The default WinRM (5985) listener uses Kerberos both for authentication and 
encryption (so commands aren't sent in clear text), and it has a hard 
requirement on encryption (this can be turned off, but that is not 
recommended). PyWinRM is not (at this time at least) able to do Kerberos-based 
encryption (as opposed to authentication), which is why we use SSL-based 
encryption instead (on port 5986).

This lets us do what we need securely, while not tearing holes in Windows' 
default WinRM security.



On Tuesday, May 24, 2016 at 11:54:27 AM UTC+2, Alexander Fichel wrote:
>
> What is the point of running the ConfigureRemotingForAnsible.ps1 script if 
> I already have a listener on my windows:
>
> Type            Keys                                Name
> ----            ----                                ----
> Container       {Transport=HTTP, Address=*}         Listener_1084132640
>
> Since script adds a HTTPS listener, I wanted to try and run Ansible 
> playbook using non https port (5985)
>
> I am using ansible 2.0.2.0
>
> This works on port 5986 assuming I run the ConfigureRemotingForAnsible.ps1 
> script
>
> ansible_user: [email protected]
> ansible_port: 5986
> ansible_connection: winrm
> ansible_winrm_server_cert_validation: ignore
>
> But if I change to:
>
> ansible_user: [email protected]
> ansible_port: 5985
> ansible_connection: winrm
>
> I get error:
>
> WinRMTransportError: 500 WinRMTransport. Kerberos-based authentication was 
> failed. Code 500
> n2-3wbn-udin41.na.msds.rhi.com | FAILED! => {
>     "failed": true,
>     "msg": "failed to exec cmd PowerShell -NoProfile -NonInteractive 
> -ExecutionPolicy Unrestricted -EncodedCommand 
> U.................................
>
> Does this mean my windows servers are not configured to be authenticated 
> over HTTP?
>
>
>
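
The two variable sets quoted above differ in how the session is protected, and a small inventory check makes that visible. This is an added example, not part of the original thread or of Ansible itself; `parse_vars`, `audit_winrm`, the finding labels and the sample user name are assumptions made for illustration.

```python
# Added example: audit WinRM connection variables like those quoted above.
# Standard library only. Sample inputs below are constructed.

def parse_vars(text):
    """Parse flat 'key: value' lines (a simplification, not a YAML parser)."""
    hostvars = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            hostvars[key.strip()] = value.strip()
    return hostvars

def audit_winrm(hostvars):
    """Return a list of finding labels for one host's connection variables."""
    if hostvars.get("ansible_connection") != "winrm":
        return []
    port = int(hostvars.get("ansible_port", 5986))
    # Ansible uses https unless the port is 5985 or a scheme is set explicitly.
    scheme = hostvars.get("ansible_winrm_scheme",
                          "http" if port == 5985 else "https")
    validation = hostvars.get("ansible_winrm_server_cert_validation", "validate")
    findings = []
    if scheme == "http":
        # No TLS: protection depends on message-level (Kerberos) encryption,
        # which the reply above says PyWinRM could not do at the time.
        findings.append("http-no-tls")
    elif validation == "ignore":
        # TLS encrypts the session, but the server certificate is not
        # verified, so the client cannot tell which host it is talking to.
        findings.append("cert-not-validated")
    return findings

# Constructed samples modelled on the variables quoted in the thread.
HTTPS_IGNORE = """
ansible_user: user@EXAMPLE.COM
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
"""
HTTP_5985 = """
ansible_user: user@EXAMPLE.COM
ansible_port: 5985
ansible_connection: winrm
"""

if __name__ == "__main__":
    for name, text in (("5986/ignore", HTTPS_IGNORE), ("5985", HTTP_5985)):
        print(name, audit_winrm(parse_vars(text)))
```

A host on 5986 with a certificate the controller trusts, and no `ignore` override, produces no findings.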
