I have set up Windows Remote Management as per the guidelines from below for the certificate:
So this is what I have done:
1. Enabled WinRM using the enableremote.....ps script
2. Enabled certificate use using "Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true"
3. Generated the certificate from Ansible AWX using OpenSSL, following the steps from the link above
4. Copied the .pem and key.pem files from Ansible to the Windows host
5. Imported the .pem file into both Trusted Root and Trusted People of the local machine.
6. Mapped the cert to an account using Windows creds.
My playbook looks like so:
---
- hosts:
    - all
  gather_facts: no
  vars:
    ansible_port: 5986
    #ansible_user: support
    ansible_connection: winrm
    ansible_winrm_transport: certificate
    ansible_winrm_cert_pem: /opt/cust-env/windows/windowscert.pem
    ansible_winrm_cert_key_pem: /opt/cust-env/windows/windowscert_key.pem
    ansible_winrm_server_cert_validation: ignore
  tasks:
    - name: ping
      win_ping:
WinRM config:
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
And lastly, the error I am getting when running the play:
<10.113.7.55> ESTABLISH WINRM CONNECTION FOR USER: root on PORT 5986 TO 10.113.7.55
fatal: [10.113.7.55]: UNREACHABLE! => {
"msg": "certificate: the specified credentials were rejected by the server",
PLAY RECAP *********************************************************************
10.113.7.55 : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
Any help/advice would be appreciated. I am very desperate and have already spent some time on this.
Regards
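A check-and-remap script for the Windows side of the setup described above, as an added example that is not part of the original post or of Ansible's own code. It assumes the client certificate was copied to C:\temp\windowscert.pem and that the account to map is the local user "support" (the commented-out ansible_user); both are assumptions to adjust. The client's private key (key.pem) is only needed on the Ansible side, where the playbook references it; the mapping on Windows needs just the public certificate.

```powershell
# Added example (not from the original post): verify the pieces WinRM
# certificate authentication needs on the Windows host, then (re)create
# the client certificate mapping for a local account.
# Assumed values: the PEM path and the local account name.
$certPath = 'C:\temp\windowscert.pem'   # assumption: where the .pem was copied
$mapUser  = 'support'                   # assumption: local account to map

# 1. Certificate auth must be enabled on the service side.
$certAuth = (Get-Item WSMan:\localhost\Service\Auth\Certificate).Value
"Service\Auth\Certificate = $certAuth"

# 2. Load the PEM and show what a WinRM client cert must carry:
#    an Extended Key Usage of Client Authentication (1.3.6.1.5.5.7.3.2)
#    and a Subject Alternative Name with a UPN otherName
#    (1.3.6.1.4.1.311.20.2.3), e.g. support@localhost for a local account.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
"EKU        : $(if ($eku) { $eku.Format($false) } else { 'MISSING' })"
"SAN        : $(if ($san) { $san.Format($false) } else { 'MISSING' })"

# 3. The same certificate must be present in both LocalMachine stores.
foreach ($store in 'Root', 'TrustedPeople') {
    $found = Get-ChildItem "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    "LocalMachine\$store : $(if ($found) { 'present' } else { 'MISSING' })"
}

# 4. List the existing mappings. For a self-signed client cert the Issuer
#    is the thumbprint of that same cert in Trusted Root, and the Subject
#    must match the UPN carried in the SAN.
Get-ChildItem WSMan:\localhost\ClientCertificate | Format-List Name, Keys

# 5. (Re)create the mapping. The password prompted for here is the local
#    account's password; WinRM stores it and uses it to log the mapped
#    account on when the matching certificate is presented.
$cred = Get-Credential -UserName $mapUser -Message 'Password of the mapped local account'
New-Item -Path WSMan:\localhost\ClientCertificate `
    -Subject "$mapUser@localhost" `
    -URI * `
    -Issuer $cert.Thumbprint `
    -Credential $cred `
    -Force
```

The mapping is what the service uses to turn a presented certificate into a logon, so its Subject, Issuer thumbprint and stored password are the usual things to check when the server reports rejected credentials. Certificate authentication over WinRM maps to local accounts only, and with ansible_winrm_transport set to certificate the account comes from the mapping rather than from ansible_user, which is why the log shows the controller's own user name.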