Managing Windows with Ansible
Managing Microsoft Windows servers with Ansible requires a few configuration steps to get Ansible authentication working. The Ansible Guide to Windows provides lots of options and information to accomplish this task. This article will focus on the two easiest options for Windows Remote Management (WinRM): Basic and Kerberos.
I am assuming that you are running Ansible version 2.7 or higher to manage a Microsoft Windows Server 2012 (or newer) host. If you are running an older version of Windows, be sure to follow the steps in the Ansible Guide to Windows to upgrade to PowerShell 3.0 and install the WinRM memory hotfix.
WinRM is configured by default with NTLM and Kerberos authentication enabled, and current versions of Microsoft Windows servers have a suitable version of PowerShell available.
WinRM Basic Authentication
This is the easiest and least secure authentication method to configure (Basic sends the password base64-encoded, which is as good as cleartext), but it will get you up and running with a standalone server in a matter of minutes. If your server is a member of an MSAD domain, use Kerberos authentication as explained below.
There are two steps for configuring Basic authentication:
- Create the ansible user and add it to the local Administrators group. Use whatever method you are comfortable with for this step. Be sure to clear the "user must change password at next logon" flag and set the password to never expire, since Ansible cannot complete an interactive password change over WinRM.
- Enable WinRM for Basic Authentication.
To enable Basic authentication, open a PowerShell window as Administrator and run:
# Let the WinRM service accept Basic authentication (off by default)
Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
# Lab only: permit unencrypted sessions on the HTTP listener (port 5985)
Set-Item -Path "WSMan:\localhost\Service\AllowUnencrypted" -Value $true
The step that is easy to miss is AllowUnencrypted. Ansible's basic transport provides no message-level encryption of its own, so over the HTTP listener on port 5985 the credentials and every command and result cross the network in cleartext; with AllowUnencrypted left at its default of false, WinRM simply refuses the session. The setting is documented, and it is not recommended in production: there, use the HTTPS listener on port 5986 (or Kerberos, below) and leave AllowUnencrypted false. This is a lab environment, so allowing insecure communication is an accepted risk here.
In your inventory for this host or group, you will need the following settings (assuming you use “ansible” as the user):
ansible_user: "ansible"
ansible_password: "MyPassword"
ansible_connection: "winrm"
ansible_port: 5985
ansible_winrm_transport: "basic"
You can test the connection with the “win_ping” Ansible module.
$ ansible -m win_ping -i inventory/sample.yml win160.sample.com
win160.sample.com | SUCCESS => {
"changed": false,
"ping": "pong"
}
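The two server-side steps above, plus the HTTPS listener that removes the need for AllowUnencrypted, as one script. This is an added example, not code from the original article; the account name "ansible", the certificate subject and the firewall rule name are assumptions. Run it in an elevated PowerShell on the standalone server:

```powershell
# Added example (not from the original article). Assumptions: local account "ansible",
# a self-signed certificate issued to the server's own FQDN, firewall rule "WinRM HTTPS".

$User     = "ansible"
$Password = Read-Host -AsSecureString -Prompt "Password for $User"

# Step 1: local administrator account with the flags the article calls for
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $Password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description "Ansible service account" | Out-Null
}
if (-not (Get-LocalGroupMember -Group "Administrators" -Member $User -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group "Administrators" -Member $User
}

# Step 2: let the WinRM service accept Basic authentication
Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true

# Weak setting (lab only): Basic over the HTTP listener on 5985 needs this, and it puts
# the password and every command/result on the wire in cleartext. Left commented out.
# Set-Item -Path "WSMan:\localhost\Service\AllowUnencrypted" -Value $true

# Corrected setting: an HTTPS listener on 5986 with a self-signed certificate, so Basic
# credentials travel inside TLS and AllowUnencrypted can stay at its default of false.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$Cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation "Cert:\LocalMachine\My"
$HasHttps = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains "Transport=HTTPS" }
if (-not $HasHttps) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $Cert.Thumbprint -Force | Out-Null
}
New-NetFirewallRule -DisplayName "WinRM HTTPS" -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -Action Allow -ErrorAction SilentlyContinue | Out-Null

# Check the resulting posture: Basic true, AllowUnencrypted false, HTTPS listener present
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-Item WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value
Get-ChildItem WSMan:\localhost\Listener | Select-Object -ExpandProperty Keys
```

With the HTTPS listener in place, change the inventory to ansible_port: 5986 and, because the certificate is self-signed, add ansible_winrm_server_cert_validation: "ignore" (Ansible selects the https scheme automatically for port 5986). The win_ping test then works with ansible_winrm_transport: "basic" and AllowUnencrypted still false.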
WinRM Kerberos Authentication
On an MSAD domain member server, the configuration is easier on the server end, as you only need to ensure the ansible user (or group) is in the local Administrators group; WinRM already accepts Kerberos authentication. You could add the ansible user to the Domain Admins group, but I prefer to create a separate group in MSAD for Ansible and add this group to the server's local Administrators group, so the account has administrative rights only on the servers Ansible manages.
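The group-based delegation described above, as an added example rather than code from the original article. The group name "Ansible-Admins", the account "ansible" and the NetBIOS domain name "SAMPLE" are assumptions. Part 1 runs on a domain controller or workstation with the ActiveDirectory RSAT module; part 2 runs in an elevated PowerShell on each managed member server:

```powershell
# Added example (not from the original article). Assumptions: AD group "Ansible-Admins",
# account "ansible" in realm SAMPLE.COM, NetBIOS domain "SAMPLE".

# --- Part 1: on a host with the ActiveDirectory module (domain controller or RSAT) ---
Import-Module ActiveDirectory
$Group = "Ansible-Admins"
$User  = "ansible"

if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
        -Description "Members may manage servers through Ansible/WinRM"
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$User'")) {
    New-ADUser -Name $User -SamAccountName $User -UserPrincipalName "$User@sample.com" `
        -AccountPassword (Read-Host -AsSecureString -Prompt "Password for $User") `
        -Enabled $true -PasswordNeverExpires $true
}
Add-ADGroupMember -Identity $Group -Members $User

# --- Part 2: on each managed member server (elevated PowerShell) ---
$DomainGroup = "SAMPLE\Ansible-Admins"
if (-not (Get-LocalGroupMember -Group "Administrators" -Member $DomainGroup -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group "Administrators" -Member $DomainGroup
}

# Check the WinRM service: Kerberos must be on, and nothing here requires Basic/unencrypted
$Auth = Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
$Auth
if (($Auth | Where-Object Name -eq "Kerberos").Value -ne "true") {
    Write-Warning "Kerberos authentication is disabled on the WinRM service"
}
if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq "true") {
    Write-Warning "AllowUnencrypted is on; it is not needed for Kerberos, turn it off"
}
if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq "true") {
    Write-Warning "Basic authentication is on; it is not needed for Kerberos, turn it off"
}
```

Kerberos (like NTLM and CredSSP) encrypts the WinRM message body itself, so the Kerberos transport works over the plain HTTP listener on 5985 without AllowUnencrypted; the warnings above flag the two Basic-era settings that should be reverted on a domain member. Membership changes take effect at the user's next logon, so a ticket obtained before Add-ADGroupMember ran will not carry the new group.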
On your Ansible control node you need to install the Kerberos libraries and the Python Kerberos wrapper for pywinrm, then configure the Kerberos client. I have created two playbooks to automate these tasks. The first playbook (winrm_kerberos_installation.yml) installs the required software and the second playbook (winrm_kerberos_configuration.yml) configures the Kerberos client.
The winrm_kerberos_installation.yml playbook automates installing the Kerberos library and Python Kerberos wrapper on the Ansible control node. No inventory is required, assuming you are installing locally.
$ ansible-playbook playbooks/winrm_kerberos_installation.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Install WinRM Kerberos Dependencies] ********************************

TASK [Gathering Facts] ****************************************************
ok: [localhost]

TASK [Start] **************************************************************
ok: [localhost] => {}

MSG:

2020-12-22 14:55:03

TASK [Install Required Packages - RedHat/CentOS] **************************
changed: [localhost]

TASK [Install Required Packages - Debian/Ubuntu] **************************
skipping: [localhost]

TASK [Install python winrm wrapper] ***************************************
changed: [localhost]

PLAY RECAP ****************************************************************
localhost : ok=2 changed=2 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
Next, add the winrm_kerberos_config variable to your main inventory file (inventory/sample.yml in the tutorial project). The domain is your MSAD DNS domain and kdc lists the domain controllers the Kerberos client may contact:
winrm_kerberos_config:
  domain: "sample.com"
  kdc:
    - "dc1.sample.com"
    - "dc2.sample.com"
Third, run the winrm_kerberos_configuration.yml playbook to configure the Kerberos client:
$ ansible-playbook -i inventory/sample.yml playbooks/winrm_kerberos_configuration.yml

PLAY [Configure WinRM Kerberos] *******************************************

TASK [Gathering Facts] ****************************************************
ok: [localhost]

TASK [Start] **************************************************************
ok: [localhost] => {}

MSG:

2020-12-22 15:21:06

TASK [Configure [libdefaults] - Disable RDNS] *****************************
ok: [localhost]

TASK [Template the configuration file] ************************************
changed: [localhost]

PLAY RECAP ****************************************************************
localhost : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
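For reference, the shape of /etc/krb5.conf that the two inventory values above map to, with the "Disable RDNS" task applied. This is an added illustration written here, not the template from the companion repository, and the admin_server line and the realm-to-domain mapping are assumptions about what a minimal working client configuration contains:

```ini
# Added example: a minimal krb5.conf for the sample.com domain (not the repository's template).
[libdefaults]
    default_realm = SAMPLE.COM
    # Disable RDNS: without this the client reverse-resolves the target host and may build a
    # service principal from a PTR record that does not match the server's registered SPN.
    rdns = false

[realms]
    SAMPLE.COM = {
        kdc = dc1.sample.com
        kdc = dc2.sample.com
        admin_server = dc1.sample.com
    }

[domain_realm]
    .sample.com = SAMPLE.COM
    sample.com = SAMPLE.COM
```

Kerberos realm names are upper case while the DNS domain is lower case, which is why the inventory user below is written ansible@SAMPLE.COM. Before running Ansible you can check the client on its own with kinit ansible@SAMPLE.COM followed by klist; the inventory hostname must be the server's FQDN (not an IP address), because the ticket is requested for the HTTP/<fqdn> service principal.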
Finally, back in your inventory for this host or group, you will need the following settings for Kerberos authentication (assuming you use "ansible@SAMPLE.COM" as the user; when ansible_password is set, Ansible runs kinit with it for you, so no ticket needs to be obtained by hand):
ansible_user: "ansible@SAMPLE.COM"
ansible_password: "MyPassword"
ansible_connection: "winrm"
ansible_port: 5985
ansible_winrm_transport: "kerberos"
You find the playbooks and sample inventory for Kerberos authentication in the companion GitHub repository.
I hope this has been helpful to get you started with managing a Microsoft Windows server with Ansible.