Thank you Alvaro,

I have used "User Data" to send the WinRM Configuration script, etc. 
However, the script fails because the GPO that is configured in this 
Hardened version of Windows does not allow "Basic Authentication" in WinRM 
to be enabled.

If I use the regular version of Windows 2012, the script works and Packer 
can connect to the instance. But I have not been able to make it work with 
this "Hardened" version.

I read in the Packer documentation site that it supports Basic 
Authentication and NTLM Authentication.

Have you used NTLM Authentication in the past with Packer?  

Thanks again.

Andres

On Monday, May 7, 2018 at 2:24:21 PM UTC-4, Andres Urrutia wrote:
>
> Hi,
>
> I am trying to use Packer to build new AMIs using the Windows 2012 CIS 
> Benchmark (Hardened) image as the Source AMI:
>
> https://aws.amazon.com/marketplace/pp/B00UVT62LG
>
> The problem I am facing is that Packer is not able to connect to the EC2 
> instance via WinRM once the server is up. The following is the error I get 
> in the 'packer.log' file that is generated:
>
> 2018/05/07 18:04:20 packer: 2018/05/07 18:04:20 [ERROR] connection error: 
> http response error: 401 - invalid content type
> 2018/05/07 18:04:20 packer: 2018/05/07 18:04:20 [ERROR] WinRM connection 
> err: http response error: 401 - invalid content type
>
> After troubleshooting for many days, I found out that the following GPO 
> that is automatically enabled by this Hardened AMI is what's causing Packer 
> to time out and fail:
>
> HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowBasic
>
> The GPO restricts the use of Basic Authentication. If I manually RDP into 
> the instance and enable that from the Policy Editor, Packer 
> successfully connects to the instance.
>
> I read the Packer documentation and there is a way to change the 
> Authentication mechanism by setting the field "winrm_use_ntlm" to True. I 
> tried doing that but Packer is still timing out when it tries to connect to 
> the instance via WinRM.
>
> Has anybody seen this issue in the past? Is there a way to configure 
> Packer to connect to this instance using "Non-Basic Authentication" and 
> without having to manually edit the GPO?
>
> Thanks for the support!
>
> Andres
>
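
A read-only check for the situation described in this thread, added here as an example (it is not from the poster, the Packer project or its documentation): it lists every value under the WinRM service policy key quoted above and the authentication settings the WinRM service is actually using, so you can see which mechanisms the hardened image permits and which are pinned by policy. It assumes an elevated PowerShell 3.0+ session on the instance with the WinRM service running; the function names are hypothetical.

```powershell
# Added example: report WinRM service authentication settings and whether
# Group Policy controls them. Read-only; changes nothing on the host.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service'

function Get-WinRMPolicyValues {
    # Enumerate whatever values exist under the policy key (none if absent).
    param([string]$Path = $policyKey)
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Name  = $name
            Value = $key.GetValue($name)
            Kind  = $key.GetValueKind($name)
        }
    }
}

function Get-WinRMServiceAuth {
    # Effective settings as the service sees them. SourceOfValue is filled in
    # when a setting comes from policy rather than local configuration.
    Get-ChildItem -Path 'WSMan:\localhost\Service\Auth' |
        Select-Object Name, Value, SourceOfValue
}

$policy = @(Get-WinRMPolicyValues)
$auth   = @(Get-WinRMServiceAuth)

'--- Values under the WinRM service policy key ---'
if ($policy.Count -eq 0) { 'No policy values present.' }
else { $policy | Format-Table -AutoSize | Out-String }

'--- Effective WinRM service authentication settings ---'
$auth | Format-Table -AutoSize | Out-String

# AllowBasic is the value named in this thread.
$allowBasic = $policy | Where-Object { $_.Name -eq 'AllowBasic' }
if ($allowBasic) {
    "AllowBasic is set by policy to $($allowBasic.Value); local WinRM configuration cannot override it."
} else {
    'AllowBasic is not set by policy; the local WinRM configuration decides.'
}

# Mechanisms a client could use without any policy change.
$enabled = $auth | Where-Object { $_.Value -eq 'true' } | ForEach-Object { $_.Name }
"Mechanisms currently enabled on the service: $($enabled -join ', ')"
```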
