NTLM Auth fails for WinRM


Jim Heald

Jun 8, 2017, 4:47:04 PM
to Ansible Project
So I am running into a very strange issue. Using ntlm I cannot get any successful authentication through Ansible -- even with the local admin user, which works over SSL.

I have tried following the steps here to no avail. I tried granting my specific user full access, I tried with a user that should be in the Domain Admins group, nothing. Any suggestions?

Jordan Borean

Jun 12, 2017, 6:27:52 AM
to Ansible Project
Hey

There is a myriad of reasons why this might not work, but here is where I would start. Run the following commands in PowerShell and paste the info here, and we should be able to help a bit more.

# Dump the WinRM service configuration (auth methods, encryption, filters)
Write-Host "WinRM Service Settings"
winrm get winrm/config/service

# Dump the configured listeners (transport, port, certificate thumbprint)
Write-Host "WinRM Listener Info"
winrm enumerate winrm/config/Listener

# If an HTTPS listener exists, look up its certificate in the machine store
$listener = Get-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet @{ Transport = "HTTPS"; Address = "*" }
if ($listener) {
    $thumbprint = $listener.CertificateThumbprint
    $certificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }

    if ($certificate) {
        Write-Host "Certificate Metadata"
        Write-Host "Signature Algorithm: $($certificate.SignatureAlgorithm.FriendlyName)"
        Write-Host "Valid To: $($certificate.NotAfter.DateTime)"
    } else {
        Write-Host "Unable to find certificate info for thumbprint: $thumbprint"
    }
}

Other things that would be good to know are the versions of your pywinrm and its dependencies. Are you able to run the below and tell us the versions of pywinrm, requests-ntlm and ntlm-auth?

pip list


You can also try just connecting to your Windows Server directly with PowerShell, to rule out whether it is pywinrm or some host configuration.

Thanks

Jordan

Jim Heald

Jun 12, 2017, 1:56:19 PM
to Ansible Project
winrm get winrm/config/service

Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true

winrm enumerate winrm/config/Listener

Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 129.65.138.91, ::1

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = RM100B2
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = B33FC6258B1CD23BA3191BD0FCBCC27E530432BC
    ListeningOn = 127.0.0.1, 129.65.138.91, ::1

Write-Host "Signature Algorithm: $($certificate.SignatureAlgorithm.FriendlyName)"
Signature Algorithm: sha1RSA

Write-Host "Valid To: $($certificate.NotAfter.DateTime)"
Valid To: Wednesday, January 03, 2018 4:38:29 AM

From pip list:
requests-ntlm (0.3.0)
pywinrm (0.2.2)
ntlm-auth (1.0.4)

Jordan Borean

Jun 12, 2017, 5:55:51 PM
to Ansible Project
Thanks for the info. From what you have given me, there is a chance that your NTLM level is set to NTLMv2 only and the libraries installed on your Ansible host don't support that. You can verify that by running the following in PowerShell:

(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name LmCompatibilityLevel).LmCompatibilityLevel

If the value returned is 3 or greater then the Server only supports NTLMv2 with NTLM (https://technet.microsoft.com/en-us/library/cc960646.aspx). There was a big update to requests-ntlm (1.0.0) which changed the dependency from python-ntlm3 to ntlm-auth which supports things like NTLMv2 and other stuff absent from python-ntlm3. If you can update this library and try again I am hoping it will fix your issue.
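As an added example (not code from anyone in this thread), here is a small Python check that ties the two pieces of information Jordan asked for together: it parses the `pip list` output from the Ansible host and, given the `LmCompatibilityLevel` read from the Windows host, reports whether the client-side NTLM stack is too old for an NTLMv2-only server. It uses the thread's own thresholds (level 3 or greater, requests-ntlm 1.0.0 as the switch to ntlm-auth) and also accepts the newer columnar `pip list` format; the sample output is constructed from the versions Jim posted.

```python
import re

# Constructed sample input: the legacy "name (version)" pip list format from the thread.
PIP_LIST_OUTPUT = """requests-ntlm (0.3.0)
pywinrm (0.2.2)
ntlm-auth (1.0.4)
"""

# requests-ntlm 1.0.0 swapped python-ntlm3 for ntlm-auth, which implements NTLMv2.
NTLMV2_MIN_REQUESTS_NTLM = (1, 0, 0)


def parse_pip_list(text):
    """Return {package: version_tuple} from legacy "pkg (x.y)" or columnar "pkg x.y" output."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.-]+)\s+\(?(\d+(?:\.\d+)*)\)?\s*$", line)
        if m:  # header and separator lines of the columnar format do not match
            pkgs[m.group(1).lower()] = tuple(int(p) for p in m.group(2).split("."))
    return pkgs


def server_requires_ntlmv2(lm_compatibility_level):
    """LmCompatibilityLevel 3 or greater is the NTLMv2-only range the thread refers to."""
    return lm_compatibility_level >= 3


def client_supports_ntlmv2(pkgs):
    """requests-ntlm older than 1.0.0 still depends on python-ntlm3, which lacks NTLMv2."""
    version = pkgs.get("requests-ntlm")
    return version is not None and version >= NTLMV2_MIN_REQUESTS_NTLM


def diagnose(pip_output, lm_compatibility_level):
    """Summarise whether the Ansible host's NTLM libraries can satisfy the server policy."""
    pkgs = parse_pip_list(pip_output)
    if "pywinrm" not in pkgs or "requests-ntlm" not in pkgs:
        return "missing: pywinrm or requests-ntlm is not installed on the Ansible host"
    if server_requires_ntlmv2(lm_compatibility_level) and not client_supports_ntlmv2(pkgs):
        have = ".".join(str(p) for p in pkgs["requests-ntlm"])
        return ("mismatch: LmCompatibilityLevel %d needs NTLMv2 but requests-ntlm %s "
                "predates ntlm-auth; upgrade requests-ntlm to 1.0.0 or later"
                % (lm_compatibility_level, have))
    return "ok: client NTLM stack is compatible with LmCompatibilityLevel %d" % lm_compatibility_level


if __name__ == "__main__":
    print(diagnose(PIP_LIST_OUTPUT, 3))
```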