This is the “quick and dirty way” of configuring Windows Server 2016 and Ansible to work together. By no means should you apply this sort of configuration in production, because it sends credentials in plain text over the network. For a lab, though, it’s perfect! Let’s begin.
I also assume/recommend that the How To: Install Ansible on Red Hat Enterprise Linux 7 (RHEL 7) guide has been followed in preparation for the below instructions.
Step 0 – Confirm you have Ansible installed and working
0.0 To do so we execute “ansible --version”
[asecor@labansc]$ ansible --version
ansible 2.1.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
Step 1 – Prepare our directory structure
1.1 In my case I used my /home/asecor location:
[asecor@labansc ~]$ pwd
/home/asecor
1.2 Then create a project directory in there and cd into it:
mkdir nokians
cd nokians
Step 2 – Create our config & inventory files
2.1 We’ll first create our inventory.yml file which will contain all of our Windows Servers
nano inventory.yml
2.2 Contents of the inventory.yml should look like this:
[windows]
192.168.178.43
2.3 We make our variables folder & child file which will contain configs/settings for our systems defined in the previously created inventory.yml
mkdir group_vars
nano group_vars/windows.yml
2.4 Contents of windows.yml should look like this:
ansible_user: administrator  # A local user account on Windows environments
ansible_password: Password1  # The password for the Windows user
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
2.5 The final project folder structure & contents within “nokians” should look something like this:
[asecor@labansc]$ tree
.
├── group_vars
│   └── windows.yml
├── inventory.yml
2.6 If we try to connect to our Windows Server 2016 environment now, it will not work. Executing a ping gives:
[asecor@labansc nokians]$ ansible windows -i inventory.yml -m win_ping
192.168.178.43 | UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: the specified credentials were rejected by the server",
    "unreachable": true
}
Let’s fix this in the next step.
Step 3 – Configuring Windows Server 2016 for Ansible
3.1 We need to set the WinRM authentication to Basic:
C:\Windows\system32>winrm set winrm/config/service/auth @{Basic="true"}
Auth
    Basic = true
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Relaxed
3.2 We also need to allow unencrypted traffic via WinRM:
C:\Windows\system32>winrm set winrm/config/service @{AllowUnencrypted="true"}
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
Then when we execute the ping module we should see the following results:
[asecor@labansc nokians]$ ansible windows -i inventory.yml -m win_ping
192.168.178.43 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
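An added example, not part of the original post: a small Python check a defender could run over the text printed by `winrm get winrm/config/service` (the same layout as the output in step 3.2) to flag the two settings this guide enables. The function names and the shortened sample listing are constructed for illustration.

```python
"""Flag lab-only WinRM service settings in `winrm get winrm/config/service` output."""

# Constructed sample, shortened from the listing shown in step 3.2.
SAMPLE = """\
Service
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    CertificateThumbprint
    AllowRemoteAccess = true
"""

# The two settings this guide switches on; both should be off outside a lab.
LAB_ONLY = {
    "Service/AllowUnencrypted": "credentials and payloads cross the network in clear text",
    "Service/Auth/Basic": "Basic auth sends the password base64-encoded, not encrypted",
}

def parse_winrm_config(text):
    """Turn the indented listing into {"Service/Auth/Basic": "true", ...}."""
    settings, stack = {}, []  # stack holds (indent, section name) pairs
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that are not parents of this line
        key, sep, value = line.strip().partition(" = ")
        if sep:
            settings["/".join([name for _, name in stack] + [key])] = value
        else:
            stack.append((indent, key))  # a bare name opens a (possibly empty) section
    return settings

def audit(text):
    """Return (path, reason) for every lab-only setting that is enabled."""
    cfg = parse_winrm_config(text)
    return [(p, why) for p, why in LAB_ONLY.items() if cfg.get(p, "").lower() == "true"]

if __name__ == "__main__":
    for path, why in audit(SAMPLE):
        print(f"FINDING {path} = true: {why}")
```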





THANK YOU.
I was following a Pluralsight course on Ansible with Windows and doing a similar tutorial. That tutorial left out the necessary steps to configure the windows end to allow unencrypted authentication attempts. Very helpful!
I’m glad this helped you. I too followed it and faced the same challenges!
Remark: @{AllowUnencrypted="true"} doesn’t work, need to add single quotes '@{AllowUnencrypted = "true"}'
Thanks for the article. I have tried the same approach as mentioned in the post, but I am still facing the same issue.
ansible output
Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
ESTABLISH WINRM CONNECTION FOR USER: XXXXXXXXXXXXXXXXX on PORT XXXX TO XXXXXXXXXXXXXXXX
XXXXXXXXXXXX | UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: the specified credentials were rejected by the server",
    "unreachable": true
}
I have cross-checked all configurations in WinRM; all looks good to me.
Thanks,
It Worked for me.. Great work…!!!!!!!!!!!!!!!!
Thanks for the article. I have tried another approach, but I used the CredSSP approach. If you want to see it, please click here and let me know your view.
http://devopstechie.com/ansible-manage-windows-machine-with-ansible-by-credssp/
Thanks.. You are really great Ji…..