How to connect Ansible to a Windows host via WinRM, with Basic, NTLM or Kerberos authentication


Are you struggling to get your Ansible WinRM connection working with your Windows host? In this blog I try to explain, as simply as possible, how to communicate with a Windows host from Ansible, using Basic, NTLM and Kerberos authentication over WinRM.

Ansible is a very powerful and simple open source automation platform. Ansible can help you with configuration management, application deployment and task automation. It can also do IT orchestration, where you have to run tasks in sequence and create a chain of events that must happen on several different servers or devices.

Ansible is primarily built to communicate with Linux hosts via SSH. To communicate with Windows we have to use WinRM. Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems from different vendors to interoperate.

This blog will include the following sections:

  • Setup test environment
  • Ansible with WinRM Basic Authentication
  • Ansible with WinRM NTLM Authentication
  • Ansible with WinRM Kerberos Authentication

Before we can start you need a test environment with an Ansible server. In my test environment I’m using HashiCorp Vagrant and VirtualBox. The Ansible server runs CentOS 7 and the Windows host runs Windows 2016.

Setup Test Environment

I’ll use the package manager Chocolatey. With Chocolatey you can install the applications Vagrant and VirtualBox automatically.

Step 1 : Install the Chocolatey package manager.

Run the commands below from PowerShell. With these commands we install Chocolatey, VirtualBox and Vagrant.

Note: I’m using VirtualBox instead of Hyper-V, because Vagrant and VirtualBox work better together at this moment.

# Download and install Chocolatey
  Set-ExecutionPolicy Bypass -Scope Process -Force; 
  iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
            
  choco upgrade chocolatey
  choco feature enable -n allowGlobalConfirmation

# Install Virtualbox
  Choco install virtualbox

# Install Vagrant
  Choco install Vagrant

# Create folder for your vagrantfile
  mkdir c:\vagrant\testlab

Step 2: Create the Vagrantfile.

The Vagrantfile is a Ruby file used to configure Vagrant on a per-project basis. The main function of the Vagrantfile is to describe the virtual machines required for a project, as well as how to configure and provision these machines. The Vagrantfile we create here contains the infrastructure-as-code configuration for the test environment.

  • Open PowerShell as Administrator.
  • Create the folder c:\vagrant\testlab
    (PowerShell: mkdir c:\vagrant\testlab).
  • Set up your network in VirtualBox:
    open VirtualBox and click File -> Host Network Manager.
    Create the host-only network that the VM addresses below (192.168.56.x) belong to.
  • Run the command cd c:\vagrant\testlab to change the current location of PowerShell to the folder in which we want to create the Vagrantfile.
  • Run the command vagrant init and the file Vagrantfile will be created.
  • Open the Vagrantfile with a text editor. Remove everything from the file and replace it with the code below.
Vagrant.configure("2") do |config|
  
  #CENTOS SERVER
  config.vm.define "lablin01" do |lablin01|
    lablin01.vm.box      = "centos/7"
    lablin01.vm.hostname = "lablin01"
    lablin01.vm.network "private_network", ip: "192.168.56.30"
    lablin01.vm.provider "virtualbox" do |vb|
      vb.name   = "lablin01"
    end
  end

end
  • Save the file (without extension).

Step 3 : Create the VMs

Note : To install the test servers you need an internet connection, because Vagrant downloads the box image.

  • Run the command vagrant up from c:\vagrant\testlab to start the installation.
  • Configure the lablin01 server as the Ansible control server.
    To install the Ansible control server, connect to lablin01 over SSH with the command vagrant ssh lablin01.
  • Note : if you would like to use SSH from the command line instead, you need the key Vagrant generated for this machine. You can find it in “..\vagrant\machines\lablin01\virtualbox\private_key.ppk”

Step 4: Install Ansible.

Log in to lablin01 to configure this server as the Ansible server. Run the commands below.

##############################################
# SETUP/INSTALL ANSIBLE SERVER CENTOS
##############################################

sudo yum -y group install 'Development Tools'
sudo yum -y install epel-release
sudo yum -y update
sudo yum -y install ansible
sudo yum -y install python-pip pip
sudo pip install --upgrade pip

sudo yum -y install python-devel krb5-devel krb5-libs krb5-workstation
sudo yum -y install python-p      
sudo yum -y install bind-utils      
sudo yum -y update

sudo pip install pywinrm[kerberos]
sudo pip install pywinrm
sudo yum -y install tree
sudo yum -y install oddjob realmd samba samba-common oddjob-mkhomedir sssd adcli

Step 5: Create the folder /home/ansible_demo

Create the folder /home/ansible_demo on the Ansible server (with mkdir). All Ansible files for this blog go in this folder.

Ansible with WinRM Basic Authentication

The simplest way is to use WinRM Basic authentication. It is not secure, because with an HTTP listener the credentials and the traffic are sent unencrypted, but for test purposes it is a good way to test your first connection or to bootstrap a machine.
First we have to create the inventory file inventory_basic.ini. In this file we define the remote host and the variables for the connection settings.

Note : the variables can also be placed in the folder group_vars.

The file name for the variables must have the same name as the group name in your inventory file. So in this example create the file group_vars/win_basic.yml and save the settings below to this file.

Check the example files on https://gitlab.com/D2CIT/blog_ansible_winrm

  • set location to /home/ansible_demo
  • create in this folder the folder basic
  • set location to /home/ansible_demo/basic
  • create in the folder /home/ansible_demo/basic the file inventory_basic.ini
  • copy the code below to this file. The group name win_basic is the target used in the ansible command later on (and the name of the optional group_vars file).
    • Change in row 2 the name of your server and the IP address
    • Change in row 5 the name of your local admin account
    • Change in row 6 the password
[win_basic]
labwin01 ansible_host=192.168.56.40

[win_basic:vars]
ansible_user                         = localadmin
ansible_password                     = P@ssw0rd12!
ansible_connection                   = winrm
ansible_port                         = 5985
ansible_winrm_transport              = basic
ansible_winrm_server_cert_validation = ignore

Before we can test the WinRM connection with Basic authentication we have to enable two settings in the WinRM service on the remote Windows host: AllowUnencrypted and Basic authentication.

I’m using PowerShell to configure these settings through the WSMan: drive.

Run the script below on the remote Windows host to enable the WSMan service settings for AllowUnencrypted and Basic authentication.

# Enable the WinRM service and a default listener
  Set-WSManQuickConfig

# Set the WSMan service setting AllowUnencrypted to True
# (Service, not Client: these settings govern the connections this host accepts)
  if((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq $false){
    Write-Host "[winrm] : set AllowUnencrypted to True" -ForegroundColor Yellow
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true
  }else{
    Write-Host "[winrm] : AllowUnencrypted is True" -ForegroundColor Green
  }#EndIf

# Set the WSMan service setting for Basic authentication to True
  if((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq $false){
    Write-Host "[winrm] : set Basic Authentication to True" -ForegroundColor Yellow
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
  }else{
    Write-Host "[winrm] : Basic Authentication is True" -ForegroundColor Green
  }#EndIf

We are ready for the first test. From the Ansible server, run the command below to ping the remote host via the Ansible module win_ping. win_ping tests both the connection and the credentials.

Note : the WSMan script above must be run in an elevated PowerShell (run it as administrator).

ansible -i inventory_basic.ini win_basic -m win_ping

The output shows that the test completed successfully.
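The three inventories in this blog differ only in port, transport and certificate validation, and those three variables decide how exposed the credentials are. The following added example (not part of the original post) parses the inventory format used here and reports the risks per group; it assumes Ansible's defaults (port 5986, https unless the port is 5985) and uses a constructed copy of the Basic inventory as sample input.

```python
import re

# Constructed sample: the Basic-auth inventory above, group named win_basic.
INVENTORY_BASIC = """[win_basic]
labwin01 ansible_host=192.168.56.40

[win_basic:vars]
ansible_user = localadmin
ansible_password = P@ssw0rd12!
ansible_connection = winrm
ansible_port = 5985
ansible_winrm_transport = basic
ansible_winrm_server_cert_validation = ignore
"""

def parse_inventory(text):
    """[group] host lines and [group:vars] 'key = value' lines -> {group: {hosts, vars}}."""
    groups, section, in_vars = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.fullmatch(r"\[([^\]:]+)(:vars)?\]", line)
        if head:
            section, in_vars = head.group(1), head.group(2) is not None
            groups.setdefault(section, {"hosts": [], "vars": {}})
        elif section is not None and in_vars:
            key, _, value = line.partition("=")
            groups[section]["vars"][key.strip()] = value.strip()
        elif section is not None:
            groups[section]["hosts"].append(line.split()[0])
    return groups

def winrm_findings(v):
    """Risk findings for one group's WinRM vars (Ansible defaults: port 5986, https unless 5985)."""
    port = v.get("ansible_port", "5986")
    scheme = v.get("ansible_winrm_scheme", "http" if port == "5985" else "https")
    findings = []
    if scheme == "http":
        # No TLS: with Basic the base64 credentials and all traffic are readable on the wire
        findings.append("cleartext-basic" if v.get("ansible_winrm_transport") == "basic" else "http-listener")
    if scheme == "https" and v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("tls-not-validated")  # self-signed cert never checked; MITM possible
    if "ansible_password" in v:
        findings.append("password-in-inventory")  # keep secrets in ansible-vault instead
    return findings

def audit(text):
    return {g: winrm_findings(d["vars"]) for g, d in parse_inventory(text).items()
            if d["vars"].get("ansible_connection") == "winrm"}
```

Calling audit(INVENTORY_BASIC) reports the cleartext Basic exchange and the password stored in the file; switching to port 5986 with transport ntlm or kerberos removes the cleartext finding but still flags server_cert_validation = ignore until the certificate is trusted.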

Ansible with WinRM NTLM Authentication

NTLM is a bit more secure than Basic, of course. We will use an SSL certificate to encrypt the traffic. The first thing we have to do is create an inventory file inventory_ntlm.ini. In this file we define the remote host and the variables for the NTLM connection. The settings are almost the same as for Basic authentication; the only differences are that we set the WinRM port to 5986 (https) and the authentication method to NTLM.

The remote Windows host needs some more configuration: enable WinRM, create a listener on port 5986, open the firewall port, create a self-signed certificate, etc. On the Ansible site you will find a script that does this work for you.
See : https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html

Download the script. You can use the commands below:

$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"

(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

powershell.exe -ExecutionPolicy ByPass -File $file
  • Run the downloaded script on the remote Windows host (the last command above does this).
  • set location to /home/ansible_demo
  • create in this folder the folder ntlm
  • set location to /home/ansible_demo/ntlm
  • create in the folder /home/ansible_demo/ntlm the file inventory_ntlm.ini
  • copy the code below to this file.
    • Change in row 2 the name of your server and the IP address
    • Change in row 5 the name of your local admin account
    • Change in row 6 the password
[win_ntlm]
labwin01 ansible_host=192.168.56.40

[win_ntlm:vars]
ansible_user                         = localadmin
ansible_password                     = P@ssw0rd12!
ansible_connection                   = winrm
ansible_port                         = 5986
ansible_winrm_transport              = ntlm
ansible_winrm_server_cert_validation = ignore
  • Run the ansible command below to ping the remote Windows host via NTLM authentication.
ansible -i inventory_ntlm.ini win_ntlm -m win_ping

We now see that we have successfully completed the ping via NTLM

Ansible with WinRM Kerberos Authentication

When the remote host is part of a domain, we can use Kerberos. Run the same ConfigureRemotingForAnsible.ps1 script on the remote server as described in the NTLM section (see : https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html).
Before we can use Kerberos we have to configure the Ansible control server:

Configure : /etc/hosts

Configure : /etc/krb5.conf

Configure : /etc/resolv.conf

  • set location to /home/ansible_demo
  • create in this folder the folder kerberos
  • set location to /home/ansible_demo/kerberos
  • create in the folder /home/ansible_demo/kerberos the file inventory_kerberos.ini
  • copy the code below to this file.
    • Change in row 2 the name of your server (DNS name)
    • Change in row 5 the name of your admin account, including the domain (user@realm)
    • Change in row 6 the password
[win_kerberos]
labwin01.d2cit.it

[win_kerberos:vars]
ansible_user                         = myusername@d2cit.it
ansible_password                     = P@ssw0rd12!
ansible_connection                   = winrm
ansible_port                         = 5986
ansible_winrm_transport              = kerberos
ansible_winrm_server_cert_validation = ignore
  • Run the ansible command below to ping the remote Windows host via Kerberos.
ansible -i inventory_kerberos.ini win_kerberos -m win_ping

We now see that we have successfully completed the ping via Kerberos.
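Kerberos fails in ways Basic and NTLM do not: the host must be a fully qualified DNS name (an IP address cannot be turned into a service ticket), the user must carry a realm that matches the host's realm, and /etc/krb5.conf must know that realm. The added example below (not from the original post) checks the Kerberos inventory above for those requirements, derives the realm and the HTTP/ service principal WinRM uses, and renders the minimal krb5.conf the post asks you to configure; the KDC name dc01.d2cit.it and the forwardable/dns_lookup_kdc settings are assumptions.

```python
import ipaddress

def kerberos_prereqs(host, user):
    """Check the Kerberos requirements behind the inventory above.
    Returns (ok, details): realm, principal and expected SPN, or the problems found."""
    problems = []
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP address: Kerberos needs the FQDN to request a service ticket")
    except ValueError:
        if "." not in host:
            problems.append("host is not fully qualified, so it cannot be mapped to a realm")
    if "@" not in user:
        problems.append("ansible_user has no @REALM suffix, so kinit cannot pick a realm")
    if problems:
        return False, {"problems": problems}
    realm = host.split(".", 1)[1].upper()          # realm names are upper case by convention
    name, user_realm = user.rsplit("@", 1)
    if user_realm.upper() != realm:
        return False, {"problems": [f"user realm {user_realm.upper()} != host realm {realm}"]}
    # WinRM registers the HTTP service class, on both 5985 and 5986
    return True, {"realm": realm, "principal": f"{name}@{realm}", "spn": f"HTTP/{host}@{realm}"}

def krb5_conf(realm, kdc):
    """Render a minimal /etc/krb5.conf for one realm; kdc is the domain controller FQDN."""
    domain = realm.lower()
    return "\n".join([
        "[libdefaults]",
        f"  default_realm = {realm}",
        "  dns_lookup_kdc = true",
        "  forwardable = true",
        "",
        "[realms]",
        f"  {realm} = {{",
        f"    kdc = {kdc}",
        f"    admin_server = {kdc}",
        "  }",
        "",
        "[domain_realm]",
        f"  .{domain} = {realm}",
        f"  {domain} = {realm}",
    ])

if __name__ == "__main__":
    ok, details = kerberos_prereqs("labwin01.d2cit.it", "myusername@d2cit.it")
    print(ok, details)
    if ok:
        print(krb5_conf(details["realm"], "dc01.d2cit.it"))  # dc01 is a placeholder DC name
```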

Examples

https://gitlab.com/D2CIT/blog_ansible_winrm
