Linux, Utility, Windows

How To: Securely Manage Windows Server 2016 with Ansible & Active Directory

This is a follow-up from my previous guide on How To: Manage Windows Server 2016 with Ansible (the dirty and quick way). Whereas the previous guide focused on getting you connected to the Windows Server 2016 endpoints by any means this guide attempts to achieve the same end result but in a more secure way utilising Active Directory kerberos authentication over a HTTPS WinRM connection.

This guide assumes that you have continued on from the following guides in this order:

  1. How To: Install Ansible on Red Hat Enterprise Linux 7 (RHEL 7)
  2. How To: Manage Windows Server 2016 with Ansible

Step 1 – Install required packages

yum -y install python-devel krb5-devel krb5-libs krb5-workstation pam_krb5
sudo pip install kerberos requests_kerberos

Step 2 – Configure Kerberos

2.1 Modify /etc/krb5.conf by opening it with sudo:
sudo nano /etc/krb5.conf

2.2 Make sure you change the domain and domain controllers with your ones and keep it in CAPITALS as the Kerberos client is case sensitive:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = NOKITEL.IM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 NOKITEL.IM = {
 kdc = labdc03.nokitel.im
 #admin_server = labdc03.nokitel.im
 kpasswd_server = labdc03.nokitel.im
 default_domain = nokitel.im

 }

[domain_realm]
 .nokitel.im = NOKITEL.IM
 #nokitel.im = NOKITEL.IM

2.3 Test Kerberos connectivity:

[asecor@labansc ~]$ kinit asecor
Password for asecor@NOKITEL.IM:
[asecor@labansc ~]$

2.4 To confirm that you have a Kerberos token you can execute klist

[asecor@labansc anskerb]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: asecor@NOKITEL.IM

Valid starting       Expires              Service principal
11/10/2016 12:47:12  11/10/2016 22:47:12  krbtgt/NOKITEL.IM@NOKITEL.IM
        renew until 11/17/2016 12:47:10

2.5 If you use lower case or if you have a miss-configuration in the /etc/krb5.conf  file you will get similar results:

[asecor@labansc ~]$ kinit asecor
Password for asecor@nokitel.im:
kinit: KDC reply did not match expectations while getting initial credentials

Step 3 – Configure our Ansible hosts & vars:

3.1 Now that we can authenticate with Kerberos lets setup our Ansible group variables. If you are continuing from my previous guide – How To: Manage Windows Server 2016 with Ansible we’ll open our group_vars/windows.yml  vars:
nano group_vars/windows.yml

3.2 We enter/re-enter/change our details to:

ansible_user: asecor@NOKITEL.IM
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

3.3 Then we make sure that we use FQDNs instead of IP addresses by editing our inventory.yml :
nano inventory.yml

3.4 It should look like so:

[windows]
labwans01.nokitel.im

Step 4 – Configuring the Windows Server 2016 Hosts

4.1 Now that we have configured our Ansible controller for Kerberos authentication we need to ready our  windows environments to do so we easily & simply execute the Configure a Windows host for remote management with Ansible PowerShell script on our desired host(s):

# Configure a Windows host for remote management with Ansible
# -----------------------------------------------------------
#
# This script checks the current WinRM/PSRemoting configuration and makes the
# necessary changes to allow Ansible to connect, authenticate and execute
# PowerShell commands.
#
# Set $VerbosePreference = "Continue" before running the script in order to
# see the output messages.
# Set $SkipNetworkProfileCheck to skip the network profile check.  Without
# specifying this the script will only run if the device's interfaces are in
# DOMAIN or PRIVATE zones.  Provide this switch if you want to enable winrm on
# a device with an interface in PUBLIC zone.
#
# Set $ForceNewSSLCert if the system has been syspreped and a new SSL Cert
# must be forced on the WinRM Listener when re-running this script. This
# is necessary when a new SID and CN name is created.
#
# Written by Trond Hindenes <trond@hindenes.com>
# Updated by Chris Church <cchurch@ansible.com>
# Updated by Michael Crilly <mike@autologic.cm>
# Updated by Anton Ouzounov <Anton.Ouzounov@careerbuilder.com>
#
# Version 1.0 - July 6th, 2014
# Version 1.1 - November 11th, 2014
# Version 1.2 - May 15th, 2015
# Version 1.3 - April 4th, 2016

Param (
    [string]$SubjectName = $env:COMPUTERNAME,
    [int]$CertValidityDays = 365,
    [switch]$SkipNetworkProfileCheck,
    $CreateSelfSignedCert = $true,
    [switch]$ForceNewSSLCert
)

Function New-LegacySelfSignedCert
{
    Param (
        [string]$SubjectName,
        [int]$ValidDays = 365
    )

    $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1"
    $name.Encode("CN=$SubjectName", 0)

    $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1"
    $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    $key.KeySpec = 1
    $key.Length = 1024
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
    $key.MachineContext = 1
    $key.Create()

    $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1"
    $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
    $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1"
    $ekuoids.Add($serverauthoid)
    $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
    $ekuext.InitializeEncode($ekuoids)

    $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1"
    $cert.InitializeFromPrivateKey(2, $key, "")
    $cert.Subject = $name
    $cert.Issuer = $cert.Subject
    $cert.NotBefore = (Get-Date).AddDays(-1)
    $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)
    $cert.X509Extensions.Add($ekuext)
    $cert.Encode()

    $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1"
    $enrollment.InitializeFromRequest($cert)
    $certdata = $enrollment.CreateRequest(0)
    $enrollment.InstallResponse(2, $certdata, 0, "")

    # Return the thumbprint of the last installed certificate;
    # This is needed for the new HTTPS WinRM listerner we're
    # going to create further down.
    Get-ChildItem "Cert:\LocalMachine\my"| Sort-Object NotBefore -Descending | Select -First 1 | Select -Expand Thumbprint
}

# Setup error handling.
Trap
{
    $_
    Exit 1
}
$ErrorActionPreference = "Stop"

# Detect PowerShell version.
If ($PSVersionTable.PSVersion.Major -lt 3)
{
    Throw "PowerShell version 3 or higher is required."
}

# Find and start the WinRM service.
Write-Verbose "Verifying WinRM service."
If (!(Get-Service "WinRM"))
{
    Throw "Unable to find the WinRM service."
}
ElseIf ((Get-Service "WinRM").Status -ne "Running")
{
    Write-Verbose "Starting WinRM service."
    Start-Service -Name "WinRM" -ErrorAction Stop
    Write-Verbose "Setting WinRM service to start automatically on boot."
    Set-Service -Name "WinRM" -StartupType Automatic
}

# WinRM should be running; check that we have a PS session config.
If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener)))
{
  if ($SkipNetworkProfileCheck) {
    Write-Verbose "Enabling PS Remoting without checking Network profile."
    Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop
  }
  else {
    Write-Verbose "Enabling PS Remoting"
    Enable-PSRemoting -Force -ErrorAction Stop
  }
}
Else
{
    Write-Verbose "PS Remoting is already enabled."
}

# Make sure there is a SSL listener.
$listeners = Get-ChildItem WSMan:\localhost\Listener
If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"}))
{
    # HTTPS-based endpoint does not exist.
    If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
    {
        $cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
        $thumbprint = $cert.Thumbprint
        Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint"
    }
    Else
    {
        $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
        Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
    }

    # Create the hashtables of settings to be used.
    $valueset = @{}
    $valueset.Add('Hostname', $SubjectName)
    $valueset.Add('CertificateThumbprint', $thumbprint)

    $selectorset = @{}
    $selectorset.Add('Transport', 'HTTPS')
    $selectorset.Add('Address', '*')

    Write-Verbose "Enabling SSL listener."
    New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
}
Else
{
    Write-Verbose "SSL listener is already active."
    
    # Force a new SSL cert on Listener if the $ForceNewSSLCert
    if($ForceNewSSLCert){
        
        # Create the new cert.
        If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
        {
            $cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
            $thumbprint = $cert.Thumbprint
            Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint"
        }
        Else
        {
            $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
            Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
        }

        $valueset = @{}
        $valueset.Add('Hostname', $SubjectName)
        $valueset.Add('CertificateThumbprint', $thumbprint)

        # Delete the listener for SSL
        $selectorset = @{}
        $selectorset.Add('Transport', 'HTTPS')
        $selectorset.Add('Address', '*')
        Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset

        # Add new Listener with new SSL cert
        New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
    }
}

# Check for basic authentication.
$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "Basic"}
If (($basicAuthSetting.Value) -eq $false)
{
    Write-Verbose "Enabling basic auth support."
    Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
}
Else
{
    Write-Verbose "Basic auth is already enabled."
}

# Configure firewall to allow WinRM HTTPS connections.
$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
If ($fwtest1.count -lt 5)
{
    Write-Verbose "Adding firewall rule to allow WinRM HTTPS."
    netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow
}
ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5))
{
    Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile."
    netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any
}
Else
{
    Write-Verbose "Firewall rule already exists to allow WinRM HTTPS."
}

# Test a remoting connection to localhost, which should work.
$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue
$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck

$httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue

If ($httpResult -and $httpsResult)
{
    Write-Verbose "HTTP: Enabled | HTTPS: Enabled"
}
ElseIf ($httpsResult -and !$httpResult)
{
    Write-Verbose "HTTP: Disabled | HTTPS: Enabled"
}
ElseIf ($httpResult -and !$httpsResult)
{
    Write-Verbose "HTTP: Enabled | HTTPS: Disabled"
}
Else
{
    Throw "Unable to establish an HTTP or HTTPS remoting session."
}
Write-Verbose "PS Remoting has been successfully configured for Ansible."

4.2 Upon successful configuration you should see the following output:

Write-Verbose "PS Remoting has been successfully configured for Ansible."
Self-signed SSL certificate generated; thumbprint: 1370197C02EF743C349245B9DD843D229B09C4EF


wxf                 : http://schemas.xmlsoap.org/ws/2004/09/transfer
a                   : http://schemas.xmlsoap.org/ws/2004/08/addressing
w                   : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
lang                : en-US
Address             : http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters

Ok.

Step 5 – Kerberos Testing

5.1 Now we are ready to test

  1. We clear any cached Kerberos token
    kdestroy -A
  2. We get a new Kerberos token
    kinit asecor
  3. And now we execute our Ansible command
    ansible windows -i inventory.yml -m win_ping
  4. And if all successful we should get the following output
    labwans01.nokitel.im | SUCCESS => {
        "changed": false,
        "ping": "pong"
    }

    Done – now we are ready to execute commands, modules or playbooks!

Troubleshooting Tips

labwans01.nokitel.im | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientInit() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), (\"Can't find client principal asecor@NOKITEL.IM in cache collection\", -1765328243)), ssl: auth method ssl requires a password",
    "unreachable": true
}

> Make sure you create your kerberos token with kinit asecor

labwans01.nokitel.im | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: requested auth method is kerberos, but requests_kerberos is not installed, plaintext: auth method plaintext requires a password",
    "unreachable": true
}

> Make sure that the required python kerberos packages are installed – sudo pip install kerberos requests_kerberos

Other things to watch out for:

  • make sure that domain related settings in /etc/krb5.conf  are in capitals
  • make sure that you are using FQDNs for the target hosts
  • make sure that you have a Kerberos token
  • make sure your DNS settings are in order that you can ping your hosts
  • make sure that you test WinRM from another Windows system with the Test-WSMan  PowerShell command
    PS C:\Windows\system32> Test-WSMan labwans01.nokitel.im
    
    wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor   : Microsoft Corporation
    ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

     

 

 

twitterredditpinterestlinkedinmail

4 Comments to “How To: Securely Manage Windows Server 2016 with Ansible & Active Directory”

  1. Hi there Corin!
    Thanks a lot for this post! I´ve been nearly hitting my head on the wall to solve this authentication issue.
    This little trick about run kinit before run the ansible-playbook saved my skin 🙂 I still didn´t decide if I´m gonna use Kerberos or NTLM to manage my Windows hosts with Ansible, but at least now, Kerberos is working.
    Thanks again!
    Cheers from Brazil!
    VC

    Reply
  2. Just wanted to comment and thank you for this post. It was very helpful in getting Kerberos set up and working. I really enjoyed the troubleshooting steps too, many articles seem to forget those. Thanks for making Kerberos seem less intimidating!

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *