
Setting up Windows Hosts for Ansible with CredSSP Authentication – I

Ansible is a Python-based, lightweight yet comprehensive configuration management tool for Windows, Linux, storage, VMware, networking devices, and more. In the previous articles we saw how to install Ansible on Ubuntu servers; if you missed them, follow the links below.

https://theautomationcode.com/installing-ansible-on-ubuntu-part-i/

https://theautomationcode.com/ansible-server-installation-on-ubuntu-part-ii/

Every operating system, piece of software, or device that Ansible can configure needs certain ports and protocols to be reachable, and those must be set in the Ansible configuration. For example, Linux servers use the SSH protocol on port 22.

In this article we discuss how to connect Ansible to Windows servers: the software requirements, ports, protocols, authentication methods, and so on.

Windows Host Configuration Requirements

For Ansible to function correctly on Windows servers, the requirements are:

  • PowerShell version 3.0 or above
  • .NET Framework version 4.0 or higher
  • WinRM (Windows Remote Management, the WS-Management service) must be running.
  • The WinRM secure port 5986 must be open (if not, we explain later in this article how to configure it).
  • CredSSP enabled (for this article; other authentication methods are also available)

On Windows Server 2012 or higher, the PowerShell and .NET Framework versions are already sufficient, because those releases ship with PowerShell 3.0 or higher and .NET Framework 4.0 or higher. On older operating systems such as Windows 7 or Windows Server 2008, you need to consider upgrading the service pack, the .NET Framework version, or the PowerShell version.

Windows Authentication Methods

To connect to Windows servers, Ansible provides the authentication methods shown below.

Option                      Basic   Certificate   Kerberos   NTLM   CredSSP
Local Accounts              Yes     Yes           No         Yes    Yes
Active Directory Accounts   No      No            Yes        Yes    Yes
Credential Delegation       No      No            Yes        No     Yes
HTTP Encryption             No      No            Yes        Yes    Yes

  • Kerberos, NTLM, and CredSSP are secure methods that encrypt both the traffic and the credentials.
  • Basic authentication is the easiest but the most insecure method; it works with local accounts only.
  • The certificate method requires generating a self-signed certificate and installing it on the computers, and it works with local accounts. Configuring certificates takes some work, so people generally avoid this method.
  • NTLM is an older authentication protocol; it is easy to configure and more secure than Basic authentication, but it does not support the newer encryption methods and it is very slow to authenticate.
  • Kerberos is a secure authentication method, useful in a domain environment. It supports credential delegation and traffic encryption over HTTP.
  • CredSSP is a newer, secure, and widely used authentication protocol. It works with both local and domain accounts and also supports encryption over HTTP.
[Figure: WinRM configuration overview. Listeners: HTTP on port 5985 and HTTPS on port 5986. Authentication: Basic, Certificate, NTLM, Kerberos, CredSSP.]

CredSSP Configuration on the Windows Hosts

To configure CredSSP on the Windows hosts, you can either use PowerShell or, if you have many servers in the domain, deploy it via Group Policy. In this article we use the script provided by Ansible to configure CredSSP: it disables Basic authentication and enables the CredSSP protocol on the Windows hosts.

On the Windows server, run the following script to enable CredSSP.

# Force TLS 1.2 for the download (older Windows builds default to TLS 1.0, which GitHub rejects)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null   # make sure the download folder exists
Invoke-WebRequest $url -OutFile C:\Temp\AnsibleWinrmConfig.ps1 -Verbose
Start-Sleep -Seconds 2
# Enable CredSSP and disable Basic auth; the script also creates the HTTPS listener and its firewall rule
C:\Temp\AnsibleWinrmConfig.ps1 -EnableCredSSP -DisableBasicAuth -Verbose

Output (screenshot): the script sets LocalAccountTokenFilterPolicy to 1, generates a self-signed certificate, enables the SSL (HTTPS) listener, reports that Basic auth is disabled, enables CredSSP with CbtHardeningLevel Relaxed, and adds a firewall rule allowing WinRM over HTTPS; the summary at the end reads HTTP: Enabled | HTTPS: Enabled.

You are done with the Windows host configuration. To run this script on multiple remote servers, loop over each server. To confirm that the WinRM secure port 5986 is open, run the command below on the Windows server.

winrm enumerate winrm/config/Listener

Output (screenshot): two listeners are shown, one with Transport = HTTP on Port 5985 and one with Transport = HTTPS on Port 5986, both with Enabled = true and URLPrefix = wsman. The HTTPS listener carries the CertificateThumbprint of the generated certificate, and both listen on the loopback, LAN and link-local IPv6 addresses.

To check CredSSP, Basic authentication and the listener settings, use the command below.

winrm get winrm/config/Service

Output (screenshot): under Service, AllowUnencrypted = false and AllowRemoteAccess = true; under Auth, Basic = false, Kerberos = true, Negotiate = true, Certificate = false and CredSSP = true; DefaultPorts show HTTP = 5985 and HTTPS = 5986.
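As an added example (not the article's or Ansible's own code), the following PowerShell function audits the state the script above should leave behind: Basic off, CredSSP on, unencrypted transport refused, a valid certificate bound to the HTTPS listener, and an inbound firewall rule for its port. Port 5986 is assumed from the article's default; run it in an elevated PowerShell on the Windows host.

```powershell
# Added audit script, not part of the article or the Ansible project.
function Test-AnsibleWinRMConfig {
    [CmdletBinding()]
    param([int]$HttpsPort = 5986)   # assumed default; change it if you moved the HTTPS listener

    $checks = @()
    $add = { param($Name, $Pass, $Actual) [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Actual = "$Actual" } }

    # Service-level auth switches, the same values 'winrm get winrm/config/Service' prints
    $auth = @{}
    Get-ChildItem WSMan:\localhost\Service\Auth | ForEach-Object { $auth[$_.Name] = $_.Value }
    $checks += & $add 'Basic auth disabled' ($auth['Basic'] -eq 'false') $auth['Basic']
    $checks += & $add 'CredSSP enabled'     ($auth['CredSSP'] -eq 'true') $auth['CredSSP']
    # CredSSP delegates the caller's credentials to the host, so plaintext transport must stay refused
    $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $checks += & $add 'AllowUnencrypted false' ($unenc -eq 'false') $unenc

    # HTTPS listener, the same data 'winrm enumerate winrm/config/Listener' prints
    $https = $null
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $p = @{}
        Get-ChildItem $l.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
        if ($p['Transport'] -eq 'HTTPS' -and [int]$p['Port'] -eq $HttpsPort) { $https = $p }
    }
    $checks += & $add "HTTPS listener on $HttpsPort" ($null -ne $https) $(if ($https) { 'present' } else { 'missing' })
    if ($https) {
        $checks += & $add 'HTTPS listener enabled' ($https['Enabled'] -eq 'true') $https['Enabled']
        # The bound thumbprint must match a certificate that is still valid in the machine store
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $https['CertificateThumbprint']
        $checks += & $add 'Listener certificate in LocalMachine\My' ($null -ne $cert) $https['CertificateThumbprint']
        if ($cert) { $checks += & $add 'Listener certificate not expired' ($cert.NotAfter -gt (Get-Date)) $cert.NotAfter }
    }

    # Inbound allow rule for the HTTPS port (the Ansible script adds one when it enables SSL)
    $rule = Get-NetFirewallPortFilter | Where-Object LocalPort -eq $HttpsPort | Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    $checks += & $add "Inbound firewall rule for $HttpsPort" ($null -ne $rule) (($rule | Select-Object -First 1).DisplayName)

    return $checks
}

$report = Test-AnsibleWinRMConfig
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { Write-Warning 'Host is not ready for Ansible over CredSSP; see the failed checks above.' }
```

Any row with Pass = False points at the setting to revisit before moving on to the Ansible side in the next article.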

In the next article, we will install the pywinrm and credssp packages for Ansible.
