I believe https://github.com/ansible/ansible/issues/34552 may be from 
yourself as well, I'll post my response here to go into a bit more detail.

By default, the winrm connector inside Ansible uses basic auth as the 
transport authentication mechanism. You can see this happening as your 
error message says

"msg": "ssl: the specified credentials were rejected by the server",


Due to the way that pywinrm was originally written, "ssl" means that basic 
auth over HTTPS was done and we can't change this without breaking various 
people's playbooks that may rely on this behaviour. When specifying an 
ansible_user in the UPN format (username@REALM), the Ansible code picks 
this up as you want to authenticate with a domain account and will 
automatically change the selected auth mechanism from "ssl" to "kerberos" 
so theoretically all you need to do is change your username to use the UPN 
format, e.g. set *ansible_user: sys_ansi...@ger.corp.company.com* in your 
inventory.

I prefer to take it a step further where you explicitly state what auth you 
want to use to avoid default behaviour like this from occurring; you can do 
this by setting *ansible_winrm_transport: kerberos*. When this is set you 
can keep the username in the current format and the underlying libraries 
will parse it for you. Ultimately what I would personally do is set your 
group_vars to be

ansible_user: sys_ansi...@ger.corp.company.com
ansible_password: "password"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: ignore


Thanks

Jordan
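
Added example, not part of the message above and not Ansible's own code: a small Python audit that applies the transport selection as the post describes it (a UPN-style user switches the default from "ssl" to "kerberos") and reports settings worth reviewing in a set of WinRM connection vars. The function names, the sample user and realm, and the `vault_winrm_password` variable are assumptions made for illustration.

```python
# Simplified model of the selection described in the post (an assumption).
def parse_vars(text):
    """Parse flat 'key: value' lines (sufficient for vars like those above)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip().strip("\"'")
    return out

def effective_transport(v):
    """Return (transport, pinned) following the behaviour the post describes."""
    pinned = v.get("ansible_winrm_transport")
    if pinned:
        return pinned, True
    if "@" in v.get("ansible_user", ""):  # UPN user: switched to kerberos
        return "kerberos", False
    return "ssl", False  # "ssl" means basic auth over HTTPS

def audit(v):
    """Return findings for one set of connection vars."""
    findings = []
    transport, pinned = effective_transport(v)
    if not pinned:
        findings.append(f"transport not pinned, resolves to {transport}")
    if transport == "ssl":
        findings.append("basic auth in use")
    if v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("server certificate not validated")
    pw = v.get("ansible_password", "")
    if pw and not pw.startswith(("{{", "!vault")):
        findings.append("password stored as a literal")
    return findings

# Constructed sample inputs; user, realm and vault variable are placeholders.
IMPLICIT = parse_vars("""
ansible_user: svc_example
ansible_password: "password"
""")
PINNED = parse_vars("""
ansible_user: svc_example@EXAMPLE.CORP
ansible_password: "{{ vault_winrm_password }}"
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
""")
if __name__ == "__main__":
    print(audit(IMPLICIT), audit(PINNED))
```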
