I ran the winrs command from my laptop and got the following:...

Winrs error:The server certificate on the destination computer 
(quicker1.fyre.ibm.com:5986) has the following errors:
The SSL certificate is signed by an unknown certificate authority.
The SSL certificate contains a common name (CN) that does not match the 
hostname.

Could this be the issue?

I have changed a few things now, the winrm config is now as follows:-
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = false
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

Chris



On Thursday, July 11, 2019 at 9:55:22 PM UTC+1, Jordan Borean wrote:
>
> Then you can only go with what Windows is telling you which is the 
> credentials are incorrect. This could mean that AWX is not passing the 
> credentials properly or there is a typo somewhere. I don't think this is 
> the problem but you could be having issues because the 
> LocalAccountTokenFilterPolicy [1] value is not set to 1. You can use the 
> following PowerShell snippet to set this policy.
>
> # Registry location of the UAC remote-restriction policy
> $token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
> $token_prop_name = "LocalAccountTokenFilterPolicy"
> $token_key = Get-Item -Path $token_path
> $token_value = $token_key.GetValue($token_prop_name, $null)
> if ($token_value -ne 1) {
>     Write-Verbose "Setting LocalAccountTokenFilterPolicy to 1"
>     # Remove any existing value so it can be recreated as a DWORD
>     if ($null -ne $token_value) {
>         Remove-ItemProperty -Path $token_path -Name $token_prop_name
>     }
>     New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null
> }
>
>
> What this policy controls is whether Windows will create a limited or full 
> access token from network logons. A limited access token has privileged 
> groups like BUILTIN\Administrators and special privileges ripped out 
> and will cause an Authorisation failure (not Authentication) because WinRM 
> by default requires the Administrators group. Because the security 
> descriptor on the WinRM listener requires the Administrators group for a 
> user to access it, you need to have the full token.
>
> One other thing you can test is to try and connect to your Windows host 
> from another Windows host using the tools that Microsoft provides. I 
> recommend you run the following winrs command to see if you can connect 
> using the credentials you have:
>
> winrs -r:http://server:5985/wsman -u:Administrator -p:Password hostname.exe
>
> Obviously replace server and the password with whatever is relevant to you.
>
> [1] - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
>
> Thanks
>
> Jordan
>
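
Added example, not written by either poster: a Python parser for the `winrm get winrm/config` text pasted above. It tolerates a value that mail wrapping has pushed onto the next line and reports the service-side settings relevant to a rejected logon, including whether RootSDDL grants access to BUILTIN\Administrators (SDDL alias `BA`), the group the quoted reply refers to. The function names and summary keys are assumptions made for this example.

```python
# Excerpt of the dump posted above; RootSDDL is split the way mail wrapping splits it.
SAMPLE = """\
Config
    Service
        RootSDDL =
O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            CbtHardeningLevel = Relaxed
        CertificateThumbprint
        AllowRemoteAccess = true
"""

def parse_winrm_config(text):
    """Nested dicts from the indented dump; bare keys (no value) become {}."""
    root = {}
    stack, wrapped = [(-1, root)], None   # open sections as (indent, dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if wrapped:                       # previous "Key =" lost its value to a line wrap
            wrapped[0][wrapped[1]] = line
            wrapped = None
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:     # close sections we have dedented out of
            stack.pop()
        parent = stack[-1][1]
        key, sep, value = (p.strip() for p in line.partition("="))
        if sep:
            parent[key] = value
            wrapped = None if value else (parent, key)
        else:
            parent[key] = {}              # section header, or a bare key with no value
            stack.append((indent, parent[key]))
    return root

def service_summary(cfg):
    svc = cfg["Config"]["Service"]
    return {
        "accepted_auth": sorted(k for k, v in svc["Auth"].items() if v == "true"),
        "requires_encryption": svc["AllowUnencrypted"] == "false",
        "admins_granted_access": "(A;;GA;;;BA)" in (svc.get("RootSDDL") or ""),
        "service_thumbprint_set": bool(svc.get("CertificateThumbprint")),
    }
```

Calling `service_summary(parse_winrm_config(SAMPLE))` on the excerpt reports Kerberos and Negotiate as the only accepted mechanisms, with unencrypted traffic refused and no service certificate thumbprint set.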
