[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 500

I ran into this. Upgrading the python modules *pykerberos* and *pywinrm* fixed it for me. On Wednesday, September 29, 2021 at 6:26:23 AM UTC-7 gajendra@gmail.com wrote: > Good evening All > > I am facing a small issue, could you please let me out > > This works if i allow unencrypted is

[ansible-project] Re: Kerberos authentication failed on windows

That's because you are telling it to run on windows_server but have defined the username in the windows group. Based on your inventory 'windows_server' is not part of the 'windows' group so has no username/password defined. The reason why it may have worked before is if you've gotten the

[ansible-project] Re: Kerberos authentication failed on windows

Oh! Here is the reported error: fatal: [test.domain.com]: UNREACHABLE! => {"changed": false, "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0)',

[ansible-project] Re: Kerberos authentication failed on windows

You need to share the error you are getting back, right now we cannot tell what is going wrong. On Tuesday, July 28, 2020 at 8:32:50 AM UTC+10 workema...@gmail.com wrote: > Hello, > Kerberos authentication is failing on some servers even after providing > credentials in host file. > > *Host

[ansible-project] Re: "kerberos: HTTPSConnectionPool(host='win-xx.ca.local', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certif

Thanks ! that was it Nice catch ... On Tuesday, June 2, 2020 at 12:49:08 AM UTC-7, Jordan Borean wrote: > > The key you want to use is ‘ansible_winrm_server_cert_validation’, you > were missing the server part >

[ansible-project] Re: kerberos

Kerberos is highly dependent on DNS from working. With Kerberos the client builds an SPN in the format 'HTTP/, in your case that will be 'HTTP/10.50.1.231'. Active directory only creates automatic SPNs using the DNS name of a host, i.e. 'HTTP/hostname.domain.com' so that's the SPN that needs

[ansible-project] Re: kerberos

ok I got kerberos working now. but only via port 5986 why is that? On Friday, May 15, 2020 at 12:58:37 PM UTC-7, Tony Wong wrote: > > trying to get kerberos to work . I got all the libraries and krb5.conf > file setup. I got a ticket from klist but when i do win_ping > > I get errors > > >

[ansible-project] Re: kerberos: the python kerberos library is not installed

After installing the python3-devel package, i was able to install the pykerberos successfully. Now i am able to win_ping using the kerberos credentials. Thanks On Monday, January 27, 2020 at 4:49:28 PM UTC-4, Jordan Borean wrote: > > That's telling you it can't compile the pykerberos library,

[ansible-project] Re: kerberos: the python kerberos library is not installed

That's telling you it can't compile the pykerberos library, it's trying to find headers that are not present. In this case you need the python3-devel package installed with yum/dnf. These headers are different from the Python 2 headers which is why you can install pykerberos in Python 2 and not

[ansible-project] Re: kerberos: the python kerberos library is not installed

Ansible is default to python3 [ansible@NBP-HO7-Ansible01 windows]$ echo $ANSIBLE_PYTHON /usr/bin/python3 And when I do pip list for pip3, kerberos doesnt get listed, its available only for pip 2. I did try to install using pip3 but just getting error as following [ansible@NBP-HO7-Ansible01

[ansible-project] Re: kerberos: the python kerberos library is not installed

Sinc pywinrm 0.4.0, requests-kerberos is not actually used so in your case we don't really have to worry about that particular library in your pywinrm version. The pykerberos library is still required but it looks like you do have it there. Also you are saying you have both Python 2.7 and 3.6

Re: [ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

I tried with Kerberos I am getting error Msg: Kerberos: requested with method is jerboas, but request- kerbose is not installed I tried to run cmd pip install request-kerberos But firewall restricting Is there any other way Thanks On Mon, Dec 3, 2018 at 12:58 PM Nk Chitturi wrote: > Use

Re: [ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

Use Kerbors it works. Sent from my iPhone > On Dec 2, 2018, at 4:27 PM, sateeshaz...@gmail.com wrote: > > hi, > > [webserver] > ssk.ms.com > > [webserver:vars] > ansible_user=windows > ansible_password=PWD > ansible_connection=winrm > ansible_winrm_transport=basic > ansible_winrm_scheme=http

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

hi, [webserver] ssk.ms.com [webserver:vars] ansible_user=windows ansible_password=PWD ansible_connection=winrm ansible_winrm_transport=basic ansible_winrm_scheme=http ansible_port=5985 #ansible_winrm_operation_timeout_sec=60 #ansible_winrm_read_timeout_sec=70

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

Hi, I am getting following error when i am trying to run a playbook to config a windows machine, Msg: basic: Bad HTTP response returned from server . code 404. actually the error getting at gathering facts: i have given my windows host name On Tuesday, May 2, 2017 at 2:33:36 PM UTC-4, Allen

[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 400

Hi, I had a similar issue and you guys were spot on. Removing these lines solved my problem: default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 Thanks. Leo On Saturday, 3 March 2018 06:31:47 UTC+11, matt...@redhat.com

[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 400

Yep, the non-default encryption setting is almost certainly the issue. Can you file a bug on https://github.com/02strich/pykerberos? No promises that we'll get to it, but I have a couple ideas as to what might be causing it. I *think* the fix could be pretty simple (there's a code path in there

[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 400

Without testing it I believe there may be an issue with the RC4 encryption that is being used. Will have to try it out but that is a pretty old protocol and believed to be broken. While we should still look at fixing it, you should look at adding in one of the AES types on your krb5.conf file

[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 400

I hope I got all: (venv_ansible)[userid@ansiblehost ~/ansible_test]$ pip list ansible (2.4.3.0) asn1crypto (0.24.0) bcrypt (3.1.4) certifi (2018.1.18) cffi (1.11.5) chardet (3.0.4) cryptography (2.1.4) enum34 (1.1.6) idna (2.6) ipaddress (1.0.19) Jinja2 (2.10) MarkupSafe (1.0) ntlm-auth (1.0.6)

[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 400

Yes, this means the message encryption done with Kerberos is failing for whatever reason and producing a malformed message. This encryption support was added in pywinrm 0.3.0 and it would be great to find out what may been happening to cause it to fail as it is quite important to use it when

[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 400

It isn't a transient error, it occurs always in this setup with the mentioned module versions. Tested with different windows versions. Everything is working find with your suggestions: ansible_port=5986 and also with ansible_winrm_message_encryption=never So problem solved for me, thank you

[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 400

On a related note: maybe try just tweaking the existing setup to use `ansible_winrm_message_encryption=never` on your Windows host(s) in the inventory or via `-e` to prove if it's related to the new message encryption support. You've clearly been running unencrypted in the past- we'll leave

[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 400

Just wondering if this is a transient error? I have occasionally had problems when the windows host is applying windows updates or running ngen to recompile dotnet code following installation of an upgrade to dotnet framework. Jon -- You received this message because you are subscribed to

[ansible-project] Re: kerberos: Bad HTTP response returned from server. Code 400

Are you able to try port 5986 and see if that works. Potentially port 5985 is failing because the encryption process is creating a bad request causing the 400 but it would be good to know if your setup works with HTTPS where WinRM encryption isn't happening. Thanks Jordan -- You received

[ansible-project] Re: Kerberos authentication failed (while following instructions.)

Good that you were able to get it working, I don't know of any incompatibilities with Ubuntu 14.04 that could cause this but I think the issue is that requests_kerberos is failing to import a dependency which is being swallowed. If you wanted to try again you could run python manually and run

[ansible-project] Re: Kerberos authentication failed (while following instructions.)

Hi I've reinstall it on Ubuntu 16.04 and the install was much more straight forward. And it works now! Are you aware of any issue with ubuntu 14.04 or it may be my company build? Thank you! On Sunday, January 7, 2018 at 4:18:59 PM UTC+2, Jeremie Levy wrote: > > I'm trying to connect to my first

[ansible-project] Re: Kerberos authentication failed (while following instructions.)

Hello Jordan So I cleanup my environment, and restart from the begininng. When installing everything according to http://docs.ansible.com/ansible/latest/intro_windows.html (had to install setuptools before cryptography could be installed which is needed by pywinrm) After installing i get this

[ansible-project] Re: Kerberos authentication failed (while following instructions.)

This (or IRC) would be the best place for user help, Github is mostly for bug reports but sometimes you can mix the 2 together. You may need to uninstall the kerberos library, requests-kerberos uses the pykerberos package but they both have the same name which can cause conflicts. Otherwise

[ansible-project] Re: Kerberos authentication failed (while following instructions.)

Hello Jordan, Yes, it was me, I didn't know I should post here (searching for help lead me to the github page multiple times) So i did as you suggested (have to say i tried it before) but i have another error, which confused me even more: ansible windows -m win_ping - ansible 2.4.2.0

[ansible-project] Re: Kerberos authentication failed (while following instructions.)

I believe https://github.com/ansible/ansible/issues/34552 may be from yourself as well, I'll post my response here to go into a bit more detail. By default, the winrm connector inside Ansible uses basic auth as the transport authentication mechanism. You can see this happening as your error

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

resolved the above error by uncommenting the line " 127.0.0.1 localhost " in C:\Windows\System32\drivers\etc\hosts file, then it works On Thursday, May 4, 2017 at 9:06:29 AM UTC-4, Allen Fisher wrote: > > Thanks Jordan and J. > > I switched to the local administrator account. I also re-ran the

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

resolved the above error by uncommenting the line " 127.0.0.1 localhost " in C:\Windows\System32\drivers\etc\hosts file, then it works -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

resolved the above error by uncommenting the line " 127.0.0.1 localhost " in C:\Windows\System32\drivers\etc\hosts file, then it works -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

Just got done configuring some Windows hosts with Ansible Tower. - Use port 5986 because AllowUnencrypted=False will prevent 5985 from working (for good reason!) w/ Kerberos - Use a certificate on 5986, I noticed your CertThumbprint is missing - Ensure 5986 firewall port is open - Test

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

I would only allow unencrypted messages for testing and debugging purposes and never in any production capacity due to the security risk when running over HTTP. Useful in this case to see if the HTTP endpoint works but should be turned back off eventually. Some other things to try - use a real

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

allow unencrypted: winrm set winrm/config/service '@{AllowUnencrypted="true"}' On Thursday, May 4, 2017 at 10:38:23 AM UTC-4, Allen Fisher wrote: > > Sure thing: > > PS C:\Users\Administrator> winrm get winrm/config/service >> Service >> RootSDDL = >>

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

Sure thing: PS C:\Users\Administrator> winrm get winrm/config/service > Service > RootSDDL = > O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD) > MaxConcurrentOperations = 4294967295 > MaxConcurrentOperationsPerUser = 1500 > EnumerationTimeoutms = 24 >

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

Can you post the results of "winrm get winrm/config/service" here to show us your WinRM configuration. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to

[ansible-project] Re: "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server"

Thanks Jordan and J. I switched to the local administrator account. I also re-ran the ConfigureRemotingForAnsible script. Now I get the dreaded "the specified credentials were rejected by the server" error PS C:\Users\afisher\Documents> >

[ansible-project] Re: Kerberos Auth - the specified credentials were rejected by the server

If I recall I've had problems in the past where a machine has moved from one domain to another. You can wind up with an orphaned computer account in active directory in the old domain (IIRC this affected older AD versions). Fix was to remove the Computer account from the old domain. That

[ansible-project] Re: Kerberos Auth - the specified credentials were rejected by the server

I have struggled with this a lot. I have run into the fact that a new windows host, joined to a domain, sometimes needs to be rebooted again in order to have its domain name reflected correctly in its group policies. I have had GPresult /r say another domain name then what is displayed no the

[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

Thanks, I have tried NTLM and basic, and they both work fine. However, I am evaluating this for a 2+ node enterprise solution, and Kerberos is a must-have requirement. On Tuesday, April 4, 2017 at 7:37:03 PM UTC-5, Jarryd Took wrote: > > @william: > > The latest requests-ntlm in

[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

@william: The latest requests-ntlm in combination of Ansible 2.2.0 you can use NTLM against Windows machines. If this floats your boat as an alternative to kerberos tickets. ansible_connection: winrm ansible_winrm_transport: ntlm On Tuesday, April 4, 2017 at 12:27:21 AM UTC+10, William

Re: [ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

Bingo. I was suspecting some kind of isolation thing, because it was so clear that the environment was different when running a playbook than at the command line, even when sudo'd as awx. Many thanks. I'll never get that week back, but I love a mystery solved. ~Bill On Tue, Apr 4, 2017 at 3:59

Re: [ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

Tower uses an isolation tech called proot that will often break shared ticket caches. If you can't wait for Ansible 2.3 (should be released within the next couple weeks), I'd suggest disabling proot (IIRC it's in settings.py, but my Tower-fu is getting rusty). On Tuesday, April 4, 2017 at

Re: [ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

time is definitely good. i run ntpdate in my vagrant provisioning script just to be sure. On Tue, Apr 4, 2017 at 2:20 PM, cupcake wrote: > sanity check; is time in sync? windows AD/kerb wont auth if the skew is > more than 5 or 10 minutes off. I also saw some weirdness

[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

sanity check; is time in sync? windows AD/kerb wont auth if the skew is more than 5 or 10 minutes off. I also saw some weirdness like this recently and a reboot and then kinit again made it work but i think due to another config reason on my part. On Tuesday, April 4, 2017 at 9:09:27 AM UTC-4,

[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

I think that's what I'm doing. I've tried doing the kinit from the console, doing the kinit in a cron job, doing the kinit manually in a playbook before running the winrm play book, and doing it as a local_action in the winrm playbook itself. In all cases (except the last one), the kinit

[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

Ansible doesn't manage the tickets for you until Ansible Core 2.3 (still in release candidate). Anything earlier, you'll have to do the kinit on the controller yourself (either via a cron job or as part of your playbook with a local action). On Monday, April 3, 2017 at 7:27:21 AM UTC-7,

[ansible-project] Re: Kerberos Delegation Issues

Okay. Do you know if it would be possible for paid support from Ansible to assist with troubleshooting? On Monday, October 31, 2016 at 1:04:10 PM UTC-5, Matt Davis wrote: > > Don't know what else to say- works for everyone I know that's tried it, so > I'm suspecting some sort of local

[ansible-project] Re: Kerberos Delegation Issues

Don't know what else to say- works for everyone I know that's tried it, so I'm suspecting some sort of local configuration or installation issue that hasn't been covered yet. On Monday, October 31, 2016 at 8:09:02 AM UTC-7, Surred wrote: > > Thanks for the response Matt! I did verify we are

[ansible-project] Re: Kerberos Delegation Issues

Thanks for the response Matt! I did verify we are running ansible version 2.1.1.0 user@ansible:~> ansible --version ansible 2.1.1.0 config file = /etc/ansible/ansible.cfg configured module search path = Default w/o overrides I ran the klist command on the windows host (DC1) that ansible

[ansible-project] Re: Kerberos Delegation Issues

You mentioned you were using ansible 2.1.0 and that you'd switched to group_vars- that version has an inventory bug where any ansible_winrm_X connection vars are ignored if they live in group_vars. Either upgrade to at least 2.1.1, or move them back. Also, try doing a raw: klist on the Windows

[ansible-project] Re: Kerberos Delegation Issues

Apologies for the delayed response... I've been looking for ways to work around this issue, but I hit a roadblock so I really need to figure this out. Below are the logs from the server hosting the network share. Apparently the login was successful, but it was as an anonymous user using NTLM.

[ansible-project] Re: Kerberos Delegation Issues

Have a look in the event logs. I suspect all you will see is 'Access is denied'. Worth looking on the network share machine (if it is an actual windows box). If it isn't a windows box I guess there will be some kind of samba share logging that you could examine too. Make sure that you are

[ansible-project] Re: Kerberos Delegation Issues

JH, Do you know of any other tests/logging I could try/review to determine why the kerberos delegation is not working in my environment? On Friday, September 16, 2016 at 2:22:05 AM UTC-5, J Hawkesworth wrote: > > Sorry, I should have been clearer. 2.0.0.2 and 2.1.1 are ansible versions. > > >

[ansible-project] Re: Kerberos Delegation Issues

Sorry, I should have been clearer. 2.0.0.2 and 2.1.1 are ansible versions. On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote: > > Thanks for the response JH. I've moved the winrm connection details to > group_vars as you suggested, but am still not able to list the files of a

[ansible-project] Re: Kerberos Delegation Issues

Thanks for the response JH. I've moved the winrm connection details to group_vars as you suggested, but am still not able to list the files of a network share. You said you are using "2.0.0.2 / 2.1.1" Can you please clarify those version numbers and what they are associated with? host file:

[ansible-project] Re: Kerberos Delegation Issues

I just got this working a couple of days ago. The only differences I can see between your set up and mine are I set up win connection vars in group vars, rather than host vars (mixed environment - not all my hosts are windows). Might be worth trying to switch to group_vars as at some point I

[ansible-project] Re: kerberos configuration to ping Windows server with Ansible

Great, I'm glad this is working. Setting up kerberos is fiddly but once it's done you probably won't have to touch it again and you can immediately start doing a lot of things with a lot of windows boxes. JOn On Thursday, August 4, 2016 at 10:01:52 AM UTC+1, fanvalt wrote: > > Oh the win_ping

[ansible-project] Re: kerberos configuration to ping Windows server with Ansible

Oh the win_ping command did work, I did replace the IP address in the inventory file with the server name and I did comment in the krb5.conf file all descriptions that were not about EMEAD.COM (so many tests !!!). Thanks a lot, Jon, for your support Regards Le jeudi 4 août 2016 10:27:29

[ansible-project] Re: kerberos configuration to ping Windows server with Ansible

I did correct the krb5.conf file, I did install the requests.kerberos package and rerun the kinit command. The klist command shows the EMEAD.COM domain. But when running the ansible win_ping command, I do receive this new message: ansible windows -i ./win.ini -m win_ping -vv Using

[ansible-project] Re: kerberos configuration to ping Windows server with Ansible

I have only ever used kerberos support with Active Directory servers, not LDAP ones. However, I think from what you have described that your kdc will be fr. ldap-ad.dmsi.corp.com I don't think you need an admin server set up for this purpose ( I don't have one set in my krb5.conf) You may have

[ansible-project] Re: "Kerberos-based authentication was failed. Code 401" - but I've already acquired a valid ticket

Thank you very much for your help. I have already done everything you suggested - I tried to use hostnames instead of IPs, checked 'both way' DNS configuration, used HTTP instead of HTTPS, verified that Kerberos and HTTP are enabled. The Powershell scripts was executed on the remote host as

[ansible-project] Re: "Kerberos-based authentication was failed. Code 401" - but I've already acquired a valid ticket

I'd recommend using the hostname, rather than the ip address of the windows machine you want to connect to in your inventory. Kerberos/Active Directory seems to be intended to work with host and domain names. I would also check that ping yourhost and ping yourhost.mycloud.local return the

[ansible-project] Re: Kerberos Unknown credential cache type

Can you share your /etc/krb5.conf? Is it possible you have KRB5CCNAME environment variable set specifying a non standard location for the kerberos credential cache? I think that would probably cause problems? Not sure if pykerberos expects a particular type of credential cache but fairly