Something like this will do it: https://social.technet.microsoft.com/wiki/contents/articles/18996.list-all-spns-used-in-your-active-directory.aspx
Oftentimes it's some random piece of software that reassigns a host's HTTP SPNs to do Kerberos in IIS with a custom user account. Normally the HTTP SPN is "implicit", so it shouldn't be assigned anywhere.

On Thursday, March 30, 2017 at 10:37:09 AM UTC-7, Michael Eaton wrote:
>
> Hey.
>
> How do I check the spn? I've already applied that pull to pywinrm...
>
> Thanks.
>
> Michael
>
> -------- Original message --------
> From: Matt Davis <[email protected]>
> Date: 30/03/2017 18:08 (GMT+00:00)
> To: Ansible Project <[email protected]>
> Subject: Re: [ansible-project] Kerberos Auth - the specified credentials were rejected by the server
>
> Is the target host's HTTP SPN assigned to a user (instead of the computer account) in AD? Pywinrm isn't currently patching the service override through to the kerb layer (see https://github.com/diyan/pywinrm/pull/144), so if you're in that situation, you'll have to wait for the next pywinrm release that includes that bugfix.
>
> On Thursday, March 30, 2017 at 9:36:50 AM UTC-7, Michael Eaton wrote:
>>
>> Thanks,
>>
>> That allowed me to get a bit further:
>>
>> TASK [Gathering Facts] ************************************************************
>>
>> Using module file /root/ansible/lib/ansible/modules/windows/setup.ps1
>> <appt-001-iom.IOM.DOMAIN.COM> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO appt-001-iom.IOM.DOMAIN.COM
>> creating Kerberos CC at /tmp/tmppm3JWz
>> calling kinit for principal [email protected]
>> kinit succeeded for principal [email protected]
>> <appt-001-iom.IOM.DOMAIN.COM> WINRM CONNECT: transport=kerberos endpoint=https://appt-001-iom.IOM.DOMAIN.COM:5986/wsman
>> <appt-001-iom.IOM.DOMAIN.COM> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
>> Traceback (most recent call last):
>>   File "/root/ansible/lib/ansible/plugins/connection/winrm.py", line 211, in _winrm_connect
>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>     res = self.send_message(xmltodict.unparse(req))
>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>     return self.transport.send_message(message)
>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>>     prepared_request = self.session.prepare_request(request)
>>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 407, in prepare_request
>>     hooks=merge_hooks(request.hooks, self.hooks),
>>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 306, in prepare
>>     self.prepare_auth(auth, url)
>>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 543, in prepare_auth
>>     r = auth(self)
>>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
>>     auth_header = self.generate_request_header(None, host, is_preemptive=True)
>>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
>>     raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
>> KerberosExchangeError: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
>>
>> fatal: [appt-001-iom.IOM.DOMAIN.COM]: UNREACHABLE! => {
>>     "changed": false,
>>     "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
>>     "unreachable": true
>> }
>> to retry, use: --limit @/root/ansible-iom/windows.retry
>>
>> As you can see the ticket request succeeds but I still get the error about the server not being found. DNS looks good - I can resolve both ways, WinRM config...
>>
>> Config
>>     MaxEnvelopeSizekb = 500
>>     MaxTimeoutms = 60000
>>     MaxBatchItems = 32000
>>     MaxProviderRequests = 4294967295
>>     Client
>>         NetworkDelayms = 5000
>>         URLPrefix = wsman
>>         AllowUnencrypted = false
>>         Auth
>>             Basic = true
>>             Digest = true
>>             Kerberos = true
>>             Negotiate = true
>>             Certificate = true
>>             CredSSP = false
>>         DefaultPorts
>>             HTTP = 5985
>>             HTTPS = 5986
>>         TrustedHosts
>>     Service
>>         RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
>>         MaxConcurrentOperations = 4294967295
>>         MaxConcurrentOperationsPerUser = 1500
>>         EnumerationTimeoutms = 240000
>>         MaxConnections = 300
>>         MaxPacketRetrievalTimeSeconds = 120
>>         AllowUnencrypted = true
>>         Auth
>>             Basic = true
>>             Kerberos = true
>>             Negotiate = true
>>             Certificate = false
>>             CredSSP = false
>>             CbtHardeningLevel = Relaxed
>>         DefaultPorts
>>             HTTP = 5985
>>             HTTPS = 5986
>>         IPv4Filter = *
>>         IPv6Filter = *
>>         EnableCompatibilityHttpListener = false
>>         EnableCompatibilityHttpsListener = false
>>         CertificateThumbprint
>>         AllowRemoteAccess = true
>>     Winrs
>>         AllowRemoteShellAccess = true
>>         IdleTimeout = 7200000
>>         MaxConcurrentUsers = 2147483647
>>         MaxShellRunTime = 2147483647
>>         MaxProcessesPerShell = 2147483647
>>         MaxMemoryPerShellMB = 2147483647
>>         MaxShellsPerUser = 2147483647
>>
>> Let me know if you need anything further - any ideas?
>>
>> Best Regards,
>>
>> Michael Eaton | DevOps Engineer
>>
>> T: +44 (0) 203 4688271 | M: +44 (0) 7624 267 407
>> E: [email protected]
>> W: www.iforium.com
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Jordan Borean
>> Sent: 29 March 2017 21:56
>> To: Ansible Project <[email protected]>
>> Subject: [ansible-project] Kerberos Auth - the specified credentials were rejected by the server
>>
>> Are you able to set ansible_winrm_transport to Kerberos and see if that works out. I also believe in 2.4 there was a change made where ansible will get the Kerberos ticket for you removing the need for getting it manually beforehand. Another thing that would be good to know is the output of 'winrm get winrm/config' when running on your windows server.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/42d42ccf-bc8f-4097-9686-d3afb618cb78%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
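The SPN check the reply points at, as an added example that is not code from this thread, from pywinrm or from Ansible. Where the linked TechNet script lists every SPN in the forest, this narrows the question to one WinRM target: which AD object, if any, explicitly holds its HTTP SPN, and whether that object is a user or a computer account. It assumes Windows PowerShell on a domain-joined host with ordinary domain-user read access (no RSAT module needed); the target name is the host from the thread and is only a placeholder, and the function names are this example's own.

```powershell
# Added example, not code from the thread or from pywinrm/Ansible.
# Assumptions: Windows PowerShell on a domain-joined host, run as a domain
# user with read access to AD; no ActiveDirectory module required.
# $Target is the host name from the thread, used only as a placeholder.

$Target = 'appt-001-iom.IOM.DOMAIN.COM'

function Get-HttpSpnOwner {
    param([Parameter(Mandatory)][string]$HostName)

    $short = $HostName.Split('.')[0]
    # Match the forms a WinRM client can ask for: FQDN, short name, and the
    # port-qualified variants. ${HostName}: is needed so PowerShell does not
    # parse "$HostName:5985" as a scope-qualified variable.
    $clauses = @(
        "(servicePrincipalName=HTTP/$HostName)"
        "(servicePrincipalName=HTTP/${HostName}:5985)"
        "(servicePrincipalName=HTTP/${HostName}:5986)"
        "(servicePrincipalName=HTTP/$short)"
    ) -join ''

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)
    $searcher.Filter     = "(|$clauses)"
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'objectClass', 'servicePrincipalName'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # objectClass carries the inheritance chain; the last entry is the
            # concrete class: 'user' for a user account, 'computer' for a machine.
            $class = @($r.Properties['objectclass'])[-1]
            [pscustomobject]@{
                Account = [string]$r.Properties['samaccountname'][0]
                Class   = [string]$class
                Spns    = @($r.Properties['serviceprincipalname'] |
                              Where-Object { $_ -like "HTTP/$short*" })
            }
        }
    } finally {
        $results.Dispose()
    }
}

function Test-HostSpnCoversHttp {
    # Why an "implicit" HTTP SPN works when nothing is registered: in a default
    # forest the KDC maps service classes onto HOST/ through the sPNMappings
    # attribute of the Directory Service object, and that host= list includes
    # http. If http is missing there, an unregistered HTTP SPN will not be
    # satisfied by the computer account's HOST/ SPN.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $dsObj    = [ADSI]('LDAP://CN=Directory Service,CN=Windows NT,CN=Services,' +
                       $rootDse.configurationNamingContext)
    $mappings = [string[]]$dsObj.sPNMappings
    $hostMap  = $mappings | Where-Object { $_ -like 'host=*' } | Select-Object -First 1
    if (-not $hostMap) { return $false }
    $services = $hostMap.Substring(5).Split(',')
    return ($services -contains 'http')
}

$owners = @(Get-HttpSpnOwner -HostName $Target)
if ($owners.Count -eq 0) {
    "No explicit HTTP SPN for $Target."
    if (Test-HostSpnCoversHttp) {
        "HTTP is covered by HOST/$($Target.Split('.')[0]) on the computer account (implicit SPN)."
    } else {
        "WARNING: the host-to-http mapping is absent; the KDC will not fall back to the HOST/ SPN."
    }
} else {
    foreach ($o in $owners) {
        '{0} ({1}) holds: {2}' -f $o.Account, $o.Class, ($o.Spns -join ', ')
        if ($o.Class -eq 'user') {
            '  -> HTTP SPN is on a user account, so the service ticket is issued for that'
            '     account rather than the computer. This is the case the reply above asks about.'
        }
    }
}
```

A quick cross-check without any script is `setspn -Q HTTP/appt-001-iom.IOM.DOMAIN.COM`, which searches the forest for that exact SPN and prints the owning object, and `setspn -L <account>` lists everything registered on a given account. If the HTTP SPN turns up on a user account, that is the situation the reply describes; with no explicit HTTP SPN and `http` present in the `host=` mapping, a "Server not found in Kerberos database" error is more likely a name or realm mismatch in what the client requested than a missing SPN.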
