Chef and Windows Active directory

Hi,

I’ve been bootstrapping Windows servers in a lab environment using local admin accounts and this has worked fine (bootstrap command is run from a Windows server). However, we’re now trying to integrate this into production and would like to use an AD account when bootstrapping the server. This is failing with the following error:

D:\chef-repo>knife bootstrap windows winrm 10.175.1.21 --winrm-user=“domain\build_chef” --winrm-password="password"
Bootstrapping Chef on 10.175.1.21
ERROR: Failed to authenticate to [“10.175.1.21”] as domain\build_chef
Response: Bad HTTP response returned from server (401).
ERROR: Batch render command returned

On the server I am trying to bootstrap, I get this error in the security logs:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Build_Chef
Account Domain: BMGUK

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000005E
Sub Status: 0x0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Any ideas on why this is failing? And why is it trying to use NTLM rather than Kerberos?

The user is in the local administrators group so has access to the server.

Thanks
Tom

HBVB trading as Bauer Corporate Services (BCS) is a division of the Bauer Media
Group the largest consumer publisher in the UK, and second largest commercial
radio broadcaster. BCS provides financial services and manages and develops IT
systems on which our UK publishing, broadcast, digital and partner businesses depend.

The information in this email is intended only for the addressee(s) named above.
Access to this email by anyone else is unauthorised. If you are not the intended
recipient of this message any disclosure, copying, distribution or any action
taken in reliance on it is prohibited and may be unlawful. HBVB do not warrant that
any attachments are free from viruses or other defects and accept no liability for
any losses resulting from infected email transmissions.

Please note that any views expressed in this email may be those of the originator
and do not necessarily reflect those of this organisation.

HBVB is registered in England; Registered address is
1 Lincoln Court, Lincoln Road, Peterborough, PE1 2RF.

Registration number 8453545

Le 2014-04-09 17:10, Deprez, Tom a écrit :

Hi,

I've been bootstrapping Windows servers in a lab environment using local admin accounts and this has worked fine (bootstrap command is run from a Windows server). However, we're now trying to integrate this into production and would like to use an AD account when bootstrapping the server. This is failing with the following error:

D:chef-repo>knife bootstrap windows winrm 10.175.1.21 --winrm-user="domainbuild_chef" --winrm-password="password"

Bootstrapping Chef on 10.175.1.21

ERROR: Failed to authenticate to ["10.175.1.21"] as domainbuild_chef

Response: Bad HTTP response returned from server (401).

ERROR: Batch render command returned

On the server I am trying to bootstrap, I get this error in the security logs:

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: Build_Chef

Account Domain: BMGUK

Failure Information:

Failure Reason: An Error occured during Logon.

Status: 0xC000005E

Sub Status: 0x0

Detailed Authentication Information:

Logon Process: NtLmSsp

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

Any ideas on why this is failing? And why is it trying to use NTLM rather than Kerberos?

NtLmSsp is the auth service under windows, it doen't really tell if it
is authenticating with kerberos or NTLM scheme.

Try using user@domain.fully.qualified.name or escape the backslah to
avoid escaping the B of Build_chef: domain\Build_hef.

If the domainBuild_chef is only a mail typo, try the @ form for the
username which should works.

Regards,

Tensibai

Tom, on which machine are you getting those auth logs? On the DC, or on the
server you’re truing to join to the domain?

The first thing to check is if you can issue commands via knife winrm, so
rather than a bootstrap, can you issue a simple command like “echo” on the
system? If not, then you probably need to enable “allow unencrypted” on
your winrm listener on the remote system. To confirm one thing though: is
the machine already joined to the domain and that domain user a member of
the local admins group?

If that is working, then it sounds like the credentials aren’t making it
off the system when talking to the DC. In that case, enabling CredSSP is
required, e.g. in powershell

ls WSMan:\localhost\Service\Auth\CredSSP

If that shows false, try using set-item to set it to true.

Thanks.

-Adam

From: Deprez, Tom [mailto:tom.deprez@bauerservices.co.uk]
Sent: Wednesday, April 9, 2014 8:10 AM
To: chef@lists.opscode.com
Subject: [chef] Chef and Windows Active directory

Hi,

I’ve been bootstrapping Windows servers in a lab environment using local
admin accounts and this has worked fine (bootstrap command is run from a
Windows server). However, we’re now trying to integrate this into
production and would like to use an AD account when bootstrapping the
server. This is failing with the following error:

D:\chef-repo>knife bootstrap windows winrm 10.175.1.21
–winrm-user=“domain\build_chef” --winrm-password=“password”

Bootstrapping Chef on 10.175.1.21

ERROR: Failed to authenticate to [“10.175.1.21”] as domain\build_chef

Response: Bad HTTP response returned from server (401).

ERROR: Batch render command returned

On the server I am trying to bootstrap, I get this error in the security
logs:

Account For Which Logon Failed:

            Security ID:                           NULL SID

            Account Name:                    Build_Chef

            Account Domain:                 BMGUK

Failure Information:

            Failure Reason:                    An Error occured during

Logon.

            Status:                                    0xC000005E

            Sub Status:                            0x0

Detailed Authentication Information:

            Logon Process:                     NtLmSsp

            Authentication Package:    NTLM

            Transited Services:              -

            Package Name (NTLM only):              -

            Key Length:                           0

Any ideas on why this is failing? And why is it trying to use NTLM rather
than Kerberos?

The user is in the local administrators group so has access to the server.

Thanks

Tom

HBVB trading as Bauer Corporate Services (BCS) is a division of the Bauer
Media
Group the largest consumer publisher in the UK, and second largest
commercial
radio broadcaster. BCS provides financial services and manages and develops
IT
systems on which our UK publishing, broadcast, digital and partner
businesses depend.

The information in this email is intended only for the addressee(s) named
above.
Access to this email by anyone else is unauthorised. If you are not the
intended
recipient of this message any disclosure, copying, distribution or any
action
taken in reliance on it is prohibited and may be unlawful. HBVB do not
warrant that
any attachments are free from viruses or other defects and accept no
liability for
any losses resulting from infected email transmissions.

Please note that any views expressed in this email may be those of the
originator
and do not necessarily reflect those of this organisation.

HBVB is registered in England; Registered address is
1 Lincoln Court, Lincoln Road, Peterborough, PE1 2RF.

Registration number 8453545

Hi Adam,

The auth logs are from the server we are trying to bootstrap. This server is already on the domain and we can log in to it using domain accounts. The chef user is a domain account which is a member of the local admin group on the server we’re bootstrapping.

We are able to run this from the admin server:
winrs -u:domain\build_chef -p:password -r:10.175.1.21 dir
but fails when running this:
knife winrm -m 10.175.1.21 -P ‘password’ -x domain\build_chef dir

CredSSP was disabled, but enabling it in powershell and winrm doesn’t appear to have done anything.

Tensibai - we’ve tried domain\user, domain\user and user@domain (the latter doesn’t pass the domain through, the user appears as user@domain). None of these have worked either.

Thanks
Tom

From: Adam Edwards [mailto:adamed@getchef.com]
Sent: 09 April 2014 16:48
To: chef@lists.opscode.com
Subject: [chef] RE: Chef and Windows Active directory

Tom, on which machine are you getting those auth logs? On the DC, or on the server you’re truing to join to the domain?

The first thing to check is if you can issue commands via knife winrm, so rather than a bootstrap, can you issue a simple command like “echo” on the system? If not, then you probably need to enable “allow unencrypted” on your winrm listener on the remote system. To confirm one thing though: is the machine already joined to the domain and that domain user a member of the local admins group?

If that is working, then it sounds like the credentials aren’t making it off the system when talking to the DC. In that case, enabling CredSSP is required, e.g. in powershell

ls WSMan:\localhost\Service\Auth\CredSSP

If that shows false, try using set-item to set it to true.

Thanks.

-Adam

From: Deprez, Tom [mailto:tom.deprez@bauerservices.co.ukmailto:tom.deprez@bauerservices.co.uk]
Sent: Wednesday, April 9, 2014 8:10 AM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] Chef and Windows Active directory

Hi,

I’ve been bootstrapping Windows servers in a lab environment using local admin accounts and this has worked fine (bootstrap command is run from a Windows server). However, we’re now trying to integrate this into production and would like to use an AD account when bootstrapping the server. This is failing with the following error:

D:\chef-repo>knife bootstrap windows winrm 10.175.1.21 --winrm-user=“domain\build_chef” --winrm-password="password"
Bootstrapping Chef on 10.175.1.21
ERROR: Failed to authenticate to [“10.175.1.21”] as domain\build_chef
Response: Bad HTTP response returned from server (401).
ERROR: Batch render command returned

On the server I am trying to bootstrap, I get this error in the security logs:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Build_Chef
Account Domain: BMGUK

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000005E
Sub Status: 0x0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Any ideas on why this is failing? And why is it trying to use NTLM rather than Kerberos?

The user is in the local administrators group so has access to the server.

Thanks
Tom

HBVB trading as Bauer Corporate Services (BCS) is a division of the Bauer Media
Group the largest consumer publisher in the UK, and second largest commercial
radio broadcaster. BCS provides financial services and manages and develops IT
systems on which our UK publishing, broadcast, digital and partner businesses depend.

The information in this email is intended only for the addressee(s) named above.
Access to this email by anyone else is unauthorised. If you are not the intended
recipient of this message any disclosure, copying, distribution or any action
taken in reliance on it is prohibited and may be unlawful. HBVB do not warrant that
any attachments are free from viruses or other defects and accept no liability for
any losses resulting from infected email transmissions.

Please note that any views expressed in this email may be those of the originator
and do not necessarily reflect those of this organisation.

HBVB is registered in England; Registered address is
1 Lincoln Court, Lincoln Road, Peterborough, PE1 2RF.

Registration number 8453545

Tom, do you have allow_unencrypted and basic_auth set to true? You
shouldn’t need the latter unless something is strange, but just to debug,
can you see if those are set, and if not, set them and retry?

ls WSMan:\localhost\Service\Auth

Type Name SourceOfValue Value

System.String Basic GPO true

System.String Kerberos true

System.String Negotiate true

System.String Certificate false

System.String CredSSP false

System.String CbtHardeningLevel Relaxed

-Adam

From: Deprez, Tom [mailto:tom.deprez@bauerservices.co.uk]
Sent: Wednesday, April 9, 2014 9:10 AM
To: adamed@getchef.com; chef@lists.opscode.com
Subject: RE: [chef] RE: Chef and Windows Active directory

Hi Adam,

The auth logs are from the server we are trying to bootstrap. This server
is already on the domain and we can log in to it using domain accounts. The
chef user is a domain account which is a member of the local admin group on
the server we’re bootstrapping.

We are able to run this from the admin server:

winrs -u:domain\build_chef -p:password -r:10.175.1.21 dir

but fails when running this:

knife winrm -m 10.175.1.21 -P ‘password’ -x domain\build_chef dir

CredSSP was disabled, but enabling it in powershell and winrm doesn’t
appear to have done anything.

Tensibai - we’ve tried domain\user, domain\user and user@domain (the
latter doesn’t pass the domain through, the user appears as user@domain).
None of these have worked either.

Thanks

Tom

From: Adam Edwards [mailto:adamed@getchef.com adamed@getchef.com]
Sent: 09 April 2014 16:48
To: chef@lists.opscode.com
Subject: [chef] RE: Chef and Windows Active directory

Tom, on which machine are you getting those auth logs? On the DC, or on the
server you’re truing to join to the domain?

The first thing to check is if you can issue commands via knife winrm, so
rather than a bootstrap, can you issue a simple command like “echo” on the
system? If not, then you probably need to enable “allow unencrypted” on
your winrm listener on the remote system. To confirm one thing though: is
the machine already joined to the domain and that domain user a member of
the local admins group?

If that is working, then it sounds like the credentials aren’t making it
off the system when talking to the DC. In that case, enabling CredSSP is
required, e.g. in powershell

ls WSMan:\localhost\Service\Auth\CredSSP

If that shows false, try using set-item to set it to true.

Thanks.

-Adam

From: Deprez, Tom [mailto:tom.deprez@bauerservices.co.uk]
Sent: Wednesday, April 9, 2014 8:10 AM
To: chef@lists.opscode.com
Subject: [chef] Chef and Windows Active directory

Hi,

I’ve been bootstrapping Windows servers in a lab environment using local
admin accounts and this has worked fine (bootstrap command is run from a
Windows server). However, we’re now trying to integrate this into
production and would like to use an AD account when bootstrapping the
server. This is failing with the following error:

D:\chef-repo>knife bootstrap windows winrm 10.175.1.21
–winrm-user=“domain\build_chef” --winrm-password=“password”

Bootstrapping Chef on 10.175.1.21

ERROR: Failed to authenticate to [“10.175.1.21”] as domain\build_chef

Response: Bad HTTP response returned from server (401).

ERROR: Batch render command returned

On the server I am trying to bootstrap, I get this error in the security
logs:

Account For Which Logon Failed:

            Security ID:                           NULL SID

            Account Name:                    Build_Chef

            Account Domain:                 BMGUK

Failure Information:

            Failure Reason:                    An Error occured during

Logon.

            Status:                                    0xC000005E

            Sub Status:                            0x0

Detailed Authentication Information:

            Logon Process:                     NtLmSsp

            Authentication Package:    NTLM

            Transited Services:              -

            Package Name (NTLM only):              -

            Key Length:                           0

Any ideas on why this is failing? And why is it trying to use NTLM rather
than Kerberos?

The user is in the local administrators group so has access to the server.

Thanks

Tom

HBVB trading as Bauer Corporate Services (BCS) is a division of the Bauer
Media
Group the largest consumer publisher in the UK, and second largest
commercial
radio broadcaster. BCS provides financial services and manages and develops
IT
systems on which our UK publishing, broadcast, digital and partner
businesses depend.

The information in this email is intended only for the addressee(s) named
above.
Access to this email by anyone else is unauthorised. If you are not the
intended
recipient of this message any disclosure, copying, distribution or any
action
taken in reliance on it is prohibited and may be unlawful. HBVB do not
warrant that
any attachments are free from viruses or other defects and accept no
liability for
any losses resulting from infected email transmissions.

Please note that any views expressed in this email may be those of the
originator
and do not necessarily reflect those of this organisation.

HBVB is registered in England; Registered address is
1 Lincoln Court, Lincoln Road, Peterborough, PE1 2RF.

Registration number 8453545

Could you paste the result of winrm get winrm/config from the target
server ?

I would suspect the allow unencrypted parameter as Adam says before.

Hope you'll find, debuging winrm is a high PITA, but its really nice
once it works

P.S: Just to be sure, in the form user@domain, domain is the fully
qualified domain name right ?

Le 2014-04-09 18:10, Deprez, Tom a écrit :

Hi Adam,

The auth logs are from the server we are trying to bootstrap. This server is already on the domain and we can log in to it using domain accounts. The chef user is a domain account which is a member of the local admin group on the server we're bootstrapping.

We are able to run this from the admin server:

winrs -u:domainbuild_chef -p:password -r:10.175.1.21 dir

but fails when running this:

knife winrm -m 10.175.1.21 -P 'password' -x domainbuild_chef dir

CredSSP was disabled, but enabling it in powershell and winrm doesn't appear to have done anything.

Tensibai - we've tried domainuser, domain\user and user@domain (the latter doesn't pass the domain through, the user appears as user@domain). None of these have worked either.

Thanks

Tom

FROM: Adam Edwards [mailto:adamed@getchef.com]
SENT: 09 April 2014 16:48
TO: chef@lists.opscode.com
SUBJECT: [chef] RE: Chef and Windows Active directory

Tom, on which machine are you getting those auth logs? On the DC, or on the server you're truing to join to the domain?

The first thing to check is if you can issue commands via knife winrm, so rather than a bootstrap, can you issue a simple command like "echo" on the system? If not, then you probably need to enable "allow unencrypted" on your winrm listener on the remote system. To confirm one thing though: is the machine already joined to the domain and that domain user a member of the local admins group?

If that is working, then it sounds like the credentials aren't making it off the system when talking to the DC. In that case, enabling CredSSP is required, e.g. in powershell

ls WSMan:localhostServiceAuthCredSSP

If that shows false, try using set-item to set it to true.

Thanks.

-Adam

FROM: Deprez, Tom [mailto:tom.deprez@bauerservices.co.uk]
SENT: Wednesday, April 9, 2014 8:10 AM
TO: chef@lists.opscode.com
SUBJECT: [chef] Chef and Windows Active directory

Hi,

I've been bootstrapping Windows servers in a lab environment using local admin accounts and this has worked fine (bootstrap command is run from a Windows server). However, we're now trying to integrate this into production and would like to use an AD account when bootstrapping the server. This is failing with the following error:

D:chef-repo>knife bootstrap windows winrm 10.175.1.21 --winrm-user="domainbuild_chef" --winrm-password="password"

Bootstrapping Chef on 10.175.1.21

ERROR: Failed to authenticate to ["10.175.1.21"] as domainbuild_chef

Response: Bad HTTP response returned from server (401).

ERROR: Batch render command returned

On the server I am trying to bootstrap, I get this error in the security logs:

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: Build_Chef

Account Domain: BMGUK

Failure Information:

Failure Reason: An Error occured during Logon.

Status: 0xC000005E

Sub Status: 0x0

Detailed Authentication Information:

Logon Process: NtLmSsp

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

Any ideas on why this is failing? And why is it trying to use NTLM rather than Kerberos?

The user is in the local administrators group so has access to the server.

Thanks

Tom

HBVB trading as Bauer Corporate Services (BCS) is a division of the Bauer Media
Group the largest consumer publisher in the UK, and second largest commercial
radio broadcaster. BCS provides financial services and manages and develops IT
systems on which our UK publishing, broadcast, digital and partner businesses depend.

The information in this email is intended only for the addressee(s) named above.
Access to this email by anyone else is unauthorised. If you are not the intended
recipient of this message any disclosure, copying, distribution or any action
taken in reliance on it is prohibited and may be unlawful. HBVB do not warrant that
any attachments are free from viruses or other defects and accept no liability for
any losses resulting from infected email transmissions.

Please note that any views expressed in this email may be those of the originator
and do not necessarily reflect those of this organisation.

HBVB is registered in England; Registered address is
1 Lincoln Court, Lincoln Road, Peterborough, PE1 2RF.

Registration number 8453545

Hi,

Both AllowUnencrypted and basic_auth are set to true.

Winrm commands will work, it’s when using knife this seems to break. So I’m not really sure which of these we should be troubleshooting.

When using user@domain, it’s actually user@domain.groupmailto:user@domain.group we use, so yeah, it’s fully qualified.

Thanks
Tom

Results below:
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth

Type Name SourceOfValue Value

System.String Basic true
System.String Kerberos true
System.String Negotiate true
System.String Certificate false
System.String CredSSP true
System.String CbtHardeningLevel Relaxed

winrm get winrm/config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 1800000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = true
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = true
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = true
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = true
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 10
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 25
MaxMemoryPerShellMB = 1024
MaxShellsPerUser = 30

From: Tensibai [mailto:tensibai@iabis.net]
Sent: 09 April 2014 17:26
To: chef@lists.opscode.com
Subject: [chef] Re: RE: RE: Chef and Windows Active directory

Could you paste the result of winrm get winrm/config from the target server ?

I would suspect the allow unencrypted parameter as Adam says before.

Hope you’ll find, debuging winrm is a high PITA, but its really nice once it works

P.S: Just to be sure, in the form user@domain, domain is the fully qualified domain name right ?

Le 2014-04-09 18:10, Deprez, Tom a écrit :
Hi Adam,

The auth logs are from the server we are trying to bootstrap. This server is already on the domain and we can log in to it using domain accounts. The chef user is a domain account which is a member of the local admin group on the server we’re bootstrapping.

We are able to run this from the admin server:
winrs -u:domain\build_chef -p:password -r:10.175.1.21 dir
but fails when running this:
knife winrm -m 10.175.1.21 -P ‘password’ -x domain\build_chef dir

CredSSP was disabled, but enabling it in powershell and winrm doesn’t appear to have done anything.

Tensibai – we’ve tried domain\user, domain\user and user@domain (the latter doesn’t pass the domain through, the user appears as user@domain). None of these have worked either.

Thanks
Tom

From: Adam Edwards [mailto:adamed@getchef.com]
Sent: 09 April 2014 16:48
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] RE: Chef and Windows Active directory

Tom, on which machine are you getting those auth logs? On the DC, or on the server you’re truing to join to the domain?

The first thing to check is if you can issue commands via knife winrm, so rather than a bootstrap, can you issue a simple command like “echo” on the system? If not, then you probably need to enable “allow unencrypted” on your winrm listener on the remote system. To confirm one thing though: is the machine already joined to the domain and that domain user a member of the local admins group?

If that is working, then it sounds like the credentials aren’t making it off the system when talking to the DC. In that case, enabling CredSSP is required, e.g. in powershell

ls WSMan:\localhost\Service\Auth\CredSSP

If that shows false, try using set-item to set it to true.

Thanks.

-Adam

From: Deprez, Tom [mailto:tom.deprez@bauerservices.co.ukmailto:tom.deprez@bauerservices.co.uk]
Sent: Wednesday, April 9, 2014 8:10 AM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] Chef and Windows Active directory

Hi,

I’ve been bootstrapping Windows servers in a lab environment using local admin accounts and this has worked fine (bootstrap command is run from a Windows server). However, we’re now trying to integrate this into production and would like to use an AD account when bootstrapping the server. This is failing with the following error:

D:\chef-repo>knife bootstrap windows winrm 10.175.1.21 --winrm-user=“domain\build_chef” --winrm-password="password"
Bootstrapping Chef on 10.175.1.21
ERROR: Failed to authenticate to [“10.175.1.21”] as domain\build_chef
Response: Bad HTTP response returned from server (401).
ERROR: Batch render command returned

On the server I am trying to bootstrap, I get this error in the security logs:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Build_Chef
Account Domain: BMGUK

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000005E
Sub Status: 0x0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Any ideas on why this is failing? And why is it trying to use NTLM rather than Kerberos?

The user is in the local administrators group so has access to the server.

Thanks
Tom

HBVB trading as Bauer Corporate Services (BCS) is a division of the Bauer Media
Group the largest consumer publisher in the UK, and second largest commercial
radio broadcaster. BCS provides financial services and manages and develops IT
systems on which our UK publishing, broadcast, digital and partner businesses depend.

The information in this email is intended only for the addressee(s) named above.
Access to this email by anyone else is unauthorised. If you are not the intended
recipient of this message any disclosure, copying, distribution or any action
taken in reliance on it is prohibited and may be unlawful. HBVB do not warrant that
any attachments are free from viruses or other defects and accept no liability for
any losses resulting from infected email transmissions.

Please note that any views expressed in this email may be those of the originator
and do not necessarily reflect those of this organisation.

HBVB is registered in England; Registered address is
1 Lincoln Court, Lincoln Road, Peterborough, PE1 2RF.

Registration number 8453545