I ran the winrs command from my laptop and got the following:

Winrs error: The server certificate on the destination computer (quicker1.fyre.ibm.com:5986) has the following errors:
The SSL certificate is signed by an unknown certificate authority.
The SSL certificate contains a common name (CN) that does not match the hostname.
Could this be the issue?
I have changed a few things now; the winrm config is now as follows:
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = false
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647
Chris
On Thursday, July 11, 2019 at 9:55:22 PM UTC+1, Jordan Borean wrote:
>
> Then you can only go with what Windows is telling you, which is that the
> credentials are incorrect. This could mean that AWX is not passing the
> credentials properly or there is a typo somewhere. I don't think this is
> the problem, but you could be having issues because the
> LocalAccountTokenFilterPolicy [1] value is not set to 1. You can use the
> following PowerShell snippet to set this policy.
>
> $token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
> $token_prop_name = "LocalAccountTokenFilterPolicy"
> $token_key = Get-Item -Path $token_path
> $token_value = $token_key.GetValue($token_prop_name, $null)
> if ($token_value -ne 1) {
>     Write-Verbose "Setting LocalAccountTokenFilterPolicy to 1"
>     # Remove any existing value (e.g. a REG_SZ) so the DWORD can be created cleanly
>     if ($null -ne $token_value) {
>         Remove-ItemProperty -Path $token_path -Name $token_prop_name
>     }
>     New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null
> }
>
>
> What this policy controls is whether Windows will create a limited or full
> access token from network logons. A limited access token has privileged
> groups like BUILTIN\Administrators and special privileges ripped out,
> and will cause an Authorisation failure (not Authentication) because WinRM
> by default requires the Administrators group. Because the security
> descriptor on the WinRM listener requires the Administrators group for a
> user to access it, you need to have the full token.
>
> One other thing you can test is to try and connect to your Windows host
> from another Windows host using the tools that Microsoft provides. I
> recommend you run the following winrs command to see if you can connect
> using the credentials you have;
>
> winrs -r:http://server:5985/wsman -u:Administrator -p:Password hostname.exe
>
> Obviously replace server and the password with whatever is relevant to you.
>
> [1] -
> https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
>
> Thanks
>
> Jordan
>
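What the two winrs errors above are actually checking, as an added example that is not code from Chris's or Jordan's messages: a PowerShell function to run in an elevated shell on the WinRM server itself (quicker1 in this thread). It assumes the standard WSMan provider layout, where the HTTPS listener under WSMan:\localhost\Listener carries the thumbprint of its bound certificate and that certificate lives in Cert:\LocalMachine\My. The function name and the output fields are this example's own; quicker1.fyre.ibm.com is the hostname taken from the thread.

```powershell
# Added example (not from the thread). Run ON the WinRM server in an elevated
# PowerShell. It finds the HTTPS listener, loads the certificate bound to it and
# reports the two conditions winrs complained about: whether the name the client
# connects to appears in the certificate, and whether the issuing CA chains to a
# trusted root. Function name and output shape are this example's own choices.

function Test-WinRmHttpsListenerCert {
    param(
        # The exact name the client uses in -r:https://<name>:5986
        [Parameter(Mandatory)] [string] $ExpectedHostName
    )

    # Walk WSMan:\localhost\Listener and pick the listener whose Transport is HTTPS.
    $httpsListener = $null
    foreach ($l in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $props = Get-ChildItem -Path $l.PSPath
        if (($props | Where-Object Name -eq 'Transport').Value -eq 'HTTPS') {
            $httpsListener = $props
            break
        }
    }
    if (-not $httpsListener) { throw 'No HTTPS listener is configured on this host.' }

    # The listener carries the thumbprint of the certificate it presents to clients.
    $thumbprint = (($httpsListener | Where-Object Name -eq 'CertificateThumbprint').Value) -replace '\s', ''
    if (-not $thumbprint) { throw 'The HTTPS listener has no CertificateThumbprint bound.' }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"

    # Check 1 (the "CN does not match the hostname" error): collect the subject
    # DNS name plus every DNS entry in the subjectAltName extension (OID 2.5.29.17).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    $names = @($cert.GetNameInfo($nameType::DnsName, $false))
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names += ($sanExt.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1] }
    }
    $names = $names | Where-Object { $_ } | Sort-Object -Unique
    # -like lets a wildcard entry such as *.fyre.ibm.com match the expected FQDN.
    $nameMatches = [bool]($names | Where-Object { $ExpectedHostName -like $_ })

    # Check 2 (the "unknown certificate authority" error): build a chain to a
    # trusted root using THIS machine's store. The client validates against its
    # own store, so a pass here proves the chain is buildable, not that the
    # laptop trusts the issuer. Revocation is skipped to keep the test offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NamesInCert  = ($names -join ', ')
        NameMatches  = $nameMatches
        ChainTrusted = $chainOk
        ChainStatus  = $(if ($chainOk) { 'OK' } else { $chainStatus })
        ExpiresUtc   = $cert.NotAfter.ToUniversalTime()
    }
}

# Hostname taken from the thread; substitute the name your client actually uses.
Test-WinRmHttpsListenerCert -ExpectedHostName 'quicker1.fyre.ibm.com' | Format-List
```

If NameMatches is false, the certificate must be reissued with the FQDN the client uses in its subjectAltName; if ChainTrusted is false, or true here but the laptop still reports an unknown CA, the issuer needs to be in the client's Trusted Root Certification Authorities store. From the laptop, `Test-WSMan -ComputerName quicker1.fyre.ibm.com -UseSSL` reproduces the same validation, and a session built with `New-PSSessionOption -SkipCACheck -SkipCNCheck` will show whether the rest of the path (authentication, and the RootSDDL authorisation Jordan described) works once the certificate problem is out of the way. Those two switches disable the only protection against a man-in-the-middle on 5986, so treat them as a diagnostic step, not a fix.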