Setup WinRM for Ansible with Certificate Authentication in 8 Easy Steps

A complete guide on how to set up a production Windows machine with WinRM over HTTPS using certificate authentication. This allows the Ansible server to communicate with the Windows host in order to configure it. All the scripts used in this video are in the Git repository linked below.

Previous Video: https://youtu.be/FkBX7DXTDc0
Github Repository: https://github.com/devopssolver/ansible-winrm-cert-auth

Table of Contents:
► 00:21 – Step 1: Create Client Certificates
► 01:38 – Step 2: Install Client Certs on Win Server
► 03:01 – Step 3: Enable WinRM Service on Win Server
► 03:55 – Step 4: Create Certificates on Win Server
► 04:34 – Step 5: Setup Ansible User on Win Server
► 05:23 – Step 6: Create WinRM Https Listener
► 06:16 – Step 7: Allow WinRM Https Port on Win Server
► 06:35 – Step 8: Setup and Test Ansible

Resources:
► Adam The Automator Blog Post – https://adamtheautomator.com/winrm-https-ansible/?utm_source=adamtheautomator&utm_medium=website&utm_campaign=search

13 Comments
    • Sunny Bhatia
      May 09, 2022 19:54 pm

      Thank you very much for this video. I like it.
      But while working I am facing one error while running create_ansible_user.ps1.
      It says:
      New-Item : The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be verified. Please check the username and password used for mapping this certificate and verify that it is a non-domain account and try again.
      Can you help?

    • _ Oly _
      May 09, 2022 19:54 pm

      Probably the best video I have seen on this topic. Thanks

    • Clinton Ryan Manigsaca
      May 09, 2022 19:54 pm

      Is it possible to use only 1 certificate for all my Windows servers?

      That way I do not have to generate and sign each one of them.

      I have about 100+ servers so it can be a bit difficult to maintain.

    • Varune Pundit
      May 09, 2022 19:54 pm

      Thank you for this! Very useful. One question, can you use a domain ID instead of a local account?

    • SSP
      May 09, 2022 19:54 pm

      Hi @DevOpsLab,

      While using the PowerShell script create_ansible_user.ps1, I am getting the below error:

      New-Item : The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be verified. Please check the username and password used for mapping this certificate and verify that it is a non-domain account and try again.
      At C:TempClient_certcreate_ansible_user.ps1:51 char:1
      + New-Item @params
      + ~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [New-Item], InvalidOperationException
      + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.NewItemCommand

      It would be great if you could help.

    • Farid Nasiri
      May 09, 2022 19:54 pm

      Thanks for the excellent article and video. What could be the reason for this error? The server is pingable.
      fatal: [chq-dsctest.abcd..com]: UNREACHABLE! => {"changed": false, "msg": "certificate: HTTPSConnectionPool(host='chq-dsctest.abcd..com', port=5986): Max retries exceeded with url: /wsman (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 403 Forbidden',)))", "unreachable": true}

    • duplex work
      May 09, 2022 19:54 pm

      Hello, I am getting an error when generating the client auth certificate using the openssl cmd.

      I verified the requirements and all is fine, but I am still getting the below openssl error.

      Please help me out.

      openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -out client_cert.pem -outform PEM -keyout client_key.pem -subj "/CN=ansible" -extensions v3_req_client

      Error:

      140010270967696:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 5

      openssl.conf:

      distinguished_name = req_distinguished_name
      [req_distinguished_name]
      [v3_req_client]
      extendedKeyUsage = clientAuth
      subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$ansible@localhost

      Installed Packages

      openssl.x86_64 1:1.0.2k-21.el7_9 @rhel-x86_64-server-7

      Red Hat Enterprise Linux Server release 7.9 (Maipo)
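
An added example, not part of the comment above or of the video's repository: OpenSSL expands "$name" references inside its configuration file, so a literal "$ansible" on the subjectAltName line is read as an undefined variable, which is what "variable has no value ... line 5" reports. The script below writes the config with the user name already substituted by the shell, generates the client certificate, checks its extensions, and reproduces the failure for comparison. The function names, the output directory layout and the use of -config are assumptions made for this example; the user name "ansible" is taken from the comment's -subj value.

```bash
# Added example; function names are hypothetical, not from the video's repository.

# Create a self-signed client certificate for WinRM certificate mapping.
# $1 = local Windows user name, $2 = output directory.
make_client_cert() {
  mkdir -p "$2" || return 1
  # Unquoted heredoc: the shell substitutes ${1} before OpenSSL parses the file,
  # so OpenSSL never sees a "$name" variable reference.
  cat > "$2/openssl.conf" <<EOF
distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${1}@localhost
EOF
  # umask in a subshell keeps the private key readable by its owner only.
  ( umask 077
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
      -config "$2/openssl.conf" -extensions v3_req_client \
      -subj "/CN=$1" -outform PEM \
      -out "$2/client_cert.pem" -keyout "$2/client_key.pem" )
}

# Succeeds only if the certificate has the clientAuth EKU and an otherName SAN.
cert_is_client_auth() {
  text="$(openssl x509 -in "$1" -noout -text)" || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' &&
    printf '%s\n' "$text" | grep -qi 'othername'
}

# Reproduces the reported error: a quoted heredoc leaves "$ansible" literal, and
# OpenSSL rejects it as a config variable that has no value.
literal_dollar_fails() {
  mkdir -p "$1" || return 1
  cat > "$1/bad.conf" <<'EOF'
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$ansible@localhost
EOF
  ! openssl req -x509 -nodes -newkey rsa:2048 -config "$1/bad.conf" \
      -extensions v3_req_client -subj "/CN=ansible" \
      -out "$1/c.pem" -keyout "$1/k.pem" 2>/dev/null
}
```

Of the two files produced, client_cert.pem is the one installed on the Windows server in Step 2; client_key.pem stays on the Ansible host.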

    • stormalf summoners war
      May 09, 2022 19:54 pm

      Many thanks, very clear, detailed and useful. Now Ansible on WSL2 works well with Windows using WinRM and SSL certificate!

    • Warley Vinicius
      May 09, 2022 19:54 pm

      Hello, can you help me with authentication using Kerberos (using Active Directory on Windows)?

    • Nimish Chandra
      May 09, 2022 19:54 pm

      Hello, I have done all the steps successfully but somehow I am able to connect, getting
      "msg": "certificate: the specified credentials were rejected by the server", "unreachable": true
      Please help.

    • Ari Prince
      May 09, 2022 19:54 pm

      Pretty impressive tutorial, but I am having an issue with script 6, creating the WinRM HTTPS listener.
      Could you please help me to solve this problem?

    • David McKee
      May 09, 2022 19:54 pm

      I'm not going to lie, this video is brilliant. It's so incredibly helpful, thank you for taking the time to create and share it. Topics like this don't have enough online support to help the tech industry become knowledgeable of these topics. This is very precise, and looks to cover all the steps needed. Great Job!

    • Tài Phạm Quý
      May 09, 2022 19:54 pm

      Hey bro, can you help me? Why do I have an issue at step 6?
      Error: the winrm client cannot process the request. the certificate structure was incomplete
      Thanks a lot
