This is most likely the double hop problem where the WinRM process on the 
Windows side is unable to authenticate itself when talking to a downstream 
server [1].

There are a few ways you can solve this:

   - Use become on the task [2]
   - Use CredSSP as your authentication protocol with WinRM
   - Set up Kerberos delegation through either
      - Unconstrained delegation
      - Constrained delegation
      - Resource based delegation
   
Thanks

Jordan

[1] https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3
[2] https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#become-and-windows

On Tuesday, May 2, 2023 at 11:27:32 AM UTC+10 Gregory Machin wrote:

> Hi, 
>
> I'm currently testing using AWX as an API to run PowerShell commands via 
> ansible playbooks. 
>
> I'm currently testing using the Get-ADUser command as this is close to 
> what I'll be doing. 
>
> I'm using the following Ansible playbook  
>
> - name: Test Extra Variables and PowerShell Command
>   hosts: all
>   collections:
>   tasks:
>     - name: Show Extra Variables
>       debug:
>         msg:
>           - "NewUserName: {{ NewUserName }}"
>           - "UserManager: {{ UserManager }}"
>
>     - name: Run PowerShell Command with SYSTEM account
>       ansible.windows.win_shell: |
>         whoami
>         Test-NetConnection server.Domain.local -port 9389
>         Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite
>         Get-ADUser -Identity {{ NewUserName }}
>       register: result
>
>     - name: Show PowerShell Command Result
>       debug:
>         var: result.stdout_lines
>
> but Get-ADUser errors with:
>
> Get-ADUser : Unable to contact the server. This may be because this server 
> does not exist, it is currently down, or it 
> does not have the Active Directory Web Services running.
> At line:4 char:1
> + Get-ADUser -Identity bbuilder
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : ResourceUnavailable: (bbuilder:ADUser) [Get-ADUser], ADServerDownException
>     + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
>
> but I don't have any issues running Get-ADUser under my account or the 
> service account used for the playbook on the same server. 
>
> the following in the playbook work as expected: 
>         Test-NetConnection server.Domain.local -port 9389
>         Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite
>
> It feels like there is something missing in the PowerShell environment used by 
> Ansible, but I can't see what could cause this.
>
> Please advise.
>
> thank you
> G
>
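
Added example, not part of the original thread: the first option from the reply (become) applied to the Get-ADUser task of the quoted playbook. It assumes the WinRM connection account and its password are available as `ansible_user` and `ansible_password`; the commented variables at the end show how the CredSSP and Kerberos delegation options are selected instead.

```yaml
# Added example; play and task names are assumptions, the commands are
# the ones from the quoted playbook.
- name: Query AD through the second hop
  hosts: all
  tasks:
    - name: Run Get-ADUser under a become (runas) logon
      ansible.windows.win_shell: |
        whoami
        Get-ADUser -Identity {{ NewUserName }}
      become: true
      become_method: runas
      vars:
        # Reuse the connection account. become creates a fresh logon on
        # the Windows host with explicit credentials, so that session can
        # authenticate to the domain controller (ADWS on port 9389).
        ansible_become_user: "{{ ansible_user }}"
        ansible_become_password: "{{ ansible_password }}"
      register: result

    - name: Show PowerShell Command Result
      ansible.builtin.debug:
        var: result.stdout_lines

# Alternatives from the list in the reply, set as inventory or host
# variables instead of using become (pick one):
#
#   ansible_winrm_transport: credssp
#
#   ansible_winrm_transport: kerberos
#   ansible_winrm_kerberos_delegation: true
```

CredSSP and `ansible_winrm_kerberos_delegation` both give the remote host credentials it can reuse against other servers, so enable them only for hosts trusted at that level; with become, scoping it to the single task that needs the second hop keeps the exposure narrow.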
