Ansible and WinRM in a Workgroup

Introduction

I have started learning Ansible with the help of various blogs and Pluralsight videos. My focus is on using Ansible to configure Windows.

Ansible uses WinRM to connect to Windows servers and I was having some trouble connecting from my CentOS Ansible VM to either Windows 2012 R2 or 2016 that were standalone servers, so Workgroup and not joined to Active Directory.

After too many attempts to get Ansible to connect to the 2012 R2 VM I thought I would document how to get the connection going.

Environment

This has been tested with the following:

  • Ansible 2.7.4 running on CentOS 7. Server is called ansible
  • Target server of Windows Server 2012 R2 fully patched. No configuration changes made to the OS. Server is called control
  • Target server of Windows Server 2016 fully patched. No configuration changes made to the OS. Server is called server2
  • All VMs nested in VMware Workstation 15. NAT on the NIC and Workstation handling DHCP
  • Confirmed I can ping the two Windows servers from CentOS by name

Ansible has been setup with a simple inventory file:

---
[servers]
server1
server2

Then the variables for connecting to the Windows servers:

ansible_user: Administrator
ansible_password: "Password1"
ansible_port: 5985
ansible_connection: winrm

So connect to Windows over WinRM on port 5985 using the username/password of Administrator/Password

Initial Test

To test functionality I am going to use the Ansible module win_ping. As the documentation says this simply checks management connectivity of a windows host.

Running ansible gives the following result:

[ansible@control]$ ansible servers -i inventory.yml -m win_ping
server1 ¦ UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: the specified credentials were rejected by the server",
    "unreachable": true
}
server2 ¦ UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: the specified credentials were rejected by the server",
    "unreachable": true
}

So something is wrong here. It’s not the credentials as I know they are correct. It must be some other authentication issue.

The Solution

The root of the problem is that we are sending credentials in plaintext over the unencrypted WinRM port 5985. As this was a lab I just wanted to easily test, so I was willing to do this. Do not do this in production!

The fix is a couple of WinRM configuration changes in the Windows servers. In an elevated command prompt type the following commands:

C:\Windows\system32>winrm set winrm/config/service/auth @{Basic="true"}
Auth
    Basic = true
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Relaxed

C:\Windows\system32>winrm set winrm/config/service @{AllowUnencrypted="true"}
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
    ~~~

The first command sets WinRM to Basic Authentication and the second allows unencrypted traffic.

Running Ansible again:

~~~ bash
[ansible@control]$ ansible servers -i inventory.yml -m win_ping
server1 ¦ SUCCESS! => {
    "changed": false,
    "ping": "pong"
}
server2 ¦ SUCCESS! => {
    "changed": false,
    "ping": "pong"
}

We can now access the servers over WinRM.

Wrap Up

As I said above this is not how to run this in production. Normally you would use encrypted traffic to a domain joined server using a proper authentication method such as Kerberos or CredSSP.

In the next post I am going to look at further authentication options for Ansible and WinRM.

Categories:

Updated: