -ComputerName <computer>

Get-Service

Invoke-command -computer <computer> -ScriptBlock {Get-Service}

exit

 

doesn't work. Get error saying "A specified logon session does not \r\nexist. It may already have been terminated"

win_ping and kerberos works fine. I have used the same domain user to connect to the powershell server in windows.yml file.

kindly advise.

Regards,

Rajesh

[J Hawkesworth]

 Hi Rajesh,

You are hitting what is known as the 'second hop' problem.

Ansible -> Windows host A win_ping   (ok only 2 machines involved)

Windows Host A -> invoke command Windows Host B  (ok, again only 2 machines involved)

Ansible -> Windows Host A -> invoke command Windows Host B  (disallowed because of second hop to 3rd machine)

Fortunately since you have a domain set up you can use delegation to allow this.

Just set the following in your windows group vars (needs pywinrm 0.2.0 or later)

ansible_winrm_kerberos_delegation: yes

Hope this ehlps,,

Jon

[Rajesh N]

Hi Jon,

    I had a demo in 4 hours to showcase ansible and your reply below saved my day.

Thank you so much.

Any way to give you points???

Regards,

Rajesh

[Rajat Bhasin]