winrm fails after domain join in Azure but is fine in Hyper-V


Robert Moore

Sep 11, 2018, 2:14:20 AM
to Packer
Hi, I'm running the exact same provisioner script on both the Azure and Hyper-V builders.
After joining the domain the Azure script won't reconnect to WinRM but the Hyper-V script will. (Both scripts build as the same computer name, which already exists in Active Directory, so they are getting the same group policy.)

The Azure builder makes a successful TLS connection to the remote vm in Azure but immediately exits and retries periodically until timeout. I can RDP to this machine ok.

Any ideas on what could be going on? I know the Hyper-V builder uses a winrm_username & winrm_password, whereas the Azure builder just uses a winrm_username and then relies on an Azure key vault.

Megan Marsh

Sep 11, 2018, 12:39:03 PM
to packe...@googlegroups.com
Can you share your provisioner script and bootstrap scripts?

Robert Moore

Sep 11, 2018, 7:57:12 PM
to Packer
Sure (I think Travis Kirk posted into the wrong thread?)

Azure:
"builders": [{
    "type": "azure-arm",
    "subscription_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "tenant_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "object_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",

    "resource_group_name": "DR-Citrix",
    "storage_account": "xxxxxxxxxx",
    "capture_container_name": "images",
    "capture_name_prefix": "packer",
    "temp_compute_name": "SDI2016packer",
    "build_resource_group_name": "Packer-Builds",

    "os_type": "Windows",
    "image_publisher": "MicrosoftWindowsServer",
    "image_offer": "WindowsServer",
    "image_sku": "2016-Datacenter",

    "azure_tags": {
        "dept": "IT"
    },
    "winrm_timeout": "30m",
    "communicator": "winrm",
    "winrm_use_ssl": "true",
    "winrm_insecure": "true",
    "winrm_username": "packer",

    "vm_size": "Standard_DS2_v2",
    "virtual_network_name": "YHADRCXZAE-vnet",
    "virtual_network_subnet_name": "YHADRCXZAE-sn-CX",
    "virtual_network_resource_group_name": "DR-Citrix"
}],


Hyper-V:
"builders": [{
    "type": "hyperv-iso",
    "iso_url": "c:\\hyper-v\\SW_DVD9_Win_Server_STD_CORE_2016_64Bit_English_-4_DC_STD_MLF_X21-70526.ISO",
    "iso_checksum": "E3779D4B1574BF711B063FE457B3BA63",
    "iso_checksum_type": "md5",
    "generation": 1,
    "ram_size": 4096,
    "cpu": 2,
    "disk_size": 131072,
    "output_directory": "c:\\packer\\output1_SDI",
    "communicator": "winrm",
    "winrm_username": "Admin",
    "winrm_password": "xxxxxxxxxxxxx",
    "winrm_timeout": "4h",
    "winrm_use_ssl": true,
    "winrm_insecure": true,
    "shutdown_command": "shutdown /s",
    "switch_name": "External",
    "floppy_files": [
        "Autounattend.xml",
        "..\\common\\config-winrm.ps1"
    ]
}],

The Autounattend.xml runs config-winrm.ps1, which is:
# Mark the connection Private so the WinRM listener and the firewall rule below apply before domain join.
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private
Add-Content -Value ((Get-Date).ToLongTimeString() + " configuring winRM") -Path c:\packer_log.txt -Force
cmd.exe /c winrm quickconfig -q
# Self-signed certificate for the HTTPS listener; the builder uses winrm_insecure so it is never validated.
$Cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# Relaxed build-time settings (unencrypted, Basic and CredSSP); a domain GPO for WinRM can override these after the join.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
Write-Host "sleeping for a bit"
Start-Sleep -Seconds 30
# Only the Private and Domain profiles are opened; Public stays closed.
New-NetFirewallRule -DisplayName "Port 5986" -Protocol TCP -LocalPort 5986 -Action Allow -Profile Private,Domain



Both builders use this provisioner script to join the domain and then do a windows-restart:
$domain = "xxxxxxxxxx"
# The join account's password is passed in through an environment variable rather than hard-coded.
$password = $($env:svc_st_pwd) | ConvertTo-SecureString -AsPlainText -Force
$username = "$domain\svc_scheduletask"
$credential = New-Object System.Management.Automation.PSCredential($username, $password)
Write-Host 'joining'
Add-Computer -DomainName $domain -Credential $credential
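A diagnostic to run on the build VM over RDP (which still works in the case above) after the domain join, added here as an example; it is not code from the thread or from Packer. It checks each part of the WinRM HTTPS path that a domain join can disturb: the service, the network profile, the HTTPS listener and its certificate, the WinRM group-policy registry keys that override the local winrm set values, the firewall rule's profile scope, and finally a TLS handshake to localhost that reports the certificate actually served. The defaults assume the values from config-winrm.ps1 above (port 5986, certificate name "packer", rule name "Port 5986"); change the parameters if your bootstrap differs.

```powershell
# Added diagnostic (not from the thread or from Packer). Assumes the listener,
# certificate and firewall rule were created as in config-winrm.ps1 above.
param(
    [string]$ExpectedHostname = 'packer',
    [int]$Port = 5986,
    [string]$RuleName = 'Port 5986'
)

$findings = New-Object System.Collections.Generic.List[string]
$thumb = $null

# 1. Service state: a domain GPO can change the startup type or stop the service.
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') { $findings.Add("WinRM service is $($svc.Status), expected Running") }

# 2. Network profile: after Add-Computer the adapter normally becomes DomainAuthenticated,
#    so a firewall rule scoped to Private only would stop matching.
$profiles = Get-NetConnectionProfile
foreach ($p in $profiles) {
    Write-Host ("Interface {0}: category {1}" -f $p.InterfaceAlias, $p.NetworkCategory)
}

# 3. HTTPS listener and the certificate it references.
$https = Get-ChildItem -Path WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $https) {
    $findings.Add('No HTTPS listener is registered in WSMan:\localhost\Listener')
} else {
    foreach ($l in $https) {
        $props = Get-ChildItem -Path $l.PSPath
        $thumb = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
        $lport = ($props | Where-Object Name -eq 'Port').Value
        $lhost = ($props | Where-Object Name -eq 'Hostname').Value
        Write-Host "HTTPS listener: port $lport hostname $lhost thumbprint $thumb"
        if ([int]$lport -ne $Port) { $findings.Add("Listener port is $lport, expected $Port") }
        # The self-signed certificate must still be in the machine store; certificate
        # auto-enrollment or cleanup policy can remove it after the join.
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
        if (-not $cert) {
            $findings.Add("Listener references thumbprint $thumb but no such certificate is in Cert:\LocalMachine\My")
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            $findings.Add("Listener certificate expired on $($cert.NotAfter)")
        }
    }
}

# 4. Authentication settings: the effective value is what the policy key dictates once
#    the machine is domain-joined, regardless of what winrm set configured locally.
$basic = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value
$unenc = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
Write-Host "Service Auth Basic=$basic AllowUnencrypted=$unenc"
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
if (Test-Path -Path $pol) {
    $v = Get-ItemProperty -Path $pol
    if ($v.PSObject.Properties['AllowBasic'] -and $v.AllowBasic -eq 0) {
        $findings.Add('Domain policy disables Basic authentication for the WinRM service')
    }
    if ($v.PSObject.Properties['AllowUnencryptedTraffic'] -and $v.AllowUnencryptedTraffic -eq 0) {
        $findings.Add('Domain policy disables unencrypted WinRM traffic')
    }
}

# 5. Firewall rule scope against the active profile(s).
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings.Add("Firewall rule '$RuleName' not found")
} else {
    Write-Host "Firewall rule '$RuleName': Enabled=$($rule.Enabled) Profile=$($rule.Profile) Action=$($rule.Action)"
    $cats = ($profiles | Select-Object -ExpandProperty NetworkCategory) -replace 'DomainAuthenticated', 'Domain'
    foreach ($c in $cats) {
        if ("$($rule.Profile)" -ne 'Any' -and "$($rule.Profile)" -notmatch $c) {
            $findings.Add("Rule '$RuleName' does not apply to the active $c profile")
        }
    }
}

# 6. TLS handshake to the listener, accepting any certificate (as winrm_insecure does),
#    then compare the served certificate with the listener's thumbprint.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect('localhost', $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($ExpectedHostname)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS handshake OK; served thumbprint $($served.Thumbprint) subject $($served.Subject)"
    if ($thumb -and $served.Thumbprint -ne $thumb) { $findings.Add('Served certificate differs from the listener thumbprint') }
    $ssl.Dispose()
} catch {
    $findings.Add("TLS connection to localhost:$Port failed: $($_.Exception.Message)")
} finally {
    $tcp.Dispose()
}

if ($findings.Count -eq 0) { Write-Host 'No problems found in the local WinRM HTTPS configuration' }
else { Write-Host 'Findings:'; $findings | ForEach-Object { Write-Host " - $_" } }
```

The handshake step mirrors what the builder's log shows (a TLS connection that succeeds), so if this script reports the handshake as fine but step 4 shows a policy key forcing Basic or unencrypted traffic off, the failure is at the authentication layer rather than the network, which is where a domain GPO applied only to the Azure VM's OU would show up.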