Encrypted passwords not working, clear text does


John Harmon

Mar 12, 2019, 4:08:43 PM
to Ansible Project
For my credssp (windows) to work, I need ansible_user and ansible_password set. I can set these in plain text in a variable, and everything works fine; however, when experimenting with vars_prompt I attempt the same thing and it fails when I use encryption. If I store the password as I do the ad username (clear text), it also works. This may not even be a vars_prompt issue, but an encryption one. Wondering if this is a bug or if I am doing something wrong?

Playbook
---
# Testing Windows AD Stuff
- hosts: myworkstation
  gather_facts: false
  vars_prompt:
    - name: ansible_user
      prompt: "ad username?"
      private: no
    - name: ansible_password
      prompt: "ad password?"
      private: yes
      encrypt: "sha512_crypt"
  tasks:
    - debug:
        var: ansible_user

    - debug:
        var: ansible_password

    - name: Jeremy Test
      win_shell: C:\Scripts\ADtest.ps1
      register: test

    - debug:
        var: test

Result when encrypted:
# ansible-playbook ./test.yml -i /etc/ansible/inventory/windows
ad username?: myuser
ad password?:

PLAY [myworkstation] **************************************************

TASK [debug] **************************************************
ok: [myworkstation] => {
    "ansible_user": "myuser"
}

TASK [debug] **************************************************
ok: [myworkstation] => {
    "ansible_password": "$6$n3CVi/bAXRADodxN$SKTPxVVzkiY4hmYWKMh5un1f1vAbaWc8KrDenWCLlrny8BDT.AkkI4rmfCn1unC9iugrSd6KFJFXdWRZ91AJm1"
}

TASK [Jeremy Test] **************************************************
fatal: [myworkstation]: UNREACHABLE! => {"changed": false, "msg": "credssp: Server did not response with a CredSSP token after step Step 3. Server Authentication - actual 'Negotiate, Kerberos, CredSSP'", "unreachable": true}

Jordan Borean

Mar 12, 2019, 5:09:48 PM
to Ansible Project
The encrypt part of prompt is to create an encrypted/hash value of the prompt. As you can see, the output is useless and it will be used literally, causing the auth to fail. This is useful for modules that work with the hash value of a password, like user, but is useless for authentication that requires the plaintext value, like WinRM.

Thanks

Jordan
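
The distinction in the reply above, written out as a playbook. This is an added example, not code from the thread: the first play keeps the thread's host and script path and simply drops encrypt, while the "linux" host group, the "svc_demo" account and the "new_password_hash" variable in the second play are assumptions made for illustration.

```yaml
---
# Added example, not from the thread.
# Play 1: WinRM/CredSSP authenticates with the plaintext password,
# so the prompt must NOT use "encrypt".
- hosts: myworkstation
  gather_facts: false
  vars_prompt:
    - name: ansible_user
      prompt: "ad username?"
      private: no
    - name: ansible_password
      prompt: "ad password?"
      private: yes            # only hides the typed input; value stays plaintext
  tasks:
    # No debug of ansible_password here: it would print the plaintext.
    - name: Jeremy Test
      win_shell: C:\Scripts\ADtest.ps1
      register: test

    - debug:
        var: test

# Play 2: the user module stores a crypt(3) hash, so this is where
# "encrypt" belongs. Host group and account name are hypothetical.
- hosts: linux
  gather_facts: false
  become: true
  vars_prompt:
    - name: new_password_hash
      prompt: "new password for svc_demo?"
      private: yes
      encrypt: "sha512_crypt"   # variable now holds "$6$<salt>$<hash>"
      confirm: yes
  tasks:
    - name: Set the account password from the hash
      user:
        name: svc_demo
        password: "{{ new_password_hash }}"
      no_log: true              # keep the hash out of task output and logs
```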

John Harmon

Mar 12, 2019, 5:12:11 PM
to Ansible Project
I see. That makes sense. Thank you, Jordan.