Issue running get-aduser in powershell from playbook


Gregory Machin

May 1, 2023, 9:27:32 PM5/1/23
to Ansible Project
Hi,

I'm currently testing using AWX as an API to run PowerShell commands via Ansible playbooks.

I'm currently testing using the Get-ADUser command, as this is close to what I'll be doing.

I'm using the following Ansible playbook:

- name: Test Extra Variables and PowerShell Command
  hosts: all
  # An empty "collections:" key is not a list; name the collection the tasks use
  collections:
    - ansible.windows
  tasks:
    - name: Show Extra Variables
      debug:
        msg:
          - "NewUserName: {{ NewUserName }}"
          - "UserManager: {{ UserManager }}"

    - name: Run PowerShell Command with SYSTEM account
      ansible.windows.win_shell: |
        whoami
        Test-NetConnection server.Domain.local -port 9389
        Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite
        # NewUserName is templated straight into the script text by Ansible
        Get-ADUser -Identity {{ NewUserName }}
      register: result

    - name: Show PowerShell Command Result
      debug:
        var: result.stdout_lines

but Get-ADUser errors with:

Get-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it
does not have the Active Directory Web Services running.
At line:4 char:1
+ Get-ADUser -Identity bbuilder
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (bbuilder:ADUser) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

but I don't have any issues running Get-ADUser under my account or the service account used for the playbook on the same server.

The following in the playbook work as expected:
        Test-NetConnection server.Domain.local -port 9389
        Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite

It feels like there is something missing from the PowerShell environment used by Ansible, but I can't see what could cause this.

Please advise.

Thank you,
G

jbor...@gmail.com

May 2, 2023, 3:14:02 PM5/2/23
to Ansible Project
This is most likely the double hop problem, where the WinRM process on the Windows side is unable to authenticate itself when talking to a downstream server [1].

There are a few ways you can solve this:
  • Use become on the task [2]
  • Use CredSSP as your authentication protocol with WinRM
  • Set up Kerberos delegation through either
    • Unconstrained delegation
    • Constrained delegation
    • Resource-based delegation
Thanks

Jordan

[2] https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#become-and-windows
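The first option from the list above, worked through as an added example playbook. This is not code from the thread or from the Ansible project; the host group `windows`, the variables `svc_ad_user`/`svc_ad_password` (assumed to come from AWX credentials or a vault file) and the environment variable name `NEW_USER_NAME` are all assumptions. The point it shows is that become with the runas method gives the PowerShell process a fresh interactive logon, so the Get-ADUser call to ADWS on the second hop is made with a credential the server will accept. It also passes the extra variable through the process environment instead of templating it into the script text, so a hostile value supplied through the AWX API stays data rather than becoming part of the command line.

```yaml
# Added example playbook (not from the thread): Get-ADUser over WinRM using
# become/runas to get a logon token that can authenticate to the next hop.
- name: Query AD from a WinRM session without the double-hop problem
  hosts: windows            # assumed inventory group
  gather_facts: false
  vars:
    # Assumed variable names; supply them from AWX credentials or a vault file,
    # never as plain extra vars in the job template.
    ad_user: "{{ svc_ad_user }}"
    ad_password: "{{ svc_ad_password }}"
  tasks:
    - name: Look up the user with an interactive runas logon
      ansible.windows.win_shell: |
        # The name is read from the environment, not templated into the script,
        # so a value such as "x; Remove-Item C:\*" cannot change the command.
        Get-ADUser -Identity $env:NEW_USER_NAME -Properties DisplayName, Manager |
          Select-Object SamAccountName, DisplayName, Manager |
          ConvertTo-Json -Compress
      environment:
        NEW_USER_NAME: "{{ NewUserName }}"   # the extra var from the job template
      become: true
      become_method: runas
      become_user: "{{ ad_user }}"
      vars:
        # Giving runas a password produces an interactive logon with network
        # credentials; become without one yields a token that cannot reach ADWS.
        ansible_become_password: "{{ ad_password }}"
      register: result
      changed_when: false

    - name: Show the result
      ansible.builtin.debug:
        msg: "{{ result.stdout | from_json }}"
```

If you choose CredSSP instead, set `ansible_winrm_transport: credssp` on the host and drop the become keys; be aware that CredSSP hands the plaintext credential to the target server, which is why constrained or resource-based delegation is the better choice wherever you are able to configure it.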

Gregory Machin

May 4, 2023, 5:28:26 AM5/4/23
to ansible...@googlegroups.com
Hi Jordan, 

Thanks for that; you resolved it.

For the next person, this is what I ended up doing:

    - name: Run PowerShell Command with SYSTEM account
      ansible.windows.win_shell: |
        Get-ADUser -Identity {{ NewUserName }} -Properties *
      register: result
      # become with the runas method gives the task a new logon token
      become: yes
      become_method: runas
