Ansible: Manage Windows machine with Ansible by CredSSP


In our previous article, Managing Windows Machines with Ansible, we discussed the basic authentication technique. In this article we will manage a Windows machine using the CredSSP authentication method.

What is CredSSP (Credential Security Support Provider)?

CredSSP authentication is a newer authentication protocol that allows credential delegation. This is achieved by encrypting the username and password after authentication has succeeded and sending that to the server using the CredSSP protocol.

Because the username and password are sent to the server to be used for double hop authentication, ensure that the hosts that the Windows host communicates with are not compromised and are trusted.

CredSSP can be used for both local and domain accounts and also supports message encryption over HTTP.

Prerequisites

Windows Machine: In order for Ansible to manage your Windows machines, you will have to enable and configure PowerShell remoting. For more details, please see the prerequisites section of Managing Windows Machines with Ansible.

CredSSP authentication is not enabled by default on a Windows host, but it can be enabled by running the following in PowerShell:

Enable-WSManCredSSP -Role Server -Force

It can also be enabled with the ConfigureRemotingForAnsible.ps1 script by running the following in PowerShell:

powershell.exe -File ConfigureRemotingForAnsible.ps1 -Verbose -EnableCredSSP


Ansible Control Machine: On the Ansible control machine, the Python pywinrm module and the pyOpenSSL library must be installed. Make sure pyOpenSSL is version 17.3.0 or later.

root@devops$ pip install "pywinrm>=0.2.2"
root@devops$ pip install "pyOpenSSL>=17.3.0"

 

Configure / Setup

Create the /etc/ansible/hosts inventory file and add the Windows machines you want to manage to it.
/etc/ansible/hosts

[windows]
dc01.devopstechie.com

[windows:vars]
ansible_user=administrator@DEVOPSTECHIE.COM
ansible_password=SecretPasswordGoesHere
ansible_port=5986
ansible_connection=winrm
ansible_winrm_transport=credssp
# ignore skips TLS certificate verification of the WinRM HTTPS listener
ansible_winrm_server_cert_validation=ignore
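
Because CredSSP delegates the username and password to the target host, the inventory settings above deserve a review before use. The following is an added example, not part of the original article or of Ansible itself: a small audit of an INI inventory that flags disabled certificate validation, a password stored in clear text, and groups that use CredSSP delegation. The sample inventory, the finding names and the treatment of a `{{ ... }}` value as a vaulted variable reference are assumptions made for illustration.

```python
# Added example (constructed sample data): audit WinRM/CredSSP inventory settings.
SAMPLE_INVENTORY = """\
[windows]
dc01.example.test

[windows:vars]
ansible_user=administrator@EXAMPLE.TEST
ansible_password=SecretPasswordGoesHere
ansible_connection=winrm
ansible_winrm_transport=credssp
ansible_winrm_server_cert_validation=ignore
"""
PASSWORD_KEYS = ("ansible_password", "ansible_winrm_password")

def parse_group_vars(text):
    """Return {group: {key: value}} for every [group:vars] section."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate indented keys
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = groups.setdefault(name[:-5], {}) if name.endswith(":vars") else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return groups

def audit(text):
    """Return sorted (group, finding) tuples for WinRM groups."""
    findings = []
    for group, v in parse_group_vars(text).items():
        if v.get("ansible_connection") != "winrm":
            continue
        # Without certificate validation the server's identity is unverified.
        if v.get("ansible_winrm_server_cert_validation") == "ignore":
            findings.append((group, "cert-validation-disabled"))
        # Assumption: a "{{ ... }}" value is a reference to a vaulted variable.
        if any(k in v and not v[k].startswith("{{") for k in PASSWORD_KEYS):
            findings.append((group, "plaintext-password"))
        # CredSSP hands the credentials to the target: it must be trusted.
        if v.get("ansible_winrm_transport") == "credssp":
            findings.append((group, "credssp-delegation"))
    return sorted(findings)

if __name__ == "__main__":
    for group, finding in audit(SAMPLE_INVENTORY):
        print(f"{group}: {finding}")
```

Setting `ansible_winrm_server_cert_validation=validate` and moving the password into an Ansible Vault variable clears the first two findings; the delegation finding remains as a reminder that every host in the group receives the credentials.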

 

Now, using the Ansible win_ping module, you can test that the connection and setup are working:

[root@ansible devops]# ansible windows -m win_ping
dc01.devopstechie.com | success >> {
    "changed": false,
    "ping": "pong"
}

Reference: https://docs.ansible.com/ansible/devel/windows_winrm.html#credssp

Avinash Pawar

DevOps Practitioner interested in learning new technologies and interested in sharing the knowledge with others.


2 thoughts to “Ansible: Manage Windows machine with Ansible by CredSSP”

  1. Hello, thanks for the notes.
    Could you please help with this issue?
    When I ran the PowerShell script, I got the error below.

    VERBOSE: Verifying WinRM service.
    VERBOSE: PS Remoting is already enabled.
    VERBOSE: SSL listener is already active.
    VERBOSE: Basic auth is already enabled.
    VERBOSE: Firewall rule already exists to allow WinRM HTTPS.
    Unable to establish an HTTP or HTTPS remoting session.
    At D:\ConfigureRemotingForAnsible.ps1:404 char:5
    + Throw “Unable to establish an HTTP or HTTPS remoting session.”
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (Unable to estab…moting session.:String) [], RuntimeException
    + FullyQualifiedErrorId : Unable to establish an HTTP or HTTPS remoting session.
