Due to a time crunch, and because this is just for testing and my own edification, I enabled basic auth and it's working now. I want to understand better why I wasn't able to leave basic off and rely on the certification.

On Tuesday, September 13, 2022 at 3:05:49 PM UTC-5 Paul Briery wrote:

> I'm trying to understand Ansible better in order to use it in my company's
> production environment. In order to test and understand I've set up 2 VMs
> with Server 2019 and am using a Windows 2010 system with WSL enabled and
> Ubuntu 22.04. There is no domain setup in this configuration and I don't
> want to set one up. I do not want to use basic transport so I have created
> a cert to use. Basically, I've followed these steps
> <https://adamtheautomator.com/winrm-for-ansible/> and had success
> before. A week ago I decided that I was going to try retracing my steps
> and see if I could duplicate the results again. Sadly I have had no such
> luck. I get the following error when I try running a straight-up ansible
> command or using a playbook:
>
> 192.168.4.70 | UNREACHABLE! => {
>     "changed": false,
>     "msg": "ssl: the specified credentials were rejected by the server",
>     "unreachable": true
> }
>
> Obviously, I'm missing something that I had not before and I'm at my wit's
> end. The fixes I've seen posted are to use ntlm/Kerberos or enable basic.
> I'm not wanting to do either of these. I'm not sure about my cert. In
> this article
> <https://docs.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https>
> it states "If you have more than one local computer account server certificate
> installed, confirm the Certificate Thumbprint displayed by Winrm enumerate
> winrm/config/listener is the same Thumbprint on the *Details* tab of the
> certificate.". In the steps I followed I have 2 thumbprints: 1 for the
> server and 1 from the ansible host.
>
> $serverCert
>
> Thumbprint                                Subject
> ----------                                -------
> 65F93B914048C98A567C71B1F7831F9873C283DB  CN=WIN-C3EQOG6836M
>
> $ansibleCert
>
> Thumbprint                                Subject
> ----------                                -------
> 65D2499EB375E0B7064596D20AB096E21A184C69  CN=ansible
>
> From details tab in Cert MMC
> Trusted Root Certification Authorities/ansible & Trusted People
> 65d2499eb375e0b7064596d20ab096e21a184c69
>
> PS C:\Users\Administrator> Winrm enumerate winrm/config/listener
> Listener
>     Address = *
>     Transport = HTTP
>     Port = 5985
>     Hostname
>     Enabled = true
>     URLPrefix = wsman
>     CertificateThumbprint
>     ListeningOn = 127.0.0.1, 192.168.4.70, ::1, fd5e:d04:f269:1:6014:e42c:ba33:80ab, fe80::6014:e42c:ba33:80ab%6
>
> Listener
>     Address = *
>     Transport = HTTPS
>     Port = 5986
>     Hostname = WIN-C3EQOG6836M
>     Enabled = true
>     URLPrefix = wsman
>     CertificateThumbprint = 65F93B914048C98A567C71B1F7831F9873C283DB
>     ListeningOn = 127.0.0.1, 192.168.4.70, ::1, fd5e:d04:f269:1:6014:e42c:ba33:80ab, fe80::6014:e42c:ba33:80ab%6
>
> Should the thumbprint be the cert for the server or for the ansible user?
>
> Here is my winrm/config:
> Config
>     MaxEnvelopeSizekb = 500
>     MaxTimeoutms = 60000
>     MaxBatchItems = 32000
>     MaxProviderRequests = 4294967295
>     Client
>         NetworkDelayms = 5000
>         URLPrefix = wsman
>         AllowUnencrypted = false
>         Auth
>             Basic = true
>             Digest = true
>             Kerberos = true
>             Negotiate = true
>             Certificate = true
>             CredSSP = false
>         DefaultPorts
>             HTTP = 5985
>             HTTPS = 5986
>         TrustedHosts
>     Service
>         RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
>         MaxConcurrentOperations = 4294967295
>         MaxConcurrentOperationsPerUser = 1500
>         EnumerationTimeoutms = 240000
>         MaxConnections = 300
>         MaxPacketRetrievalTimeSeconds = 120
>         AllowUnencrypted = false
>         Auth
>             Basic = false
>             Kerberos = true
>             Negotiate = true
>             Certificate = true
>             CredSSP = false
>             CbtHardeningLevel = Relaxed
>         DefaultPorts
>             HTTP = 5985
>             HTTPS = 5986
>         IPv4Filter = *
>         IPv6Filter = *
>         EnableCompatibilityHttpListener = false
>         EnableCompatibilityHttpsListener = false
>         CertificateThumbprint
>         AllowRemoteAccess = true
>     Winrs
>         AllowRemoteShellAccess = true
>         IdleTimeout = 7200000
>         MaxConcurrentUsers = 2147483647
>         MaxShellRunTime = 2147483647
>         MaxProcessesPerShell = 2147483647
>         MaxMemoryPerShellMB = 2147483647
>         MaxShellsPerUser = 2147483647
>
> Also my ansible Inventory file:
> [windows]
> 192.168.4.70
> 192.168.4.71
>
> [windows:vars]
> ansible_user=ansible
> ansible_password=Password1!
> ansible_connection=winrm
> ansible_winrm_server_cert_validation=ignore
> ansible_port=5986
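
An added example, not part of the original messages: a Python check of the posted `[windows:vars]` section against the inventory variables Ansible's WinRM connection uses for client-certificate authentication (`ansible_winrm_transport`, `ansible_winrm_cert_pem`, `ansible_winrm_cert_key_pem`). The function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample: the [windows:vars] section as posted in the thread.
POSTED_VARS = """\
[windows:vars]
ansible_user=ansible
ansible_password=Password1!
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986
"""

# Inventory variables that point Ansible at the client certificate and its key.
CERT_VARS = ("ansible_winrm_cert_pem", "ansible_winrm_cert_key_pem")

def parse_group_vars(text, group):
    """Return key=value pairs from the [group:vars] section of an INI inventory."""
    found, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_section = header.group(1) == f"{group}:vars"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def audit_winrm_cert_auth(group_vars):
    """List reasons these variables do not set up WinRM client-certificate auth."""
    findings = []
    raw = group_vars.get("ansible_winrm_transport", "")
    transports = [t.strip() for t in raw.split(",") if t.strip()]
    if "certificate" not in transports:
        findings.append("ansible_winrm_transport does not include 'certificate'")
    for var in CERT_VARS:
        if var not in group_vars:
            findings.append(f"{var} is not set, so no client certificate is presented")
    if "ansible_password" in group_vars:
        findings.append("ansible_password is stored in cleartext in the inventory")
    if group_vars.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("server certificate validation is disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_winrm_cert_auth(parse_group_vars(POSTED_VARS, "windows")):
        print("-", finding)
```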
