Thanks Serge. I am glad to know I am not the only one experiencing that issue. As you mentioned above, this issue is reproducible over HTTP and HTTPS. I have been able to set up an encrypted connection using HTTPS and a self-signed certificate. However, my issue is with the authentication piece. The hardened AMI does not allow "basic" authentication for WinRM and when I try to use Packer's NTLM option it just doesn't work.

Do you know of a way to contact Packer developers to let them know about the NTLM malformed packet that you found?

Thanks again.

Andres

On Thursday, May 24, 2018 at 11:47:00 AM UTC-4, Serge Nikalaichyk wrote:
>
> Hello all!
>
> I'm having the same problem with the hardened Windows Server 2016 AMI that
> has Basic authentication explicitly disabled by the Group Policy.
> The use of NTLM authentication is the solution and it works fine from
> PowerShell and Ansible.
>
> The Packer's *winrm_use_ntlm* option just doesn't seem to work. The issue
> is reproducible over both HTTPS and HTTP.
> Wireshark log shows that NTLM packet is malformed.
>
> There is a similar issue on GitHub: winrm hyperv 401 error #6205
> <https://github.com/hashicorp/packer/issues/6205>
>
> On Thursday, May 10, 2018 at 1:34:33 AM UTC-5, Rickard von Essen wrote:
>>
>> Just to clarify, Packer does speak WinRM over HTTPS. See
>> https://www.packer.io/docs/templates/communicator.html#winrm_use_ssl
>>
>> On Thu, May 10, 2018, 05:22 Jordan Borean <[email protected]> wrote:
>>
>>> I believe the other issue is that Packer (or whatever libraries Packer
>>> uses for WinRM) does not encrypt the WinRM data so anything over http is in
>>> plaintext. You can disable the encryption check by running
>>>
>>> Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true
>>>
>>> This means that Windows will allow connections that do not encrypt the
>>> data but I doubt a hardened AMI would allow this change as it is quite
>>> insecure. What you really want to do is use a https listener which uses TLS
>>> to encrypt the data. This requires further steps as part of your
>>> bootstrapping process to create the self-signed cert and https listener but
>>> it can be done. In Ansible land we use
>>> https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>>
>>> but you will probably need to modify it to work on your AMI.
>>>
>>> Thanks
>>>
>>> Jordan
>>>
>>> --
>>> This mailing list is governed under the HashiCorp Community Guidelines -
>>> https://www.hashicorp.com/community-guidelines.html. Behavior in
>>> violation of those guidelines may result in your removal from this mailing
>>> list.
>>>
>>> GitHub Issues: https://github.com/mitchellh/packer/issues
>>> IRC: #packer-tool on Freenode
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "Packer" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/packer-tool/b72debbe-86b4-4cad-b6e3-ea82883b4b70%40googlegroups.com
>>> <https://groups.google.com/d/msgid/packer-tool/b72debbe-86b4-4cad-b6e3-ea82883b4b70%40googlegroups.com?utm_medium=email&utm_source=footer>.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
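
The bootstrapping step described in the thread (a self-signed certificate plus a WinRM HTTPS listener, with unencrypted traffic and Basic authentication left off) as an added PowerShell example; it is not code from the thread, from Packer, or from the linked Ansible script. Using the computer name as the certificate name and the firewall rule name `WinRM HTTPS (5986)` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: create a WinRM HTTPS listener backed by a self-signed
# certificate, then confirm the hardened service settings are still in place.
$ErrorActionPreference = 'Stop'

# Assumption: clients reach the instance by its computer name. Change this if
# the client validates the certificate against a different DNS name.
$DnsName = $env:COMPUTERNAME

# 1. Self-signed server certificate in the local machine store.
$cert = New-SelfSignedCertificate -DnsName $DnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Remove any stale HTTPS listener, then bind a new one to the certificate.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 3. Open TCP 5986 (WinRM over HTTPS) once. The rule name is an assumption.
$ruleName = 'WinRM HTTPS (5986)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# 4. Read the service settings instead of writing them: on a hardened image
#    they may be managed by Group Policy, in which case Set-Item would fail.
$unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
$basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
if ($unencrypted -ne 'false' -or $basic -ne 'false') {
    throw "WinRM service is not hardened: AllowUnencrypted=$unencrypted Basic=$basic"
}

# 5. Show the resulting listeners and the thumbprint a client could pin.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
"HTTPS listener certificate thumbprint: $($cert.Thumbprint)"
```

Because the certificate is self-signed, a client trusts it only after importing it or pinning the thumbprint printed in the last step.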
