Configure Windows Hosts
In this article, we’ll walk through how to configure Ansible so that it has both remote access to and administrative rights on our Windows hosts. We’ll accomplish this by:
- Creating a service account with administrative rights over our Windows hosts.
- Enabling WinRM on our Windows hosts to allow remote access.
- Updating Ansible so that Windows hosts are accessed via WinRM using the service account.
For this article, we will be using Kerberos for authentication when connecting to WinRM; however, other methods are available.
Service Account
Please see the Administrative Rights article, which outlines the process of creating a service account and granting it administrative rights over a set of Windows hosts.
WinRM Service
On each of the Windows hosts you’ll be managing via Ansible, enable WinRM:
Enable-PSRemoting -Force

This can be automated via GPO if preferred.
Kerberos Configuration
realm, you can skip this step.
Open /etc/krb5.conf and update the configuration to match the following. There are two areas you need to modify to match your environment:
If /etc/krb5.conf is missing, see the Install Ansible section.
- Under [realms], replace EXAMPLE.COM with your organization's domain name.
- Still within [realms], list all domain controllers you'd like Ansible to use for authentication.
- Add your organization's domain under [domain_realm].
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = false
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = domaincontroller01.example.com
kdc = domaincontroller02.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
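Before requesting a ticket, it helps to check the edits above mechanically. The following is an added example written for this article, not code from the original, that parses a krb5.conf in the shape shown above (a constructed sample is embedded) and flags a lower-case default_realm, a realm with no kdc entries while dns_lookup_kdc is false, and a missing [domain_realm] mapping:

```python
# Constructed sample in the shape of the article's /etc/krb5.conf (not a real environment).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 dns_lookup_kdc = false
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = domaincontroller01.example.com   # comments are stripped by the parser
  kdc = domaincontroller02.example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
"""
def parse_krb5_conf(text):
    """[section] -> {key: [values]}; a 'name = {' line opens a nested dict (repeated keys become a list)."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
            continue
        if line == "}":                               # end of a realm block
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                              # start of a realm block
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def check_krb5_conf(conf):
    """Problems that would stop kinit (and Ansible's Kerberos WinRM transport); [] means consistent."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [""])[0]
    if not realm:
        return ["[libdefaults] has no default_realm"]
    if realm != realm.upper():                        # Kerberos realm names are upper-case
        problems.append(f"default_realm {realm!r} must be upper-case")
    realm_block = conf.get("realms", {}).get(realm)
    kdcs = realm_block.get("kdc") if isinstance(realm_block, dict) else None
    if libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() != "true" and not kdcs:
        problems.append(f"[realms] has no kdc for {realm} while dns_lookup_kdc is false")
    if realm not in {v[0] for v in conf.get("domain_realm", {}).values()}:
        problems.append(f"[domain_realm] maps no DNS domain to {realm}")
    return problems
```

Run it against your real file with `check_krb5_conf(parse_krb5_conf(open("/etc/krb5.conf").read()))`; an empty list means the three points above are satisfied.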
To ensure the configuration is correct and working, request a Kerberos ticket.
# The domain portion must be in capitals.
[ansible@ANSIBLEHOST ~]$ kinit serviceaccount@EXAMPLE.COM
Password for serviceaccount@EXAMPLE.COM:

If successful, a ticket will be issued.

[ansible@ANSIBLEHOST ~]$ klist
Ticket cache: KCM:1000
Default principal: serviceaccount@EXAMPLE.COM
Valid starting       Expires              Service principal
01/04/2022 10:52:10  01/04/2022 10:52:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 01/08/2022 12:54:15

Ansible Configuration
By default, Ansible attempts to connect to hosts using the SSH protocol. Since Windows uses WinRM, we need to adjust our configuration to prioritize WinRM over SSH.
Working with the environment we set up previously, open the windows_hosts file located under group_vars. Create the file if it is not already present.

vim /opt/ansible/group_vars/windows_hosts

Enter the following connection details in the file. Ensure you replace the username and password with those of the service account you created earlier.
ansible_user: "serviceaccount@EXAMPLE.COM"
ansible_password: "mysecretpassword"
ansible_port: "5985"
ansible_connection: "winrm"
ansible_winrm_transport: "kerberos"
ansible_winrm_server_cert_validation: ignore
This file tells Ansible to prefer WinRM over SSH and provides the necessary connection details to allow a WinRM connection to succeed.
Testing
If all goes well, you should now be able to successfully connect and run commands on your Windows hosts. Below is an example using the builtin win_ping module. The purpose of this module is to verify connectivity only.
ansible -i production windows_hosts -m win_ping

PLAY [Ansible Ad-Hoc] ******************************************************************
TASK [win_ping] ************************************************************************
ok: [myfirstwindowsbasedhost]
PLAY RECAP *****************************************************************************
myfirstwindowsbasedhost : ok=1 changed=0 unreachable=0 failed=0 skipped=0

Congratulations, you've successfully configured management of Windows-based hosts using Ansible.