Ansible is not just for Linux: it can also automate Windows servers. This article explains how to prepare Windows servers for Ansible automation. Ansible uses the WinRM protocol to connect to Windows hosts (Linux/Unix-like hosts are reached over SSH). Ansible requires PowerShell 3.0 or newer and at least .NET 4.0 on the Windows host. Windows Server 2008 R1 does not meet this requirement, so the mandatory components must be upgraded; Windows Server 2008 R2 and later releases ship with all the components required to support Ansible.
WinRM Port Details:
- WinRM HTTP port: 5985
- WinRM HTTPS port: 5986
It is always recommended to use the secure port (HTTPS) for Ansible automation. Passing a plain-text password via the insecure port is not supported. Go through this article to learn more about the various WinRM setup options.
Option | Local Accounts | Active Directory Accounts | Credential Delegation | HTTP Encryption |
---|---|---|---|---|
Basic | Yes | No | No | No |
Certificate | Yes | No | No | No |
Kerberos | No | Yes | Yes | Yes |
NTLM | Yes | Yes | No | Yes |
CredSSP | Yes | Yes | Yes | Yes |
Here, we will be talking about the Basic authentication method over HTTPS.
1. Log in to the Windows server as an administrator and execute the following sequence of commands in PowerShell to set up WinRM for Ansible.
Here are the commands to copy & paste to PowerShell terminal.
```powershell
PS C:\Users\Administrator> $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\Users\Administrator> powershell.exe -ExecutionPolicy ByPass -File $file
Self-signed SSL certificate generated; thumbprint: 5FAF0EAEF69EBB15A6B7CB9C80C29884D2F381C1

wxf                 : http://schemas.xmlsoap.org/ws/2004/09/transfer
a                   : http://schemas.xmlsoap.org/ws/2004/08/addressing
w                   : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
lang                : en-US
Address             : http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters

Ok.
PS C:\Users\Administrator>
```
2. If the Windows host has no internet connection, download the PowerShell script elsewhere and execute it locally. Rename the file extension after downloading it, then run the script in a PowerShell terminal to set up WinRM for Ansible.
```powershell
PS C:\Users\Administrator\Desktop> .\Setup-winrm-For-Ansible.ps1
Self-signed SSL certificate generated; thumbprint: 79FBCADD70DFDS778D5A4E220FA0911A72C21963E4B

wxf                 : http://schemas.xmlsoap.org/ws/2004/09/transfer
a                   : http://schemas.xmlsoap.org/ws/2004/08/addressing
w                   : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
lang                : en-US
Address             : http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters

Ok.
PS C:\Users\Administrator\Desktop>
```
3. Check the status of the WinRM service authentication methods.
```powershell
PS C:\Users\Administrator\Desktop> Get-ChildItem WSMan:\localhost\Service\Auth

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   Basic                                          true
System.String   Kerberos                                       true
System.String   Negotiate                                      true
System.String   Certificate                                    false
System.String   CredSSP                                        false
System.String   CbtHardeningLevel                              Relaxed
```
4. Run the following command to get the WinRM configuration.
```powershell
PS C:\Users\Administrator\Desktop> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
PS C:\Users\Administrator\Desktop>
```
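The step 4 output is worth reading, not just collecting: it shows `AllowUnencrypted = true` under `Service` while `Basic = true`, which is exactly the combination that lets a Basic-auth password travel in clear text if a client ever uses the HTTP listener on 5985 instead of the HTTPS listener the article recommends. The following added example (my own code, not from the article, Ansible or Microsoft) parses the indented `winrm get winrm/config` text into nested dicts and reports the Service-side settings a reviewer would want changed before the host is put on the management network. `SAMPLE_CONFIG` is a constructed, abridged copy of the output above, `HARDENED_CONFIG` is a constructed counterpart, and the function names are assumptions of this example.

```python
"""Audit `winrm get winrm/config` text for settings that weaken Ansible-over-WinRM.

Added example, not code from the article: parses WinRM's indented key = value
tree and checks the Service node for the settings that matter when Ansible
connects with Basic auth over HTTPS.
"""
import re

# Constructed sample, abridged from the step 4 output in the article.
SAMPLE_CONFIG = """\
Config
    MaxEnvelopeSizekb = 500
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        CertificateThumbprint
        AllowRemoteAccess = true
"""

# Constructed counterpart showing the Service settings a hardened host would print.
HARDENED_CONFIG = """\
Config
    Service
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            CredSSP = false
            CbtHardeningLevel = Strict
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = 192.0.2.10
        IPv6Filter =
"""

KEY_VALUE = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_winrm_config(text):
    """Turn WinRM's indented output into nested dicts keyed by node name.

    A line containing '=' is a key/value pair; any other line opens a node whose
    children are the following, deeper-indented lines. Nodes left without
    children (TrustedHosts, CertificateThumbprint) are empty-valued keys, so
    they are collapsed to "".
    """
    root = {}
    stack = [(-1, root)]  # (indent, dict) pairs, innermost last
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while indent <= stack[-1][0]:  # close nodes at the same or deeper indent
            stack.pop()
        parent = stack[-1][1]
        match = KEY_VALUE.match(line)
        if match:
            parent[match.group(1)] = match.group(2).strip()
        else:
            child = {}
            parent[line] = child
            stack.append((indent, child))
    return _collapse_empty(root)


def _collapse_empty(node):
    for key, value in node.items():
        if isinstance(value, dict):
            node[key] = _collapse_empty(value) if value else ""
    return node


def _is_true(value):
    return str(value).strip().lower() == "true"


def audit_winrm_service(config):
    """Return human-readable findings for the Service node; an empty list means clean."""
    service = config["Config"]["Service"]
    auth = service.get("Auth", {})
    findings = []
    if _is_true(service.get("AllowUnencrypted")):
        findings.append("Service/AllowUnencrypted=true: the HTTP listener (5985) accepts "
                        "unencrypted WS-Man traffic")
        if _is_true(auth.get("Basic")):
            findings.append("Basic auth together with AllowUnencrypted: the password can "
                            "cross the wire in clear text; keep Basic on HTTPS only")
    if auth.get("CbtHardeningLevel", "") != "Strict":
        findings.append("Auth/CbtHardeningLevel is not Strict: channel-binding tokens are "
                        "not enforced on the HTTPS listener")
    if _is_true(auth.get("CredSSP")):
        findings.append("Auth/CredSSP=true: credential delegation hands the full password "
                        "to the remote host; enable it only when delegation is needed")
    if service.get("IPv4Filter") == "*" or service.get("IPv6Filter") == "*":
        findings.append("IPv4Filter/IPv6Filter=*: WinRM listens on every address; restrict "
                        "it to the management network")
    return findings


if __name__ == "__main__":
    for finding in audit_winrm_service(parse_winrm_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the article's own output the audit reports four findings (unencrypted HTTP accepted, Basic over that unencrypted path, relaxed channel binding, and listeners bound to every address); the hardened sample reports none. Disabling Basic outright is not required for the article's approach, because Basic over the HTTPS listener is what it relies on; the point is that `AllowUnencrypted` on the service side must stay `false` so the same credentials cannot be sent over 5985.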
5. Log in to the Ansible server and install the "pywinrm" Python module to support the WinRM protocol.
```
[root@ansible-server ~]# pip install pywinrm
Collecting pywinrm
  Using cached https://files.pythonhosted.org/packages/0d/12/13a3117bbd2230043aa32dcfa2198c33269665eaa1a8fa26174ce49b338f/pywinrm-0.3.0-py2.py3-none-any.whl
Requirement already satisfied: xmltodict in /usr/lib/python2.7/site-packages (from pywinrm) (0.11.0)
Collecting requests>=2.9.1 (from pywinrm)
  Using cached https://files.pythonhosted.org/packages/ff/17/5cbb026005115301a8fb2f9b0e3e8d32313142fe8b617070e7baad20554f/requests-2.20.1-py2.py3-none-any.whl
Collecting requests-ntlm>=0.3.0 (from pywinrm)
  Using cached https://files.pythonhosted.org/packages/03/4b/8b9a1afde8072c4d5710d9fa91433d504325821b038e00237dc8d6d833dc/requests_ntlm-1.1.0-py2.py3-none-any.whl
```
6. Create a Windows host inventory like the following for testing.
```
[wintel]
192.168.2.16

[wintel:vars]
ansible_user=administrator
ansible_password=Password@123
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
```
7. Try to ping the Windows host using the Ansible win_ping module.
```
[root@ansible-server UnixArena_Project]# ansible all -i hosts_wintel -m win_ping
192.168.2.16 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@ansible-server UnixArena_Project]#
```
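The test inventory in step 6 takes two shortcuts that are fine for a lab and not for production: the administrator password sits in clear text in the inventory file, and `ansible_winrm_server_cert_validation=ignore` switches off verification of the self-signed listener certificate, so the Ansible server would happily send those credentials to any host answering on 192.168.2.16:5986. The following added example (my own code, not from the article or from Ansible) loads an inventory in the INI layout used above and reports those weaknesses, alongside a constructed hardened variant that keeps the password in a vault-encrypted vars file and trusts the listener certificate explicitly through `ansible_winrm_ca_trust_path` (a real Ansible connection variable; the file path and the placeholder password are assumptions). It handles only the one-host-per-line layout the article uses.

```python
"""Audit an Ansible INI inventory for WinRM transport settings that weaken the connection.

Added example, not code from the article: parses the inventory layout used in
step 6 and reports clear-text credentials, disabled certificate validation,
HTTP instead of HTTPS, and CredSSP delegation.
"""
import configparser

# Constructed sample modelled on the step 6 inventory (placeholder password).
SAMPLE_INVENTORY = """\
[wintel]
192.168.2.16

[wintel:vars]
ansible_user=administrator
ansible_password=PLACEHOLDER_PASSWORD
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
"""

# Constructed hardened variant: no password in the inventory (it lives in an
# ansible-vault encrypted vars file) and the self-signed listener certificate
# exported and trusted via a CA bundle. The path is a placeholder.
HARDENED_INVENTORY = """\
[wintel]
192.168.2.16

[wintel:vars]
ansible_user=administrator
ansible_connection=winrm
ansible_port=5986
ansible_winrm_server_cert_validation=validate
ansible_winrm_ca_trust_path=/etc/ansible/winrm-listener-ca.pem
"""


def load_inventory(text):
    """Return ({group: [hosts]}, {group: {var: value}}) from an INI inventory.

    Host lines carry no '=', so configparser runs with allow_no_value; only
    the simple one-host-per-line layout from the article is supported.
    """
    parser = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                       interpolation=None)
    parser.optionxform = str  # keep variable names and hostnames as written
    parser.read_string(text)
    hosts, group_vars = {}, {}
    for section in parser.sections():
        if section.endswith(":vars"):
            group_vars[section[:-len(":vars")]] = dict(parser.items(section))
        else:
            hosts[section] = list(parser[section].keys())
    return hosts, group_vars


def audit_winrm_vars(variables):
    """Findings for one group's vars; an empty list means nothing to fix."""
    findings = []
    if variables.get("ansible_connection") != "winrm":
        return findings
    if "ansible_password" in variables:
        findings.append("ansible_password is stored in clear text in the inventory; "
                        "keep it in an ansible-vault encrypted vars file")
    if variables.get("ansible_winrm_server_cert_validation", "validate") == "ignore":
        findings.append("ansible_winrm_server_cert_validation=ignore: the listener's "
                        "certificate is never checked, so the host can be impersonated")
    if variables.get("ansible_winrm_scheme") == "http" or variables.get("ansible_port") == "5985":
        findings.append("WinRM over HTTP (5985): use the HTTPS listener on 5986 instead")
    if variables.get("ansible_winrm_transport") == "credssp":
        findings.append("credssp transport delegates the full credential to the host; "
                        "prefer basic over HTTPS, NTLM or Kerberos unless delegation is required")
    return findings


def audit_inventory(text):
    """Map each group to its findings; groups with nothing to report are omitted."""
    _hosts, group_vars = load_inventory(text)
    report = {}
    for group, variables in group_vars.items():
        findings = audit_winrm_vars(variables)
        if findings:
            report[group] = findings
    return report


if __name__ == "__main__":
    for group, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print("%s: %s" % (group, finding))
```

For the article's inventory the audit reports two findings for the `wintel` group; for the hardened variant it reports none. The hardened variant still uses Basic authentication over HTTPS, as the article does, which is acceptable once the certificate is actually validated.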
The ping/pong result confirms that Ansible is able to establish a connection with the Windows server.
We have successfully configured the Windows server to support Ansible automation.
Mike says
I am trying to do it over CredSSP. Could you please help? I got this error. CredSSP encrypts the password and then it is more secure. Could you please help and guide me with a step-by-step guide?
```
UNREACHABLE! => {
    "changed": false,
    "msg": "credssp: Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual ''",
    "unreachable": true
}
```
Shubhi Johri says
Hi,
Thanks for the solution!! I am facing an issue, please assist.
While running the commands as you suggested:
```powershell
PS C:\Users\Administrator> $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
PS C:\Users\Administrator> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\Users\Administrator> powershell.exe -ExecutionPolicy ByPass -File $file
```
No output is coming and the certificate is not getting generated. Please help!!