Fwd: WinRM kerberos- HTTPSConnectionPool


Laxman Patil

Oct 6, 2022, 2:44:48 PM
to ansible...@googlegroups.com


Hi Team,

I need help to resolve the errors below to communicate with WinRM via Ansible. What would be the cause of these errors?

server 1-
kerberos: HTTPSConnectionPool(host='10.x.x.x'; port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f3d45abe5d0>; 'Connection to 10.x.x.x. timed out. (connect timeout=30)'))

server 2-
kerberos: HTTPSConnectionPool(host='192.x.x.x'; port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: SysCallError(104; 'ECONNRESET')";);))


Note -HTTPS port 5986 is enabled on both servers.

jbor...@gmail.com

Oct 6, 2022, 3:39:45 PM
to Ansible Project
The connection timed out error either means the server is not listening on that port (5986) or a firewall is in the way.

The bad handshake might mean the server doesn't support a TLS protocol or cipher suite the client supports. On older Windows hosts (pre-2016) there is a limited set of cipher suites that they support, and some more modern Linux clients disable these ciphers for security purposes. This is unfortunately a harder problem to solve, but using `openssl s_client -connect host:5986` is a good way to test SSL problems outside of Ansible.

Thanks

Jordan

AdminLP

Oct 7, 2022, 3:29:48 PM
to Ansible Project
Hi Jordan,
Thanks for your response.

We have checked with the Network team; they are saying that they can see traffic while scanning from the source server (Ansible) to the destination (WinRM) servers over port 5986.

Here is the default winrm/config result on the Windows server.

C:\Windows\system32>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 1800000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 2147483647



Please let us know if any other info is needed.
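The configuration dump above is worth reading for more than the listener ports: on the Service side it shows AllowUnencrypted = true, Basic = true, CredSSP = true and CbtHardeningLevel = Relaxed, and MaxEnvelopeSizekb = 500 is the cap that matters for the HTTP 413 errors reported later in the thread. The following parser and audit is an added example, not code from this thread, from Ansible, pywinrm or Microsoft; SAMPLE_CONFIG is a constructed fixture trimmed from the posted output, and the severities, the 8192 KB threshold and the advice text are this editor's reading of the WinRM settings, not conclusions the thread itself reached.

```python
"""Parse the plain-text dump from `winrm get winrm/config` and flag the
settings that matter for security and for Ansible connectivity.

Added example for this thread; it is not Ansible, pywinrm or Microsoft code.
SAMPLE_CONFIG is a constructed fixture trimmed from the configuration posted
above; the severities, thresholds and advice in audit() are this editor's
reading of the WinRM settings, not conclusions the thread itself reached.
"""
import re

SAMPLE_CONFIG = """\
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 1800000
    Client
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
        TrustedHosts
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        CertificateThumbprint
        AllowRemoteAccess = true
"""

# `    Key = value` or a bare `    Section` header; winrm indents 4 spaces per level.
LINE_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[^\s=]+)(?:\s*=\s*(?P<value>.*))?$")


def parse_winrm_config(text):
    """Turn the indented dump into nested dicts keyed by setting name.

    A line without '=' becomes a dict: either a section that the following,
    deeper-indented lines fill in, or an empty setting such as TrustedHosts
    or CertificateThumbprint, which simply stays an empty dict.
    """
    root = {}
    stack = [(-1, root)]              # (indent width, container) for the open sections
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not raw.strip() or not m:
            continue
        indent = len(m.group("indent"))
        while stack[-1][0] >= indent:  # close sections at the same or a deeper level
            stack.pop()
        parent = stack[-1][1]
        key, value = m.group("key"), m.group("value")
        if value is None:
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip()
    return root


def get(cfg, *path):
    """Walk a path of section/setting names; None if any element is missing."""
    node = cfg
    for name in path:
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
    return node


def _is_true(value):
    return isinstance(value, str) and value.lower() == "true"


def audit(cfg, envelope_floor_kb=8192):
    """Return (severity, finding) pairs for the Service side of the config."""
    svc = ("Config", "Service")
    findings = []
    if _is_true(get(cfg, *svc, "AllowUnencrypted")):
        findings.append(("high", "Service.AllowUnencrypted=true: clients may send unencrypted SOAP "
                                 "bodies over the HTTP listener, readable on the wire"))
    if _is_true(get(cfg, *svc, "Auth", "Basic")):
        findings.append(("high", "Service.Auth.Basic=true: Basic sends the password base64-encoded; "
                                 "only tolerable over the HTTPS listener, never with AllowUnencrypted"))
    if _is_true(get(cfg, *svc, "Auth", "CredSSP")):
        findings.append(("medium", "Service.Auth.CredSSP=true: CredSSP hands the full credential to the "
                                   "target; prefer Kerberos unless a double hop is genuinely needed"))
    cbt = get(cfg, *svc, "Auth", "CbtHardeningLevel") or ""
    if cbt.lower() != "strict":
        findings.append(("medium", f"Service.Auth.CbtHardeningLevel={cbt or 'unset'}: channel binding is "
                                   "not enforced; Strict ties the auth exchange to the TLS session"))
    if not get(cfg, *svc, "CertificateThumbprint"):   # None, '' or the empty dict
        findings.append(("info", "Service.CertificateThumbprint is empty: confirm an HTTPS listener exists "
                                 "with `winrm e winrm/config/listener` (listeners carry their own thumbprint)"))
    envelope = get(cfg, "Config", "MaxEnvelopeSizekb")
    if envelope and envelope.isdigit() and int(envelope) < envelope_floor_kb:
        findings.append(("info", f"MaxEnvelopeSizekb={envelope}: SOAP envelopes above this are refused; "
                                 "a low value is the usual suspect behind HTTP 413 from WinRM clients"))
    return findings


if __name__ == "__main__":
    for severity, text in audit(parse_winrm_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {text}")
```

Feed it the real dump (`winrm get winrm/config > config.txt` on the Windows host, then `parse_winrm_config(open("config.txt").read())`) rather than the trimmed fixture; the parser only relies on winrm's 4-space indentation and `key = value` layout, so the Winrs and RootSDDL lines in the full output parse the same way.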

Dick Visser

Oct 7, 2022, 4:17:35 PM
to ansible...@googlegroups.com
On Fri, 7 Oct 2022 at 21:29, AdminLP <laxma...@gmail.com> wrote:
>
> Hi Jordan,
> Thanks for your response.
>
> We have checked with the Network team; they are saying that they can see traffic while scanning from the source server (Ansible) to the destination (WinRM) servers over port 5986.

I don't know your Network team, and I have no way of telling whether
what they claim is true or not, or even know if their statements are
relevant at all. Please read on.

> Please let us know if any other info is needed.

The previous reply asked you to use an openssl command to obtain
relevant debugging information about the connection from the ansible
host to the target system.
You did not provide the results of that - so please do that.

jbor...@gmail.com

Oct 9, 2022, 3:27:10 PM
to Ansible Project
So, to verify the host is actually listening, run 'winrm e winrm/config/listener'; you should see whether there is an actual listener for HTTPS/5986. You can also use your favourite command to check if the port is reachable, e.g. 'nc -zvw10 192.168.1.2 5986'. Once you've verified that you can actually connect to the host on that port, that the remote host is listening on it, and that there's no firewall in the way blocking it, you can move on to getting SSL/TLS working. This is done through 'openssl s_client -connect 192.168.1.2:5986'.

Thanks

Jordan
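The layered check Jordan describes (is the port reachable, then does a TLS handshake complete), done from the Ansible host in Python, the language the urllib3 errors quoted above come from. This is an added example, not code from the thread, from Ansible or from pywinrm; the stage names, the "legacy" client profile that re-admits TLS 1.0/1.1 and the old cipher suites, and the local test listener are this editor's constructions. Certificate verification is switched off because the goal is to observe what the server offers, not to trust it; do not carry that over into the ansible_winrm_* connection settings.

```python
"""Probe a WinRM HTTPS endpoint one layer at a time: TCP connect first, then
a TLS handshake with a modern client profile, then (only if that fails) a
legacy profile that admits TLS 1.0/1.1 and the cipher suites pre-2016
Windows hosts offer.

Added example for this thread; it is not Ansible or pywinrm code. The stage
names, the legacy profile and the local test listener are this editor's own.
"""
import socket
import ssl
import threading


def _make_context(legacy):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # diagnosis only: see the handshake, not trust it
    if legacy:
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1   # what old Windows may be limited to
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")        # re-admit suites modern Linux drops
        except (ValueError, ssl.SSLError):
            pass                                          # OpenSSL build without that support
    return ctx


def _handshake(host, port, timeout, legacy):
    """One TCP connect plus one TLS handshake; returns (stage, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout", "no SYN/ACK: firewall, security group or host down"
    except ConnectionRefusedError:
        return "tcp_refused", "host answered with RST: nothing listening on the port"
    except OSError as e:
        return "tcp_error", str(e)
    try:
        tls = _make_context(legacy).wrap_socket(sock, server_hostname=host)
    except socket.timeout:
        return "tls_timeout", "TCP open but no TLS reply: wrong service on the port?"
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError) as e:
        return "tls_reset", "server dropped the connection during the handshake: " + str(e)
    except ssl.SSLError as e:
        if "EOF" in str(e):
            return "tls_reset", "server dropped the connection during the handshake: " + str(e)
        return "tls_alert", getattr(e, "reason", None) or str(e)
    except OSError as e:
        return "tls_error", str(e)
    with tls:
        return "tls_ok", {"version": tls.version(), "cipher": tls.cipher()[0]}


def probe(host, port=5986, timeout=5.0):
    """Modern handshake first; on a TLS failure retry with the legacy profile so
    the report says whether the server is merely old or actually broken."""
    stage, detail = _handshake(host, port, timeout, legacy=False)
    report = {"host": host, "port": port, "stage": stage, "detail": detail}
    if stage.startswith("tls_") and stage != "tls_ok":
        lstage, ldetail = _handshake(host, port, timeout, legacy=True)
        if lstage == "tls_ok":
            report["stage"] = "tls_legacy_only"   # fix the server's TLS, don't weaken the client
            report["legacy"] = ldetail
        else:
            report["legacy_stage"], report["legacy_detail"] = lstage, ldetail
    return report


def start_reset_listener(connections=2):
    """Constructed test peer: accept a TCP connection and close it at once,
    which a TLS client experiences as ECONNRESET / EOF mid-handshake."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    srv.settimeout(10)
    port = srv.getsockname()[1]

    def run():
        with srv:
            for _ in range(connections):
                try:
                    conn, _ = srv.accept()
                except socket.timeout:
                    return
                conn.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def free_tcp_port():
    """Constructed helper: a local port nothing listens on (tcp_refused case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5986))
```

Run it as `python probe.py 192.x.x.x 5986` from the Ansible host. `tcp_timeout` is server 1's symptom (security group or firewall); `tls_reset` is server 2's ECONNRESET; `tls_legacy_only` means the server only completed the handshake once TLS 1.0/1.1 and old suites were allowed, and the remedy belongs on the Windows side (enable TLS 1.2 and current cipher suites) rather than in loosening the OpenSSL policy of the Ansible host.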

AdminLP

Oct 12, 2022, 9:03:26 AM
to Ansible Project
Thanks for the response,

We are unable to telnet to port 5986 from Ansible for server 1 below; the port might be blocked in the security group, as the Ansible servers are in AWS Cloud.
server 1-
kerberos: HTTPSConnectionPool(host='10.x.x.x'; port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f3d45abe5d0>; 'Connection to 10.x.x.x. timed out. (connect timeout=30)'))


For server 2 - Could you elaborate more on this? What needs to be done to solve this?
kerberos: HTTPSConnectionPool(host='192.x.x.x'; port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: SysCallError(104; 'ECONNRESET')";);))



Dick Visser

Oct 12, 2022, 10:01:39 AM
to ansible...@googlegroups.com
On Wed, 12 Oct 2022 at 15:03, AdminLP <laxma...@gmail.com> wrote:
>
> Thanks for the response,
>
> We are unable to telnet to port 5986 from Ansible for server 1 below; the port might be blocked in the security group, as the Ansible servers are in AWS Cloud.
> server 1-
> kerberos: HTTPSConnectionPool(host='10.x.x.x'; port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f3d45abe5d0>; 'Connection to 10.x.x.x. timed out. (connect timeout=30)'))

There is your reason that things don't work. Get this working first.
But as you can see below, there might be more bumps on the road.

>
> For server 2 - Could you elaborate more on this? What needs to be done to solve this?
> kerberos: HTTPSConnectionPool(host='192.x.x.x'; port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: SysCallError(104; 'ECONNRESET')";);))

As stated by Jordan this can be diagnosed by running an openssl command.

So server 1 has a networking problem, and possibly an SSL problem.
Server 2 has no networking problem, but it has an SSL problem.

Maybe it isn't clear, but you first need network connectivity, and
once that works you need a correct SSL setup.
Network problems will mask SSL problems, effectively.

None of this is specific to ansible though.



AdminLP

Oct 18, 2022, 6:15:54 AM
to Ansible Project
Hello Jordan & dnmv,

Thanks again for your help.

Whatever you suggested works. Opened the WinRM port on the firewall for the servers & disabled the SSL version in the Registry; now Ansible is successfully communicating with WinRM.

However, we still have a few servers where we are getting the errors below. (Telnet is working)

Server 3 - Timeout error. ERROR DURING WINRM SEND INPUT - attempting to recover: WinRMTransportError Bad HTTP response returned from server. Code 413

Server 4 - Times out after one hour. Error: WinRMTransportError Bad HTTP response returned from server. Code 413.

Server 5 - Timed out: 192.0.x.x

Please help... Thanks in advance.

Regards
AdminLp

Dick Visser

Oct 18, 2022, 4:39:05 PM
to ansible...@googlegroups.com
HTTP 413 means Content Too Large:
https://www.rfc-editor.org/rfc/rfc9110.html#name-413-content-too-large

But I don't know enough about the MS ecosystem to fix that.

AdminLP

Oct 25, 2022, 7:26:31 AM
to Ansible Project
Are there any workaround solutions for HTTP 413 (Content Too Large)?

AdminLP

Oct 27, 2022, 6:28:39 AM
to Ansible Project
Hello,

Most of the timed-out error servers are Windows 2008; they have PowerShell version 2.0.
Is this the cause of Ansible failing to communicate with these servers?




Wei-Yen Tan

Oct 27, 2022, 6:57:00 AM
to ansible...@googlegroups.com
The minimum PowerShell requirement is version 3 for Windows. PowerShell version 2 is not compatible.


AdminLP

Oct 27, 2022, 8:04:55 AM
to Ansible Project
Thanks for the confirmation.
Will upgrade the PowerShell version to 3.0 on all Windows 2008 servers.

AdminLP

Oct 31, 2022, 8:42:07 AM
to Ansible Project
Failed with error: Unhandled Exception: OutOfMemoryException