Ansible is not just for Linux; it can also automate Windows servers. This article explains how to prepare Windows servers for Ansible automation. Ansible connects to Windows hosts over the WinRM protocol (Linux/Unix-like hosts use SSH). Ansible requires PowerShell 3.0 or newer and at least .NET 4.0 to be installed on the Windows host. Windows Server 2008 R1 does not meet these requirements, so the mandatory components need to be upgraded. Windows Server 2008 R2 and later releases ship with all the components required to support Ansible.
WinRM Port Details:
- WinRM http Port – 5985
- WinRM https Port – 5986 (HTTPS)
It's always recommended to use the secure port (HTTPS) for Ansible automation. Passing a plain-text password via the insecure port is not supported. Please go through this article to learn more about the various WinRM setups. The WinRM authentication options compare as follows:
| Option | Local Accounts | Active Directory Accounts | Credential Delegation | HTTP Encryption |
|---|---|---|---|---|
| Basic | Yes | No | No | No |
| Certificate | Yes | No | No | No |
| Kerberos | No | Yes | Yes | Yes |
| NTLM | Yes | Yes | No | Yes |
| CredSSP | Yes | Yes | Yes | Yes |
Here, we will be talking about the basic authentication method over https.
1. Log in to the Windows server as an administrator and run the following sequence of commands in PowerShell to set up WinRM for Ansible.
Here are the commands to copy and paste into the PowerShell terminal.
```
PS C:\Users\Administrator> $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\Users\Administrator> powershell.exe -ExecutionPolicy ByPass -File $file
Self-signed SSL certificate generated; thumbprint: 5FAF0EAEF69EBB15A6B7CB9C80C29884D2F381C1

wxf                 : http://schemas.xmlsoap.org/ws/2004/09/transfer
a                   : http://schemas.xmlsoap.org/ws/2004/08/addressing
w                   : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
lang                : en-US
Address             : http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters

Ok.

PS C:\Users\Administrator>
```
2. If the Windows host has no internet connection, you can download this PowerShell script and execute it locally. Rename the file extension after downloading it. Execute the script in a PowerShell terminal to set up WinRM for Ansible.
```
PS C:\Users\Administrator\Desktop> .\Setup-winrm-For-Ansible.ps1
Self-signed SSL certificate generated; thumbprint: 79FBCADD70DFDS778D5A4E220FA0911A72C21963E4B

wxf                 : http://schemas.xmlsoap.org/ws/2004/09/transfer
a                   : http://schemas.xmlsoap.org/ws/2004/08/addressing
w                   : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
lang                : en-US
Address             : http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters

Ok.

PS C:\Users\Administrator\Desktop>
```
3. Check the status of the Windows authentication methods.
```
PS C:\Users\Administrator\Desktop> Get-ChildItem WSMan:\localhost\Service\Auth

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth

Type            Name                SourceOfValue   Value
----            ----                -------------   -----
System.String   Basic                               true
System.String   Kerberos                            true
System.String   Negotiate                           true
System.String   Certificate                         false
System.String   CredSSP                             false
System.String   CbtHardeningLevel                   Relaxed
```
4. Run the following command to get the WinRM configuration.
```
PS C:\Users\Administrator\Desktop> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
PS C:\Users\Administrator\Desktop>
```
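In the output above, the Service section reports `AllowUnencrypted = true` together with `Basic = true`. The following Python sketch, an added example that is not part of the original article, parses the indented `winrm get winrm/config` dump and flags that combination; the sample text is a constructed excerpt and the function names are illustrative.

```python
# Added example: audit `winrm get winrm/config` output for cleartext exposure.
SAMPLE = """\
Config
    MaxEnvelopeSizekb = 500
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            CredSSP = false
        CertificateThumbprint
        AllowRemoteAccess = true
"""  # constructed excerpt, indented the way winrm prints it

def parse_winrm_config(text):
    """Turn the indented dump into {'Config/Service/Auth/Basic': 'true', ...}."""
    settings, stack = {}, []          # stack holds (indent, section name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:   # leave deeper and sibling sections
            stack.pop()
        name, sep, value = raw.strip().partition("=")
        if sep:                                    # "Key = value" leaf
            path = "/".join([s[1] for s in stack] + [name.strip()])
            settings[path] = value.strip()
        else:                                      # section header or empty-valued key
            stack.append((indent, name.strip()))
    return settings

def audit(settings):
    """Return (path, reason) pairs for service settings that expose credentials."""
    on = lambda p: settings.get(p, "").lower() == "true"
    findings = []
    if on("Config/Service/AllowUnencrypted"):
        findings.append(("Config/Service/AllowUnencrypted",
                         "service accepts unencrypted messages over HTTP (5985)"))
    if on("Config/Service/Auth/Basic"):
        reason = "Basic auth has no message encryption; safe only behind HTTPS (5986)"
        if on("Config/Service/AllowUnencrypted"):
            reason += "; with AllowUnencrypted the password can cross the wire in cleartext"
        findings.append(("Config/Service/Auth/Basic", reason))
    return findings

if __name__ == "__main__":
    for path, reason in audit(parse_winrm_config(SAMPLE)):
        print(f"[!] {path}: {reason}")
```

Setting `WSMan:\localhost\Service\AllowUnencrypted` to `false` on the host clears the first finding while Basic authentication over the HTTPS listener keeps working.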
5. Log in to the Ansible server and install the "pywinrm" Python module to support the WinRM protocol.
```
[root@ansible-server ~]# pip install pywinrm
Collecting pywinrm
  Using cached https://files.pythonhosted.org/packages/0d/12/13a3117bbd2230043aa32dcfa2198c33269665eaa1a8fa26174ce49b338f/pywinrm-0.3.0-py2.py3-none-any.whl
Requirement already satisfied: xmltodict in /usr/lib/python2.7/site-packages (from pywinrm) (0.11.0)
Collecting requests>=2.9.1 (from pywinrm)
  Using cached https://files.pythonhosted.org/packages/ff/17/5cbb026005115301a8fb2f9b0e3e8d32313142fe8b617070e7baad20554f/requests-2.20.1-py2.py3-none-any.whl
Collecting requests-ntlm>=0.3.0 (from pywinrm)
  Using cached https://files.pythonhosted.org/packages/03/4b/8b9a1afde8072c4d5710d9fa91433d504325821b038e00237dc8d6d833dc/requests_ntlm-1.1.0-py2.py3-none-any.whl
```
6. Create a Windows host inventory like the following for testing.
```
[wintel]
192.168.2.16

[wintel:vars]
ansible_user=administrator
ansible_password=Password@123
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
```
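The test inventory above stores the administrator password as a literal and turns off server certificate validation. The Python check below is an added example, not part of the original article: it flags both settings and shows a stricter inventory that passes. The sample inventories are constructed, and `vault_wintel_password` and the CA path are hypothetical names.

```python
import re

WEAK = """\
[wintel]
192.168.2.16

[wintel:vars]
ansible_user=administrator
ansible_password=ExamplePassw0rd
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
"""  # constructed, same shape as the test inventory in step 6

# Constructed stricter variant. vault_wintel_password and the CA path are
# hypothetical names; the secret itself lives in an ansible-vault file.
HARDENED = """\
[wintel]
192.168.2.16

[wintel:vars]
ansible_user=administrator
ansible_password={{ vault_wintel_password }}
ansible_connection=winrm
ansible_port=5986
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=validate
ansible_winrm_ca_trust_path=/etc/pki/winrm/ca.pem
"""

def lint_inventory(text):
    """Return (line number, rule id, message) for risky WinRM connection vars."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";", "[")):
            continue
        for key, value in re.findall(r"(\w+)=(\S+)", line):
            if key == "ansible_password" and "{{" not in value:
                findings.append((lineno, "plaintext-password",
                                 "literal password in inventory; reference a vaulted variable"))
            elif key == "ansible_winrm_server_cert_validation" and value == "ignore":
                findings.append((lineno, "cert-validation-disabled",
                                 "server certificate is not verified, so the TLS peer is unauthenticated"))
            elif (key, value) in {("ansible_winrm_scheme", "http"), ("ansible_port", "5985")}:
                findings.append((lineno, "http-listener",
                                 "connection uses the unencrypted HTTP listener"))
    return findings

if __name__ == "__main__":
    for finding in lint_inventory(WEAK):
        print(finding)
```

`validate` only succeeds when the listener presents a certificate that chains to the trusted CA and matches the host name used in the inventory; the self-signed certificate generated in step 1 does not chain to a CA.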
7. Try to ping the Wintel host using Ansible's win_ping module.
```
[root@ansible-server UnixArena_Project]# ansible all -i hosts_wintel -m win_ping
192.168.2.16 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@ansible-server UnixArena_Project]#
```
We got the ping-pong result, which confirms that Ansible is able to establish a connection with the Windows server.
We have successfully configured the Windows server to support Ansible automation.

Mike says
I am trying to do it over CredSSP. Could you please help? I got this error. CredSSP encrypts the password, and then it is more secure. Could you please help and guide me with a step-by-step guide?
```
UNREACHABLE! => {
    "changed": false,
    "msg": "credssp: Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual ''",
    "unreachable": true
```
Shubhi Johri says
Hi,
Thanks for the solution!! I am facing an issue, please assist.
While running the commands as you suggested:
```
PS C:\Users\Administrator> $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\Users\Administrator> powershell.exe -ExecutionPolicy ByPass -File $file
```
No output is coming and the certificate is not getting generated. Please help!!