Configure Windows Hosts
In this article we’ll walk through configuring Ansible so it has both remote access to and administrative rights on our Windows hosts. We’ll accomplish this by:
- Creating a service account with administrative rights over our Windows hosts.
- Enabling WinRM on our Windows hosts to allow remote access.
- Updating Ansible so Windows hosts are accessed via WinRM using the service account.
For this article we will be using Kerberos for authentication when connecting to WinRM; other methods are available.
Service Account
Please see the Administrative Rights article, which outlines both creating a service account and granting it administrative rights over a set of Windows hosts.
WinRM Service
On each of the Windows hosts you’ll be managing via Ansible, enable WinRM:
Enable-PSRemoting -Force
This can be automated via GPO if preferred.
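As an added example (not part of the original article), the following PowerShell, run in an elevated session on each domain-joined Windows host, performs the same Enable-PSRemoting step and then restricts the WinRM service to Kerberos with encryption required, scopes the firewall rules, and reports the settings Ansible depends on. The controller address is a placeholder.

```powershell
# Added example, not from the original article. Run elevated on a domain-joined host.
# Enables WinRM (service, HTTP listener on TCP 5985, firewall rules) as the article does,
# then restricts it to Kerberos with encryption and verifies the result.

Enable-PSRemoting -Force

# Authentication: keep Kerberos (what the Ansible inventory uses), disable Basic and
# refuse unencrypted sessions so a client cannot fall back to clear-text credentials.
Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos -Value $true
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Scope the built-in WinRM firewall rules to the Ansible controller only.
$ansibleController = '192.0.2.10'   # placeholder: your Ansible host's IP address
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled True |
    Set-NetFirewallRule -RemoteAddress $ansibleController

# Verification: listeners, authentication methods and encryption policy in one object.
# WSMan provider values are strings ('true'/'false'), which is what the checks compare.
$listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    ForEach-Object { "$($_.Transport):$($_.Port)" }
$auth = Get-ChildItem WSMan:\localhost\Service\Auth |
    ForEach-Object { "$($_.Name)=$($_.Value)" }

$state = [pscustomobject]@{
    Listeners        = $listeners -join ', '
    Auth             = $auth -join ', '
    AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
}
$state | Format-List

# Healthy output for this article's setup shows HTTP:5985 under Listeners,
# Kerberos=true and Basic=false under Auth, and AllowUnencrypted=false.
if ($state.AllowUnencrypted -ne 'false' -or $auth -contains 'Basic=true') {
    Write-Warning 'WinRM still accepts Basic or unencrypted sessions; review the settings above.'
}
```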
Kerberos Configuration
If you joined the domain using the realm command, you can skip this step. If /etc/krb5.conf is missing, see the Install Ansible section.
Open /etc/krb5.conf and update the configuration to match the following. There are two areas you need to modify to match your environment:
- Under [realms], replace EXAMPLE.COM with your organization’s domain name.
- Still within [realms], list all domain controllers you’d like Ansible to use for authentication.
- Add your organization’s domain under [domain_realm].
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = false
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  EXAMPLE.COM = {
    kdc = domaincontroller01.example.com
    kdc = domaincontroller02.example.com
  }
[domain_realm]
.example.com = EXAMPLE.COM
To ensure the configuration is correct and working, request a Kerberos ticket.
# The domain (realm) portion must be in capitals.
[ansible@ANSIBLEHOST ~]$ kinit <service-account>@EXAMPLE.COM
Password for <service-account>@EXAMPLE.COM:
If successful, a ticket will be issued.
[ansible@ANSIBLEHOST ~]$ klist
Ticket cache: KCM:1000
Default principal: <service-account>@EXAMPLE.COM
Valid starting       Expires              Service principal
01/04/2022 10:52:10  01/04/2022 10:52:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 01/08/2022 12:54:15
Ansible Configuration
Ansible by default attempts to connect to hosts using the SSH protocol. Since Windows uses WinRM by default, we need to adjust our configuration to prioritize WinRM over SSH.
Working with the environment we set up previously, open the windows_hosts file located under group_vars. Create the file if it is not already present.
vim /opt/ansible/group_vars/windows_hosts
Enter in the following connection details within the file. Ensure you replace the username and password with that of the service account you created earlier.
ansible_user: "<service-account>@EXAMPLE.COM"
ansible_password: "mysecretpassword"
ansible_port: "5985"
ansible_connection: "winrm"
ansible_winrm_transport: "kerberos"
ansible_winrm_server_cert_validation: ignore
This file tells Ansible to prefer WinRM over SSH and provides the necessary connection details to allow a WinRM connection to succeed. Note that with Kerberos over HTTP on port 5985 the WinRM payload is encrypted by Kerberos message security, and ansible_winrm_server_cert_validation only applies to HTTPS listeners on port 5986; the password should be stored with ansible-vault rather than in plain text.
Testing
If all goes well, you should now be able to successfully connect and run commands on your Windows hosts. Below is an example using the builtin win_ping module. The purpose of this module is to verify connectivity only.
ansible -i production windows_hosts -m win_ping
PLAY [Ansible Ad-Hoc] ******************************************************************
TASK [win_ping] ************************************************************************
ok: [myfirstwindowsbasedhost]
PLAY RECAP *****************************************************************************
myfirstwindowsbasedhost : ok=1 changed=0 unreachable=0 failed=0 skipped=0
Congratulations, you’ve successfully configured management of Windows-based hosts using Ansible.