Thanks Jon, good to see it's being well maintained. Had already gone down
the route of the self-signed cert via Powershell unfortunately.
I ran the ConfigureForAnsible.ps1 just in case I had missed something.
Seems like the same issue though:
<xx.xx.xx.xx> ESTABLISH WINRM CONNECTION FOR USER: ansible_user@DOMAIN on
PORT 5986 TO xx.xx.xx.xx
Server.domain | UNREACHABLE! => {
"changed": false,
"msg": "ntlm: ('Connection aborted.', error(104, 'Connection reset by
peer'))",
"unreachable": true
}
On Monday, June 6, 2016 at 2:35:39 PM UTC+2, J Hawkesworth wrote:
>
> Interesting.
>
> This change was recently added so you can force the
> ConfigureRemotingForAnsible.ps1 to generate a new self-signed cert by
> running like this:
>
> .\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert true
>
> https://github.com/ansible/ansible/pull/15275
>
> As its says in the PR 'This is necessary when a CN name changes and the
> self-signed cert is no longer valid and winRM is not allowing a connection
> because of winRM SSL validation errors.'
>
> Hope this helps,
>
> Jon
>
> On Monday, June 6, 2016 at 1:20:21 PM UTC+1, Mike Fennemore wrote:
>>
>> I'm beginning to think this might be as a result of the problem servers
>> being templated in VMWare perhaps?
>>
>> On Wednesday, June 1, 2016 at 7:41:50 PM UTC+2, Matt Davis wrote:
>>>
>>> Sorry, by "local user" I just meant using a non-domain user via
>>> pywinrm/Ansible. But yeah, for Basic to work, you'd have to (temporarily)
>>> enable unencrypted auth with something like:
>>>
>>> Set-Item WSMan:\localhost\Service\AllowUnencrypted $true
>>>
>>> The HTTPS_PROXY not working seems odd- I use it dozens of times a day...
>>> Sure you've got it exported? The problem is almost certainly on the
>>> control-machine side, as it'd just hang if the envvar worked and Fiddler
>>> wasn't configured properly.
>>>
>>> On Monday, May 30, 2016 at 12:45:48 AM UTC-7, Mike Fennemore wrote:
>>>>
>>>> For testing locally I'm assuming you mean Test-WSMan -Authentication
>>>> Basic -Credential <problem account> ? I am currently connecting on 5986
>>>> with ignore certificate validation turned on.
>>>> So in that case I would add -UseSSL switch on the Test-WSMan. Currently
>>>> running Test-WSMan -Authentication Basic -Credential <problem account>
>>>> gives:
>>>>
>>>> Test-WSMAN : <f:WSManFault xmlns:f="
>>>> http://schemas.microsoft.com/wbem/wsman/1/wsmanfault";
>>>> Code="2150858974" Machine="Server101"><f:Message>The WinRM client cannot
>>>> process the request. Unencrypted traffic is currently disabled in the
>>>> client configuration. Change the client configuration and try the request
>>>> again. </f:Message></f:WSManFault>
>>>> At line:1 char:1
>>>>
>>>> Normally I would say that would mean mean configuring AllowUnencrypted
>>>> on Winrm Client, however the other working systems do not have this
>>>> configured.
>>>>
>>>> Running Test-WSMAN -Authentication Negotiate -Credential "<user>"
>>>> -ComputerName localhost returns:
>>>>
>>>> wsmid :
>>>> http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
>>>> ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
>>>> ProductVendor : Microsoft Corporation
>>>> ProductVersion : OS: 6.3.9600 SP: 0.0 Stack: 3.0
>>>>
>>>> I will try the Fiddler method shortly and return the results.
>>>>
>>>> On Friday, May 27, 2016 at 7:48:53 PM UTC+2, Matt Davis wrote:
>>>>>
>>>>> Hey Mike,
>>>>>
>>>>> Unfortunately pywinrm currently has *zero* logging/diagnostic
>>>>> capabilities (something I'd like to correct for troubleshooting stuff
>>>>> like
>>>>> this). Meantime...
>>>>>
>>>>> A couple of things to try:
>>>>> - Does it work with Basic auth and a local user on that same box?
>>>>> - Any chance you could run with Fiddler in the middle? Just run
>>>>> Fiddler on some Windows box, configure it to capture/decrypt HTTPS and to
>>>>> allow external connection, then on your Ansible controller, export
>>>>> HTTPS_PROXY=http://(ip-of-fiddler-box):8888/ and go watch the fun.
>>>>>
>>>>> I'm mostly just curious where the connection reset is occurring, as
>>>>> there are numerous round-trips involved here (eg, is it NTLM auth
>>>>> failure,
>>>>> resource issue, or something else?).
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Matt
>>>>>
>>>>>
>>>>> On Friday, May 27, 2016 at 7:26:32 AM UTC-7, Mike Fennemore wrote:
>>>>>>
>>>>>> I have a selected few workgroup Windows server 2012 R2 servers that
>>>>>> give the following error:
>>>>>>
>>>>>> <10.128.44.37> ESTABLISH WINRM CONNECTION FOR USER: ansible_user on
>>>>>> PORT 5986 TO 10.128.44.37
>>>>>> server_101 | UNREACHABLE! => {
>>>>>> "changed": false,
>>>>>> "msg": "ntlm: ('Connection aborted.', error(104, 'Connection
>>>>>> reset by peer'))",
>>>>>> "unreachable": true
>>>>>> }
>>>>>>
>>>>>> I am using ntlm with Ansible 2.1.0.0 and pywinrm [kerberos] 2RC4. I
>>>>>> have tested the port is open, recreated the listeners, run a curl to the
>>>>>> server which delivers a successful 411 response.
>>>>>> Any ideas on further troubleshooting?
>>>>>>
>>>>>>
>>>>>>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/db3c8f21-bb30-4244-b27f-c4f4cd796016%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
