Linux, Utility, Windows

How To: Securely Manage Windows Server 2016 with Ansible & Active Directory

This is a follow-up from my previous guide on How To: Manage Windows Server 2016 with Ansible (the dirty and quick way). Whereas the previous guide focused on getting you connected to the Windows Server 2016 endpoints by any means this guide attempts to achieve the same end result but in a more secure way utilising Active Directory kerberos authentication over a HTTPS WinRM connection.

This guide assumes that you have continued on from the following guides in this order:

  1. How To: Install Ansible on Red Hat Enterprise Linux 7 (RHEL 7)
  2. How To: Manage Windows Server 2016 with Ansible

Step 1 – Install required packages

Step 2 – Configure Kerberos

2.1 Modify /etc/krb5.conf by opening it with sudo:
sudo nano /etc/krb5.conf

2.2 Make sure you change the domain and domain controllers with your ones and keep it in CAPITALS as the Kerberos client is case sensitive:

2.3 Test Kerberos connectivity:

2.4 To confirm that you have a Kerberos token you can execute  klist

2.5 If you use lower case or if you have a miss-configuration in the /etc/krb5.conf  file you will get similar results:

Step 3 – Configure our Ansible hosts & vars:

3.1 Now that we can authenticate with Kerberos lets setup our Ansible group variables. If you are continuing from my previous guide – How To: Manage Windows Server 2016 with Ansible we’ll open our group_vars/windows.yml  vars:
nano group_vars/windows.yml

3.2 We enter/re-enter/change our details to:

3.3 Then we make sure that we use FQDNs instead of IP addresses by editing our inventory.yml :
nano inventory.yml

3.4 It should look like so:

Step 4 – Configuring the Windows Server 2016 Hosts

4.1 Now that we have configured our Ansible controller for Kerberos authentication we need to ready our  windows environments to do so we easily & simply execute the Configure a Windows host for remote management with Ansible PowerShell script on our desired host(s):

4.2 Upon successful configuration you should see the following output:

Step 5 – Kerberos Testing

5.1 Now we are ready to test

  1. We clear any cached Kerberos token
    kdestroy -A
  2. We get a new Kerberos token
    kinit asecor
  3. And now we execute our Ansible command
    ansible windows -i inventory.yml -m win_ping
  4. And if all successful we should get the following output

    Done – now we are ready to execute commands, modules or playbooks!

Troubleshooting Tips

> Make sure you create your kerberos token with  kinit asecor

> Make sure that the required python kerberos packages are installed –  sudo pip install kerberos requests_kerberos

Other things to watch out for:

  • make sure that domain related settings in  /etc/krb5.conf  are in capitals
  • make sure that you are using FQDNs for the target hosts
  • make sure that you have a Kerberos token
  • make sure your DNS settings are in order that you can ping your hosts
  • make sure that you test WinRM from another Windows system with the Test-WSMan  PowerShell command

     

 

 

twitterredditpinterestlinkedinmail

One Comment

  1. Hi there Corin!
    Thanks a lot for this post! I´ve been nearly hitting my head on the wall to solve this authentication issue.
    This little trick about run kinit before run the ansible-playbook saved my skin 🙂 I still didn´t decide if I´m gonna use Kerberos or NTLM to manage my Windows hosts with Ansible, but at least now, Kerberos is working.
    Thanks again!
    Cheers from Brazil!
    VC

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *