In our previous article, we discussed the basic authentication method, i.e. Managing Windows Machines with Ansible. In this article we will see how to manage a Windows machine with the CredSSP authentication method.
What is CredSSP (Credential Security Support Provider)?
CredSSP authentication is a newer authentication protocol that allows credential delegation. This is achieved by encrypting the username and password after authentication has succeeded and sending them to the server using the CredSSP protocol.
Because the username and password are sent to the server to be used for double-hop authentication, ensure that the hosts the Windows host communicates with are trusted and not compromised.
CredSSP can be used for both local and domain accounts and also supports message encryption over HTTP.
Prerequisites
Windows Machine :- In order for Ansible to manage your Windows machines, you have to enable and configure PowerShell remoting. For more details, please see the prerequisites section of Managing Windows Machines with Ansible.
CredSSP authentication is not enabled by default on a Windows host, but can be enabled by running the following in PowerShell:
Enable-WSManCredSSP -Role Server -Force
It can also be enabled with the ConfigureRemotingForAnsible.ps1 script by running the following in PowerShell:
powershell.exe -File ConfigureRemotingForAnsible.ps1 -Verbose -EnableCredSSP
Ansible Control Machine :- On the Ansible control machine we need the pywinrm Python module and the pyOpenSSL Python library installed. Make sure pyOpenSSL >= 17.3.0.
root@devops$ pip install "pywinrm>=0.2.2"
root@devops$ pip install "pyOpenSSL>=17.3.0"
Configure / Setup
Create the /etc/ansible/hosts inventory file and add the Windows machines you want to manage to it.
/etc/ansible/hosts
[windows]
dc01.devopstechie.com

[windows:vars]
ansible_user=administrator@DEVOPSTECHIE.COM
ansible_password=SecretPasswordGoesHere
ansible_port=5986
ansible_connection=winrm
ansible_winrm_transport=credssp
ansible_winrm_server_cert_validation=ignore
Now, using the Ansible win_ping module, you can test that the connection and setup are working:
[root@ansible devops]# ansible windows -m win_ping
dc01.devopstechie.com | success >> {
    "changed": false,
    "ping": "pong"
}
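As an added check (not part of the original article or of the Ansible project), the following PowerShell script, run in an elevated session on the Windows host, confirms that the CredSSP server role and an HTTPS listener for port 5986 are in place and shows which certificate that listener presents; because CredSSP hands the full username and password to this host, that certificate is what the control machine should validate instead of setting ansible_winrm_server_cert_validation=ignore.

```powershell
# Added example: audit the CredSSP / WinRM state on the managed Windows host
# after running "Enable-WSManCredSSP -Role Server -Force".
# Run from an elevated PowerShell prompt on the Windows machine itself.

# 1. CredSSP server role. Get-WSManCredSSP returns descriptive text lines
#    (client delegation state, then server state), not an object, so match on
#    the server line. A disabled server prints "is not configured to receive".
$credsspText   = (Get-WSManCredSSP) -join "`n"
$serverEnabled = $credsspText -match 'is configured to receive credentials'
Write-Host ("CredSSP server role enabled : {0}" -f $serverEnabled)

# 2. Cross-check the WSMan service auth setting the Ansible credssp transport
#    negotiates against (value is the string "true" or "false").
$authCredSSP = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
Write-Host ("Service\Auth\CredSSP        : {0}" -f $authCredSSP)

# 3. The inventory uses ansible_port=5986, so an HTTPS listener must exist.
#    Its certificate thumbprint is the one to pin or trust on the control
#    machine (e.g. via a CA bundle) rather than ignoring certificate validation.
$httpsListeners = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }

if (-not $httpsListeners) {
    Write-Warning 'No HTTPS WinRM listener found; Ansible with ansible_port=5986 will not connect.'
}

foreach ($listener in $httpsListeners) {
    $props = Get-ChildItem $listener.PSPath
    $port  = ($props | Where-Object Name -eq 'Port').Value
    $thumb = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    Write-Host ("HTTPS listener on port {0}, certificate thumbprint {1}" -f $port, $thumb)

    # 4. Resolve the thumbprint to the machine certificate and report its
    #    subject and expiry, so an expired or wrong-name certificate is caught
    #    here rather than hidden behind server_cert_validation=ignore.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if ($cert) {
        Write-Host ("  subject {0}, valid until {1}" -f $cert.Subject, $cert.NotAfter)
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning '  listener certificate has expired' }
    } else {
        Write-Warning '  listener thumbprint not found in Cert:\LocalMachine\My'
    }
}
```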
Reference: https://docs.ansible.com/ansible/devel/windows_winrm.html#credssp