
How To: Manage Windows Server 2016 with Ansible

This is the “quick and dirty” way of getting Windows Server 2016 and Ansible to talk to each other. By no means should you apply this configuration in production: it enables Basic authentication and unencrypted WinRM traffic, so the account password (Basic auth is only base64-encoded) and every command and its output cross the network in clear text. For an isolated lab, though, it is perfect. Let’s begin.

I also assume/recommend that the How To: Install Ansible on Red Hat Enterprise Linux 7 (RHEL 7) guide has been followed in preparation for the below instructions.

Step 0 – Confirm you have Ansible installed and working

0.0 To do so we execute “ansible --version”:

[asecor@labansc]$ ansible --version
ansible 2.1.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides

Step 1 – Prepare our directory structure

1.1 In my case I used my /home/asecor location:

[asecor@labansc ~]$ pwd
/home/asecor

1.2 Create a project directory in there and cd into it:

mkdir nokians
cd nokians

Step 2 – Create our config & inventory files

2.1 We’ll first create our inventory.yml file which will contain all of our Windows Servers

nano inventory.yml

2.2 Contents of inventory.yml should look like this. Note that despite the .yml extension the file is in INI format; Ansible’s INI inventory parser handles it fine, but you could equally name it hosts or inventory.ini:

[windows]
192.168.178.43

2.3 Next we create the group_vars folder and, inside it, a file named after the inventory group (windows.yml). Ansible applies the variables in that file to every host in the [windows] group defined in inventory.yml:

mkdir group_vars
nano group_vars/windows.yml

2.4 Contents of windows.yml should look like this (ansible_winrm_server_cert_validation only matters for an HTTPS listener on 5986; on port 5985 the connection is plain HTTP):

ansible_user: administrator # A local user account on Windows environments 
ansible_password: Password1 # The password for the Windows user
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

2.5 The final project folder structure & contents within “nokians” should look something like this:

[asecor@labansc]$ tree
.
├── group_vars
│   └── windows.yml
├── inventory.yml

2.6 If we try to connect to our Windows Server 2016 host now, it will not work. Ansible’s default WinRM transport in this setup is plaintext, i.e. Basic authentication over HTTP, and a fresh Windows install has Basic authentication disabled and unencrypted traffic refused, so the server rejects the credentials. Running the ping module shows this:

[asecor@labansc nokians]$ ansible windows -i inventory.yml -m win_ping
192.168.178.43 | UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: the specified credentials were rejected by the server",
    "unreachable": true
}

Let’s fix this in the next step.

Step 3 – Configuring Windows Server 2016 for Ansible

3.1 We need to enable Basic authentication on the WinRM service (it is off by default):

C:\Windows\system32>winrm set winrm/config/service/auth @{Basic="true"}
Auth
    Basic = true
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Relaxed

3.2 We also need to allow unencrypted traffic via WinRM (also off by default). This is the setting that lets the Basic credentials and every command payload travel over plain HTTP:

C:\Windows\system32>winrm set winrm/config/service @{AllowUnencrypted="true"}
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true

Then when we execute the ping module we should see the following results:

[asecor@labansc nokians]$ ansible windows -i inventory.yml -m win_ping
192.168.178.43 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
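The two winrm commands in Step 3 trade confidentiality for convenience: Basic authentication plus AllowUnencrypted means anyone on the network path can read the password and every command. The script below is an added example, not part of the original post, showing the Windows side of the corrected setup beside the weak one: it prints the three weak settings, adds an HTTPS listener, removes the HTTP listener, turns Basic authentication and unencrypted traffic back off, and verifies the result. It assumes an elevated PowerShell session on the Windows Server 2016 host, a self-signed certificate (acceptable in a lab only), and that the Ansible control node will be switched to port 5986 with NTLM (Negotiate) authentication as described after the block.

```powershell
# Added example (not from the original post): undo the plaintext WinRM
# configuration from Step 3 and replace it with an HTTPS listener.
# Assumptions: elevated PowerShell on the Windows Server 2016 host;
# self-signed cert is acceptable (lab); the control node will use
# ansible_port 5986 and ansible_winrm_transport ntlm.

# 1. Show the weak settings Step 3 leaves behind, so the change is visible.
$before = [ordered]@{
    AllowUnencrypted  = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    Basic             = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    CbtHardeningLevel = (Get-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel).Value
}
Write-Host 'Before:'
$before.GetEnumerator() | Format-Table -AutoSize

# 2. Create a TLS listener on 5986. A self-signed cert is fine for a lab;
#    in production issue it from your PKI so the control node can validate it
#    and drop ansible_winrm_server_cert_validation: ignore.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
            -CertStoreLocation Cert:\LocalMachine\My
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 3. Close the plaintext path: remove the HTTP listener, refuse unencrypted
#    payloads, disable Basic (Negotiate/NTLM and Kerberos stay enabled), and
#    require channel binding tokens so a TLS relay cannot reuse the auth.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force
Set-Item WSMan:\localhost\Service\AllowUnencrypted       -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic             -Value $false
Set-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel -Value Strict

# 4. Open only the HTTPS port on the host firewall; 5985 stays closed.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# 5. Verify: exactly one listener with Transport=HTTPS, and the three
#    settings flipped back to their secure values.
Write-Host 'Listeners:'
Get-ChildItem WSMan:\localhost\Listener | Select-Object -ExpandProperty Keys
$after = [ordered]@{
    AllowUnencrypted  = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    Basic             = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    CbtHardeningLevel = (Get-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel).Value
}
Write-Host 'After:'
$after.GetEnumerator() | Format-Table -AutoSize
```

On the control node the matching change to group_vars/windows.yml is to set ansible_port to 5986 and ansible_winrm_transport to ntlm, keeping ansible_winrm_server_cert_validation: ignore only while the certificate is self-signed (the ntlm transport needs the requests-ntlm Python package alongside pywinrm). The same win_ping command from above should then answer pong over TLS, and a packet capture on 5985 will show nothing at all because that listener no longer exists.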

7 Comments to “How To: Manage Windows Server 2016 with Ansible”

  1. Travis

    THANK YOU.

    I was following a Pluralsight course on Ansible with Windows and doing a similar tutorial. That tutorial left out the necessary steps to configure the Windows end to allow unencrypted authentication attempts. Very helpful!

    Reply
  2. Venkatesh M

    Thanks for the article. I have tried the same approach as mentioned in the post but still I am facing the same issue.
    Ansible output:
    Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
    ESTABLISH WINRM CONNECTION FOR USER: XXXXXXXXXXXXXXXXX on PORT XXXX TO XXXXXXXXXXXXXXXX
    XXXXXXXXXXXX | UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: the specified credentials were rejected by the server",
    "unreachable": true
    }

    I have cross checked all configurations in winrm all looks good for me.

    Reply
