Ansible: Manage Windows machine with Ansible by CredSSP

Avinash Pawar Ansible, DevOps
  • 22
    Shares

In our previous article, we discussed basic authentication technique i.e. Managing Windows Machines with Ansible. In this article we will see managing windows machine by CredSSP authentication method.

What is CredSSP (Credential Security Support Provider)?

CredSSP authentication is a newer authentication protocol that allows credential delegation. This is achieved by encrypting the username and password after authentication has succeeded and sending that to the server using the CredSSP protocol.

Because the username and password are sent to the server to be used for double hop authentication, ensure that the hosts that the Windows host communicates with are not compromised and are trusted.

CredSSP can be used for both local and domain accounts and also supports message encryption over HTTP.

Prerequisites

Windows Machine :- In order for Ansible to manage your windows machines, you will have to enable and configure PowerShell remoting. For more details, please visit prerequisite section of Managing Windows Machines with Ansible.
CredSSP authentication is not enabled by default on a Windows host, but can be enabled by running the following in PowerShell:

Enable-WSManCredSSP -Role Server -Force

Also it can be enabled by using ps1 script, running the following in PowerShell:

powershell.exe -File ConfigureRemotingForAnsible.ps1 -Verbose -EnableCredSSP


Ansible Control Machine :- On Ansible control machine we need to have python winrm module to be installed and pyOpenSSL python library. Make sure pyOpenSSL >=17.3.0

root@devops$ pip install "pywinrm>=0.2.2"
root@devops$ pip install "pyOpenSSL>=17.3.0"

 

Configure / Setup

Create /etc/ansible/hosts inventory file, you can add the Windows machines into this file you want to manage.
/etc/ansible/hosts

[windows]
dc01.devopstechie.com

[windows:vars]
 ansible_user=administrator@DEVOPSTECHIE.COM
 ansible_pass=SecretPasswordGoesHere
 ansible_port=5986
 ansible_connection=winrm
 ansible_winrm_transport=credssp
 ansible_winrm_server_cert_validation=ignore

 

Now by using Ansible win_ping module you can test connection/setup is working

[root@ansible devops]# ansible windows -m win_ping
dc01.devopstechie.com | success >> {
    "changed": false,
    "ping": "pong"
}

Reference: https://docs.ansible.com/ansible/devel/windows_winrm.html#credssp

Avinash Pawar

An automation enthusiast who presently working as DevOps Engineer.

More Posts - Website

Follow Me:
TwitterFacebookLinkedInGoogle Plus

Related Posts:

Avinash Pawar

An automation enthusiast who presently working as DevOps Engineer.