0
votes

I am building a playbook in Ansible that will add some DNS entries to multiple Windows 2012 R2 domain controllers (DC). When attempting to authenticate over HTTP the DC rejects my credentials.

I have followed the documentation on the Ansible website to configure kerberos on my control machine.

http://docs.ansible.com/ansible/intro_windows.html#active-directory-support

I have also confirmed that I can log into the domain using my credentials:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my-user@<REDACTED>

Valid starting       Expires              Service principal
10/06/2016 09:47:03  10/06/2016 19:47:03  krbtgt/<REDACTED>@<REDACTED>
    renew until 10/07/2016 09:46:59
10/06/2016 09:47:48  10/06/2016 19:47:03  HTTP/phx-dev-mwad01.<REDACTED>@<REDACTED>
    renew until 10/07/2016 09:46:59
10/06/2016 09:54:15  10/06/2016 19:47:03  HTTP/phx-dev-mwad02.<REDACTED>@<REDACTED>
    renew until 10/07/2016 09:46:59
10/06/2016 12:08:28  10/06/2016 19:47:03  HTTP/phx-dev-want01.<REDACTED>@<REDACTED>
    renew until 10/07/2016 09:46:59

I redacted the domain for security purposes.

Here is my config file for winrm:

ansible_user: my-user@<REDACTED>
ansible_password: SomePass
ansible_port: 5985
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore

I am able to connect to the Windows servers over port 5986 (HTTPS); however, in production the domain controllers are not configured for 5986, so Ansible must be able to establish the connection over port 5985 (HTTP). This requirement will not change in production.

When attempting the connection over 5985 my credentials are rejected:

fatal: [phx-dev-mwad02]: UNREACHABLE! => {"changed": false, "msg": "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server", "unreachable": true}

WinRM is set to allow remote management:

$winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

Here is a gist to our WinRM configuration:

https://gist.github.com/anonymous/f2baaff517287c535453dbba4ef03b69

And yes, I have confirmed that my credentials are correct.


1 Answer

3
votes

Look at AllowUnencrypted = false in your WinRM server's config. It seems that, for now, Python winrm doesn't support message encryption without HTTPS. As a workaround you can set it to true, which is insecure, so I strongly recommend against it (cmd):

winrm set winrm/config/service @{AllowUnencrypted="true"}

See HTTP or HTTPS endpoint section of https://pypi.python.org/pypi/pywinrm
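As an added illustration (not part of the question or the answer above), the following PowerShell snippet audits the setting the answer points at on a Windows host: it reads AllowUnencrypted from the WinRM service configuration, enumerates the configured listeners, and flags the combination an administrator would want to catch, an HTTP (port 5985) listener on a service that permits unencrypted messages. It assumes the WSMan: drive provider that ships with Windows PowerShell on 2012 R2 and must be run in an elevated session; the function name Test-WinRMUnencrypted is made up for this example.

```powershell
# Added example, not from the question or answer: audit the WinRM service for
# AllowUnencrypted and report which listeners would carry unencrypted traffic.
# Run in an elevated PowerShell session on the Windows host being audited.
function Test-WinRMUnencrypted {
    [CmdletBinding()]
    param()

    # The WSMan: provider exposes service settings as items whose .Value is a string
    # ("true" / "false" for AllowUnencrypted).
    $allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value

    # Each listener is a container; its settings (Transport, Port, Address, ...)
    # are child items of that container.
    $listeners = Get-ChildItem WSMan:\localhost\Listener

    $report = foreach ($listener in $listeners) {
        $props     = Get-ChildItem $listener.PSPath
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        $port      = ($props | Where-Object Name -eq 'Port').Value

        [pscustomobject]@{
            Listener         = $listener.Name
            Transport        = $transport
            Port             = $port
            AllowUnencrypted = $allowUnencrypted
            # Plain HTTP is only a problem when WinRM's own message-level
            # encryption has also been switched off: that is the combination
            # in which credentials and payloads cross the wire unprotected.
            UnencryptedRisk  = ($transport -eq 'HTTP' -and $allowUnencrypted -eq 'true')
        }
    }
    return $report
}

# Usage: print one row per listener with the risk flag.
Test-WinRMUnencrypted | Format-Table -AutoSize

# If an audit finds the setting relaxed, this restores the secure default.
# It is the reverse of the cmd-style command quoted in the answer
# (winrm set winrm/config/service @{AllowUnencrypted="false"}):
# Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
```

The intent is the defensive complement of the answer: rather than relaxing AllowUnencrypted to make the 5985 connection work, an administrator can use a check like this to find hosts where it has already been relaxed and either revert it or move those hosts to an HTTPS listener.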