In our previous article, we discussed basic authentication technique i.e. Managing Windows Machines with Ansible. In this article we will see managing windows machine by CredSSP authentication method.
What is CredSSP (Credential Security Support Provider)?
CredSSP authentication is a newer authentication protocol that allows credential delegation. This is achieved by encrypting the username and password after authentication has succeeded and sending that to the server using the CredSSP protocol.
Because the username and password are sent to the server to be used for double hop authentication, ensure that the hosts that the Windows host communicates with are not compromised and are trusted.
CredSSP can be used for both local and domain accounts and also supports message encryption over HTTP.
Prerequisites
Windows Machine :- In order for Ansible to manage your windows machines, you will have to enable and configure PowerShell remoting. For more details, please visit prerequisite section of Managing Windows Machines with Ansible.
CredSSP authentication is not enabled by default on a Windows host, but can be enabled by running the following in PowerShell:
Enable-WSManCredSSP -Role Server -Force
Also it can be enabled by using ps1 script, running the following in PowerShell:
powershell.exe -File ConfigureRemotingForAnsible.ps1 -Verbose -EnableCredSSP
Ansible Control Machine :- On Ansible control machine we need to have python winrm module to be installed and pyOpenSSL python library. Make sure pyOpenSSL >=17.3.0
root@devops$ pip install "pywinrm>=0.2.2"
root@devops$ pip install "pyOpenSSL>=17.3.0"
Configure / Setup
Create /etc/ansible/hosts inventory file, you can add the Windows machines into this file you want to manage.
/etc/ansible/hosts
[windows] dc01.devopstechie.com [windows:vars] ansible_user=administrator@DEVOPSTECHIE.COM ansible_pass=SecretPasswordGoesHere ansible_port=5986 ansible_connection=winrm ansible_winrm_transport=credssp ansible_winrm_server_cert_validation=ignore
Now by using Ansible win_ping module you can test connection/setup is working
[root@ansible devops]# ansible windows -m win_ping
dc01.devopstechie.com | success >> {
"changed": false,
"ping": "pong"
}
Reference: https://docs.ansible.com/ansible/devel/windows_winrm.html#credssp
Avinash Pawar
DevOps Practitioner interested in learning new technologies and interested in sharing the knowledge with others.
Follow Me:
Hello, Thanks for Notes.
Could you please help on this issue.
When i ran powershell script getting below error.
VERBOSE: Verifying WinRM service.
VERBOSE: PS Remoting is already enabled.
VERBOSE: SSL listener is already active.
VERBOSE: Basic auth is already enabled.
VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
Unable to establish an HTTP or HTTPS remoting session.
At D:\ConfigureRemotingForAnsible.ps1:404 char:5
+ Throw “Unable to establish an HTTP or HTTPS remoting session.”
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Unable to estab…moting session.:String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to establish an HTTP or HTTPS remoting session.
Can you confirm you have upgraded to powershell 3 or 4 on the machines before running ConfigureRemotingForAnsible.ps1. And also make sure firewall is stopped.