Unable to authenticate through CredSSP


Shyam

Sep 23, 2018, 2:08:36 AM
to Ansible Project
Hi all,

I'm unable to connect to Windows using CredSSP authentication. I'm getting the following error:


x.x.x.x | UNREACHABLE! => {
    "changed": false,
    "msg": "credssp: HTTPSConnectionPool(host='x.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f77cc40cfd0>: Failed to establish a new connection: [Errno 111] Connection refused',))",
    "unreachable": true
}

Inventory file settings,

ansible_user: Administrator
ansible_password: xxxxxx
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
ansible_winrm_transport: credssp
ansible_winrm_server_cert_validation: ignore


Thanks,
Shyam

Ankit Vashistha

Sep 23, 2018, 3:08:54 AM
to ansible...@googlegroups.com

Is your user a part of admin group?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/77d5bf09-527a-4b2e-b8aa-9297223cff06%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Shyam

Sep 23, 2018, 8:56:50 AM
to Ansible Project
Hi Ankit,

Thanks for your reply. The user has all the admin rights. I'm still unable to connect to the remote host. Same error.

Shyam

Sep 23, 2018, 9:59:58 AM
to Ansible Project
Hi,

I'm able to ping with Basic auth and NTLM, using port number 5985. But when I try to connect with CredSSP, I get the error.

Settings for Basic and NTLM in inventory
==============
ansible_user: Administrator
ansible_password: xxxxxx
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore

=============
x.x.x.x | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

credSSP Inventory file settings

================
ansible_user: Administrator
ansible_password: xxxxxxxx
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: credssp
ansible_winrm_server_cert_validation: ignore

===============

CredSSP AUTH ERROR:
=========================
x.x.x.x | UNREACHABLE! => {
    "changed": false,
    "msg": "credssp: HTTPSConnectionPool(host='x.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fae9734dfd0>: Failed to establish a new connection: [Errno 111] Connection refused',))",
    "unreachable": true
}


==========================

Do I need to make any changes at the Windows host level? Can anyone please help with this?


Thanks,
Shyam

Jordan Borean

Sep 23, 2018, 4:05:41 PM
to Ansible Project
You have to make sure CredSSP is enabled in the server roles with 'Enable-WSManCredSSP -Role Server' https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/enable-wsmancredssp. This is because CredSSP uses unconstrained delegation and people should be aware of the potential security risks that come with unconstrained delegation.

You can verify what has been enabled or disabled by running 'winrm get winrm/config/service/auth' on your Windows host as well.

Thanks

Jordan
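
An added example, not part of Jordan's reply or of Ansible itself: a Python check that parses the output of 'winrm get winrm/config/service/auth' and reports whether the transport set in ansible_winrm_transport is enabled on the host, and whether CredSSP delegation is switched on. The sample output is constructed, and the transport-to-setting mapping and the function names are assumptions made for this example.

```python
import re

# Constructed sample of `winrm get winrm/config/service/auth` output (not from the thread).
SAMPLE_AUTH_OUTPUT = """\
Auth
    Basic = true
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Relaxed
"""

# Assumed mapping: ansible_winrm_transport value -> WinRM service auth setting.
# NTLM is offered by the service through Negotiate.
TRANSPORT_TO_SETTING = {
    "basic": "Basic",
    "ntlm": "Negotiate",
    "kerberos": "Kerberos",
    "certificate": "Certificate",
    "credssp": "CredSSP",
}

def parse_service_auth(text):
    """Return {setting: value}; 'true'/'false' become bool, other values stay strings."""
    settings = {}
    for line in text.splitlines():
        # Take only the first token after '=' so trailing annotations are ignored.
        match = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if match:
            name, value = match.groups()
            settings[name] = {"true": True, "false": False}.get(value.lower(), value)
    return settings

def check_transport(auth_output, transport):
    """Compare one inventory transport against the host's service auth settings."""
    settings = parse_service_auth(auth_output)
    findings = []
    key = TRANSPORT_TO_SETTING.get(transport.lower())
    if key is None:
        findings.append(f"unknown transport: {transport}")
    elif settings.get(key) is not True:
        findings.append(f"{key} is not enabled in the WinRM service auth settings")
    # Flag delegation explicitly so enabling it is a visible, reviewed decision.
    if settings.get("CredSSP") is True:
        findings.append("CredSSP is enabled: this host accepts delegated credentials")
    return findings

if __name__ == "__main__":
    for finding in check_transport(SAMPLE_AUTH_OUTPUT, "credssp"):
        print(finding)
```

To use it against a real host, pass the text printed by the command on that host in place of the constructed sample.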

Shyam U

Sep 27, 2018, 12:20:05 AM
to ansible...@googlegroups.com
Hi Jordan,

Thanks for your reply. The issue got fixed after enabling 'Enable-WSManCredSSP -Role Server'.


Thanks for your help.
Shyam

--
Thanks & Regards
Syam-9533520036
