Inspec with winrm on remote windows server

Hi All,
i have enabled winrm on my both windows servers and trying to run inspec test remotely. but its failing with below error.
can you please help me?

PS E:> inspec exec .\example.rb -t winrm://TestUser@domain --password ‘Test@123’
C:/opscode/inspec/embedded/lib/ruby/gems/2.3.0/gems/winrm-2.2.3/lib/winrm/http/response_handler.rb:58:in raise_if_auth_ error': WinRM::WinRMAuthorizationError (WinRM::WinRMAuthorizationError) from C:/opscode/inspec/embedded/lib/ruby/gems/2.3.0/gems/winrm-2.2.3/lib/winrm/http/response_handler.rb:51:inr
aise_if_error’
from C:/opscode/inspec/embedded/lib/ruby/gems/2.3.0/gems/winrm-2.2.3/lib/winrm/http/response_handler.rb:36:in `p
arse_to_xml’

Hi @bkeshark,

Could you also try the following way?
inspec exec .\example.rb --backend winrm --user the_user --password the_password --host the_ip_address --sudo

Do you have ChefDK installed on the node where you want to fire the inspec check from? If so could you please try the following command also?
knife wsman test -m the_ip_address

Thanks @simark for your response.

I tried the suggestion given by you and got below output. issue still persist.

E:\cookbooks>knife wsman test -m xx.xx.xx.xx

WARNING: No knife configuration file found
Connected successfully to xx.xx.xx.xx at http://xx.xx.xx.xx:5985/wsman.

E:\cookbooks>inspec exec .\example.rb --backend winrm --user TestUser --password  Test@123 --host xx.xx.xx.xx --sudo
C:/opscode/chefdk/embedded/lib/ruby/gems/2.4.0/gems/winrm-2.2.3/lib/winrm/http/response_handler.rb:58:in `raise_if_auth_error': WinRM::WinRMAuthorizationError (WinRM::WinRMAuthorizationError)

Since the knife wsman test worked, the network seems ok.
Could you try to fire the inspec command with the credentials of the remote node’s local administrator account?

Hi @simark, even after adding TestUser on both servers in Administrators group. Still facing the same issue.

C:/opscode/chefdk/embedded/lib/ruby/gems/2.4.0/gems/winrm-2.2.3/lib/winrm/http/r
esponse_handler.rb:58:in `raise_if_auth_error': WinRM::WinRMAuthorizationError (
WinRM::WinRMAuthorizationError)

Are there any special characters in the passwords for the user that requires extra quotes?
For example: https://docs.chef.io/plugin_knife_windows.html#syntax
Could you please try to use the local administrator user for checking authentication?
Also please share the output of the
inspec shell --host your_host --user Administrator --password admin_password --backend winrm
command

E:>inspec shell --host xx.xx.xx.xx --user TestUser --password "Test@123" --backend winrm
Welcome to the interactive InSpec Shell
To find out how to use it, type: ☺☻help☺☻

before_session hook failed: WinRM::WinRMAuthorizationError: WinRM::WinRMAuthoriz
ationError
C:/opscode/chefdk/embedded/lib/ruby/gems/2.4.0/gems/winrm-2.2.3/lib/winrm/http/r
esponse_handler.rb:58:in `raise_if_auth_error'
inspec> y_.hooks.errors to debug)
inspec>
inspec>

You still haven’t tried to authenticate with the Administrator user. Please try that.
Probably your TestUser has no valid permission to operate over WinRM

Thanks @simark. But those servers are managed by Infra vendor and they do not allow Administrator user to be used.

Yes, it’s worked for me.
I used the same command for inspec scan remotely execution.
PS C:> inspec exec .\scan-service.rb --backend winrm --user --password ‘XXXXX’ --host

@bkeshark : What version of Windows do you use? Is your TestUser member of the following groups?

• Remote Management Users
• WinRMRemoteWMIUsers__

It seems to me that your user is not configured properly for remote access. There are some good sites which explain some more around the chef eco-system and WinRM written by @Matt_Wrock:

• Understanding and troubleshooting WinRM connection and authentication
• Safely running Windows automation operations that typically fail over WinRM or PowerShell remoting

And other userful reading that explain the permissions around WinRM and the SDDLs

• Enabling remote WMI and PowerShell access over WinRM for non-administrators

Hope this helps

Thanks a lot @simark. This solution worked perfectly.

Very glad to hear you managed to solve the issue @bkeshark .
What was missing? Wrong permission?

Yes, local user was not added in below groups.

Remote Management Users
WinRMRemoteWMIUsers__

Hi,

I am also facing same issue, tried all steps mentioned above.Only difference is WinRM is running on secure port(5986).

inspec exec test.rb --host 10.X.X.X --user TestUser --password Test@123 --backend winrm --ssl --self-signed
/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/train-1.4.37/lib/train/platforms/detect/helpers/os_windows.rb:102:in `windows_uuid_from_chef': undefined method `zero?' for nil:NilClass (NoMethodError)
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/train-1.4.37/lib/train/platforms/detect/helpers/os_windows.rb:81:in `windows_uuid'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/train-1.4.37/lib/train/platforms/detect/uuid.rb:23:in `find_or_create_uuid'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/train-1.4.37/lib/train/platforms/platform.rb:53:in `uuid'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/train-1.4.37/lib/train/platforms/platform.rb:60:in `[]'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-2.2.112/lib/resources/platform.rb:41:in `[]'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-2.2.112/lib/inspec/formatters/base.rb:190:in `platform'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-2.2.112/lib/inspec/formatters/base.rb:72:in `stop'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.7.1/lib/rspec/core/reporter.rb:206:in `block in notify'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.7.1/lib/rspec/core/reporter.rb:205:in `each'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.7.1/lib/rspec/core/reporter.rb:205:in `notify'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.7.1/lib/rspec/core/reporter.rb:199:in `stop'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.7.1/lib/rspec/core/reporter.rb:172:in `block in finish'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.7.1/lib/rspec/core/reporter.rb:191:in `close_after'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.7.1/lib/rspec/core/reporter.rb:171:in `finish'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.7.1/lib/rspec/core/reporter.rb:81:in `report'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.7.1/lib/rspec/core/runner.rb:112:in `run_specs'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-2.2.112/lib/inspec/runner_rspec.rb:77:in `run'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-2.2.112/lib/inspec/runner.rb:132:in `run_tests'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-2.2.112/lib/inspec/runner.rb:103:in `run'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-2.2.112/lib/inspec/cli.rb:184:in `exec'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
	from /opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-2.2.112/bin/inspec:12:in `<top (required)>'
	from /bin/inspec:293:in `load'
	from /bin/inspec:293:in `<main>'

I have a question regarding the config/setup in Jenkins of a Inspec exec winrm...
My test works on my local machine when executing the cookbook.
inspec exec cookbook.rb --backend winrm --user 'username' --password 'password' --host 'host1.domain.com'

Does anyone know how I can implement the same process from Jenkins?
Does one need to setup a pipeline job and how do you pass your credentials to connect to the remote host to execute the test?