[ansible-project] Re: "msg": "basic: the specified credentials were rejected by the server" - Please help

[Jordan Borean]

Then you can only go with what Windows is telling you which is the 
credentials are incorrect. This could mean that AWX is not passing the 
credentials properly or there is a typo somewhere. I don't think this is 
the problem but you could be having issues because the 
LocalAccountTokenFilterPolicy [1] value is not set to 1. You can use the 
following PowerShell snippet to set this policy.

$token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$token_prop_name = "LocalAccountTokenFilterPolicy"
$token_key = Get-Item -Path $token_path
$token_value = $token_key.GetValue($token_prop_name, $null)
if ($token_value -ne 1) {
    Write-Verbose "Setting LocalAccountTOkenFilterPolicy to 1"
    if ($null -ne $token_value) {
        Remove-ItemProperty -Path $token_path -Name $token_prop_name
    }
    New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 
-PropertyType DWORD > $null
}


What this policy controls is whether Windows will create a limited or full 
access token from network logons. A limited access token has privileges 
groups like the BUILTIN\Administrators and special privileges ripped out 
and will cause an Authorisation failure (not Authentication) because WinRM 
by default requires the Administrators group. Because the security 
descriptor on the WinRM listener requires the Administrators group for a 
user to access it, you need to have the full token.

One other thing you can test is to try and connect to your Windows host 
from another Windows host using the tools that Microsoft provides. I 
recommend you run the following winrs command to see if you can connect 
using the credentials you have;

winrs -r:http://server:5985/wsman -u:Administrator -p:Password hostname.exe

Obviously replace server and the password with whatever is relevant to you.

[1] - 
https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows

Thanks

Jordan

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/fcc7c99f-6f91-4d69-9657-a1050bc813fd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.