WINRM CONNECTION ERROR: the specified credentials were rejected by the server
Johar K. Kwan
# ansible -i inventory winoct -m win_ping -vvvvvvv
ansible 2.6.1
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /bin/ansible
python version = 2.7.5 (default, May 31 2018, 09:41:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /root/inventory inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/minimal.pyc
META: ran handlers
Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
<10.10.10.111> ESTABLISH WINRM CONNECTION FOR USER: test on PORT 5986 TO 10.10.10.111
checking if winrm_host 10.10.10.111 is an IPv6 address
<10.10.10.111> WINRM CONNECT: transport=ssl endpoint=https://10.10.10.111:5986/wsman
<10.10.10.111> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 387, in _winrm_connect
self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 157, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 234, in send_message
resp = self.transport.send_message(message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 256, in send_message
response = self._send_message_request(prepared_request, message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 266, in _send_message_request
raise InvalidCredentialsError("the specified credentials were rejected by the server")
InvalidCredentialsError: the specified credentials were rejected by the server
10.10.10.111 | UNREACHABLE! => {
"changed": false,
"msg": "ssl: the specified credentials were rejected by the server",
"unreachable": true
}
meanwhile other Windows machine are fine.
# ansible -i inventory sysad -m win_ping -vvvvvvv
ansible 2.6.1
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /bin/ansible
python version = 2.7.5 (default, May 31 2018, 09:41:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /root/inventory inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/minimal.pyc
META: ran handlers
Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
<10.10.10.32> ESTABLISH WINRM CONNECTION FOR USER: test on PORT 5986 TO 10.10.10.32
checking if winrm_host 10.10.10.32 is an IPv6 address
<10.10.10.32> WINRM CONNECT: transport=ssl endpoint=https://10.10.10.32:5986/wsman
Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
<10.10.10.41> ESTABLISH WINRM CONNECTION FOR USER: test on PORT 5986 TO 10.10.10.41
checking if winrm_host 10.10.10.41 is an IPv6 address
<10.10.10.41> WINRM CONNECT: transport=ssl endpoint=https://10.10.10.41:5986/wsman
<10.10.10.41> WINRM OPEN SHELL: A85A2BD2-9622-4FBF-9F05-DF1832010881
EXEC (via pipeline wrapper)
<10.10.10.41> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
<10.10.10.32> WINRM OPEN SHELL: E38B8407-E794-40AF-99A2-850153CACD80
EXEC (via pipeline wrapper)
<10.10.10.32> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
<10.10.10.32> WINRM RESULT u'<Response code 0, out "{"changed":false,"pi", err "">'
<10.10.10.32> WINRM STDOUT {"changed":false,"ping":"pong"}
<10.10.10.32> WINRM STDERR
<10.10.10.32> WINRM CLOSE SHELL: E38B8407-E794-40AF-99A2-850153CACD80
10.10.10.32 | SUCCESS => {
"changed": false,
"ping": "pong"
}
<10.10.10.41> WINRM RESULT u'<Response code 0, out "{"changed":false,"pi", err "">'
<10.10.10.41> WINRM STDOUT {"changed":false,"ping":"pong"}
<10.10.10.41> WINRM STDERR
<10.10.10.41> WINRM CLOSE SHELL: A85A2BD2-9622-4FBF-9F05-DF1832010881
10.10.10.41 | SUCCESS => {
"changed": false,
"ping": "pong"
}
META: ran handlers
META: ran handlers
winrm get winrm/config ( for 3 of the windows machine are same config )
any help would be much appreciated.
Thank you
Jordan Borean
- The credentials you are using are actually incorrect, or you haven't specified the password in Ansible correctly
- The account is disabled or locked on the Windows host
- If using Basic auth (you are), you need to enable Basic auth on the server, "Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true"
- The account does not have rights to log on through the network, https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network
- The account is not part of the local Administrators group, or if a non admin account you haven't given it permission
- You are using a domain account over Basic auth, use Kerberos (preferably) or NTLM/CredSSP
- You are using Basic auth over HTTP, this is not encrypted and Windows will reject the process (I see this isn't your case as you are running over HTTPS)
- The LocalAccountTokenFilterPolicy is not set to 1 (only for local admin accounts that is not the BUILTIN\Administrator account), https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
Johar K. Kwan
I managed connect using Kerberos instead of using ssl. For ssl connection I think i need to create self signed cert as mention here http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure.