Ansible connecting to Windows host using pywinrm module over HTTP


sameer khan

Jun 18, 2020, 1:16:55 PM
to Ansible Project
Hello, 

I have an issue connecting to a Windows host using the Kerberos authentication mechanism with WinRM over the HTTP scheme.

As our Windows host has this set to true (Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true),

I get this error message: "msg": "kerberos: the specified credentials were rejected by the server",

But when I set that to false in the Windows host WinRM config (Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false), it works fine.

We don't want it to be unencrypted,

as the session is not being received on the Windows host as encrypted,

and it is rejecting the credentials passed.

This is the config I have in my playbook:

- hosts: all
  gather_facts: false
  vars:
    ansible_user: username
    ansible_winrm_port: 5985
    ansible_winrm_kinit_mode: managed
    ansible_connection: winrm
    ansible_winrm_realm:
    ansible_winrm_transport: kerberos
    ansible_winrm_kinit_cmd: /usr/share/centrifydc/kerberos/bin/kinit
    ansible_winrm_scheme: http
    ansible_winrm_message_encryption: always
  tasks:
    - win_ping:

Output:


Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<postest19.fastenal.com> ESTABLISH WINRM CONNECTION FOR USER: x...@DOMAIN.COM on PORT 5985 TO postest19.fastenal.com
fatal: [abc.domain.com]: UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: the specified credentials were rejected by the server",
    "unreachable": true
}



Any help would be appreciated!!


Jordan Borean

Jun 18, 2020, 7:57:59 PM
to Ansible Project
Setting AllowUnencrypted -Value $true means you are allowing plaintext data to be exchanged, you want it to be AllowUnencrypted -Value $false to make sure encryption is used. Are you getting mixed up with the values here?

sameer khan

Jun 18, 2020, 8:52:50 PM
to Ansible Project
Thanks for that reply, Jordan.

No, I am not confused with respect to that;
however, I want to understand what is the best way possible to encrypt the whole session over the HTTP scheme,
as on the Windows side, if it's not encrypted, it is rejecting the connection with the above error message.
However, I got past that issue by using elevated credentials for the Windows host; now it complains about this error: "msg": "kerberos: Bad HTTP response returned from server. Code 500"

Not sure how it is doing a bad request; could you please enlighten me on this?

Luca 'remix_tj' Lorenzetto

Jun 19, 2020, 2:12:17 AM
to ansible...@googlegroups.com
Hello Sameer,

the winrm over https port is 5986, with a self signed certificate. If
you change port on ansible setting, you'll have the connection
encrypted, if server is enabled to accept ssl connections.

Luca



--
"It is absurd to employ men of excellent intelligence to perform
calculations that could be entrusted to anyone if machines
were used"
Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)

"The Internet is the largest library in the world.
But the problem is that the books are all scattered on the floor"
John Allen Paulos, Mathematician (1945-living)

Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <lorenze...@gmail.com>
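
Added example, not part of the thread and not code from Ansible or pywinrm: a Python check that classifies what protects the WinRM payload for a host's connection variables, covering the HTTP plus Kerberos setup from the original post and the HTTPS port 5986 option from the last reply. The function names, level labels and sample hosts are hypothetical, and it assumes one explicitly set transport per host.

```python
# Added example: classify the wire protection implied by Ansible WinRM vars.
# Assumption: message encryption exists only for ntlm, kerberos and credssp,
# and "auto" turns it on over http when the transport supports it.
ENCRYPTING_TRANSPORTS = {"ntlm", "kerberos", "credssp"}


def wire_protection(hostvars):
    """Return (level, note) describing how the WinRM session is protected."""
    port = int(hostvars.get("ansible_winrm_port", hostvars.get("ansible_port", 5986)))
    # Ansible uses https by default unless the port is 5985.
    scheme = hostvars.get("ansible_winrm_scheme", "http" if port == 5985 else "https")
    transport = hostvars.get("ansible_winrm_transport", "")  # assumed to be set
    enc = hostvars.get("ansible_winrm_message_encryption", "auto")
    validation = hostvars.get("ansible_winrm_server_cert_validation", "validate")
    can_encrypt = transport in ENCRYPTING_TRANSPORTS

    if scheme == "https":
        if validation == "ignore":
            return ("tls-unverified", "TLS is used but the server certificate is not checked")
        return ("tls", "TLS protects the whole HTTP session")
    if enc == "never" or (enc == "auto" and not can_encrypt):
        return ("plaintext", "only accepted when the host has AllowUnencrypted = $true")
    if not can_encrypt:  # enc == "always" with a transport that cannot encrypt
        return ("invalid", "message encryption is unavailable for transport %r" % transport)
    return ("message-encrypted",
            "payload sealed by %s; host can keep AllowUnencrypted = $false" % transport)


# Constructed sample host vars; "thread-config" mirrors the playbook in the thread.
SAMPLES = {
    "thread-config": {"ansible_winrm_port": 5985, "ansible_winrm_scheme": "http",
                      "ansible_winrm_transport": "kerberos",
                      "ansible_winrm_message_encryption": "always"},
    "basic-over-http": {"ansible_port": 5985, "ansible_winrm_transport": "basic"},
    "https-selfsigned": {"ansible_port": 5986, "ansible_winrm_transport": "kerberos",
                         "ansible_winrm_server_cert_validation": "ignore"},
}


def audit(inventory):
    """Map each host name to its (level, note) result."""
    return {host: wire_protection(v) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, (level, note) in audit(SAMPLES).items():
        print(f"{host:18} {level:18} {note}")
```

Hosts reported as plaintext or tls-unverified are the ones to review first; for a self-signed certificate, trusting it through ansible_winrm_ca_trust_path keeps validation on.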