Inspec with winrm on remote windows server


#1

Hi All,
i have enabled winrm on my both windows servers and trying to run inspec test remotely. but its failing with below error.
can you please help me?

PS E:> inspec exec .\example.rb -t winrm://TestUser@domain --password ‘Test@123’
C:/opscode/inspec/embedded/lib/ruby/gems/2.3.0/gems/winrm-2.2.3/lib/winrm/http/response_handler.rb:58:in raise_if_auth_ error': WinRM::WinRMAuthorizationError (WinRM::WinRMAuthorizationError) from C:/opscode/inspec/embedded/lib/ruby/gems/2.3.0/gems/winrm-2.2.3/lib/winrm/http/response_handler.rb:51:inr
aise_if_error’
from C:/opscode/inspec/embedded/lib/ruby/gems/2.3.0/gems/winrm-2.2.3/lib/winrm/http/response_handler.rb:36:in `p
arse_to_xml’


#2

Hi @bkeshark,

Could you also try the following way?
inspec exec .\example.rb --backend winrm --user the_user --password the_password --host the_ip_address --sudo

Do you have ChefDK installed on the node where you want to fire the inspec check from? If so could you please try the following command also?
knife wsman test -m the_ip_address


#3

Thanks @simark for your response.

I tried the suggestion given by you and got below output. issue still persist.

E:\cookbooks>knife wsman test -m xx.xx.xx.xx

WARNING: No knife configuration file found
Connected successfully to xx.xx.xx.xx at http://xx.xx.xx.xx:5985/wsman.

E:\cookbooks>inspec exec .\example.rb --backend winrm --user TestUser --password  Test@123 --host xx.xx.xx.xx --sudo
C:/opscode/chefdk/embedded/lib/ruby/gems/2.4.0/gems/winrm-2.2.3/lib/winrm/http/response_handler.rb:58:in `raise_if_auth_error': WinRM::WinRMAuthorizationError (WinRM::WinRMAuthorizationError)

#4

Since the knife wsman test worked, the network seems ok.
Could you try to fire the inspec command with the credentials of the remote node’s local administrator account?


#5

Hi @simark, even after adding TestUser on both servers in Administrators group. Still facing the same issue.

C:/opscode/chefdk/embedded/lib/ruby/gems/2.4.0/gems/winrm-2.2.3/lib/winrm/http/r
esponse_handler.rb:58:in `raise_if_auth_error': WinRM::WinRMAuthorizationError (
WinRM::WinRMAuthorizationError)

#6

Are there any special characters in the passwords for the user that requires extra quotes?
For example: https://docs.chef.io/plugin_knife_windows.html#syntax
Could you please try to use the local administrator user for checking authentication?
Also please share the output of the
inspec shell --host your_host --user Administrator --password admin_password --backend winrm
command


#7
E:>inspec shell --host xx.xx.xx.xx --user TestUser --password "Test@123" --backend winrm
Welcome to the interactive InSpec Shell
To find out how to use it, type: ☺☻help☺☻

before_session hook failed: WinRM::WinRMAuthorizationError: WinRM::WinRMAuthoriz
ationError
C:/opscode/chefdk/embedded/lib/ruby/gems/2.4.0/gems/winrm-2.2.3/lib/winrm/http/r
esponse_handler.rb:58:in `raise_if_auth_error'
inspec> y_.hooks.errors to debug)
inspec>
inspec>

#8

You still haven’t tried to authenticate with the Administrator user. Please try that.
Probably your TestUser has no valid permission to operate over WinRM


#9

Thanks @simark. But those servers are managed by Infra vendor and they do not allow Administrator user to be used.


#10

Yes, it’s worked for me.
I used the same command for inspec scan remotely execution.
PS C:> inspec exec .\scan-service.rb --backend winrm --user --password ‘XXXXX’ --host


#11

@bkeshark : What version of Windows do you use? Is your TestUser member of the following groups?

  • Remote Management Users
  • WinRMRemoteWMIUsers__

It seems to me that your user is not configured properly for remote access. There are some good sites which explain some more around the chef eco-system and WinRM written by @Matt_Wrock:

And other userful reading that explain the permissions around WinRM and the SDDLs

Hope this helps


#12

Thanks a lot @simark. This solution worked perfectly.


#13

Very glad to hear you managed to solve the issue @bkeshark .
What was missing? Wrong permission?