Skip to content

Ansible for Windows – Troubleshooting

Avatar photo

https://www.linkedin.com/in/gineesh/ https://twitter.com/GiniGangadharan

Managing Windows machines using Ansible is pretty straightforward and simple as in the document. You need to configure and enable WinRM on your Windows machine and then open WinRM ports 5985 and 5986(HTTPS) in the Windows Firewall (and also in the network firewall if any).

See other articles to learn how to manage windows using Ansible

But there are many cases where Ansible developers and users struggled to connect Windows machine from Ansible and I thought to publish common mistakes or errors and quick fixes for those issues.

Note: This is a living document and I will update this article whenever I find new issues or fixes related to the topic.

I have enabled WinRM and Firewall, how to verify ?

Simply check the port access using nc or any other available tools on your Ansible machine.

$ nc -vz 192.168.99.103 5985 
Connection to 192.168.99.103 port 5985 [tcp/wsman] succeeded !

I am facing Python Multiprocessing error while executing Ansible command

I am getting below error while executing ansible command.

$ ansible win2016 -m win_ping
objc[72452]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
objc[72452]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.

Fix: This error occurs because of added security to restrict multithreading in macOS High Sierra and later versions of macOS.

$ export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES

You can export this via zsh or bash profile permanently.

WinRM issue with Unencrypted User Account

$ ansible win2016 -m win_ping
win2016 | UNREACHABLE! => {
    "changed": false,
    "msg": "basic: the specified credentials were rejected by the server",
    "unreachable": true
}

Fix: Enable basic authentication and unencrypted data on the WinRM service

Please note, if you are using HTTPS authentication, you should not enable this configurations.

1. Enable basic authentication on the WinRM service

PS > winrm set winrm/config/service/auth '@{Basic="true"}'
Auth
    Basic = true
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Relaxed

2. Also allow transfer of unencrypted data on the WinRM service.

PS >  winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true

You can check status using winrm get winrm/config/service.

References

Disclaimer:

The views expressed and the content shared in all published articles on this website are solely those of the respective authors, and they do not necessarily reflect the views of the author’s employer or the techbeatly platform. We strive to ensure the accuracy and validity of the content published on our website. However, we cannot guarantee the absolute correctness or completeness of the information provided. It is the responsibility of the readers and users of this website to verify the accuracy and appropriateness of any information or opinions expressed within the articles. If you come across any content that you believe to be incorrect or invalid, please contact us immediately so that we can address the issue promptly.

Avatar photo


https://www.linkedin.com/in/gineesh/ https://twitter.com/GiniGangadharan
Gineesh Madapparambath is the founder of techbeatly and he is the co-author of The Kubernetes Bible, Second Edition. and the author of 𝗔𝗻𝘀𝗶𝗯𝗹𝗲 𝗳𝗼𝗿 𝗥𝗲𝗮𝗹-𝗟𝗶𝗳𝗲 𝗔𝘂𝘁𝗼𝗺𝗮𝘁𝗶𝗼𝗻. He has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform). (aka Gini Gangadharan - iamgini.com)

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.