The majority of Windows hosts are working correctly. However, I have a
couple that are giving me an error "FAILED => the username/password
specified for this server was incorrect". The account I'm using to connect
is part of the local administrators group. I have run the pre-script on
these hosts and the WinRM settings appear to be correct. I checked DNS,
there is only one A and PTR record and both are correct.
If I try connecting with PowerShell I see this error:
new-pssession : [<fqdn>] Connecting to remote server <fqdn> failed with the
following error
message : WinRM cannot process the request. The following error with
errorcode 0x80090322 occurred while using Kerberos
authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port
does not exist.
-The client and remote computers are in different domains and there is no
trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS
transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following
command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ new-pssession -computername <fqdn> -sessionoption (new-pssession ...
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:
RemoteRunspace) [New-PSSession], PSRemotingTransport
Exception
+ FullyQualifiedErrorId : -2144108387,PSSessionOpenFailed
Investigating SPN, I see extra entries for http, probably from IIS needing
kerberos? Doing some searching online I see people added extra SPN entries
for port 5985 and 5986. Then, when connecting using PowerShell used the
-IncludePortInSPN PSSessionOption. This allowed me to connect using
PowerShell. However, I'm still not able to connect from Ansible. What would
be the equivalent fix for Ansible?
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/ae822ee5-b339-49b3-b805-992af25ea833%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
