Knife-Windows and Domain Authentication

Derek_Schultz · July 24, 2012, 6:41pm

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm “domain.com” “dir c:/” -m -x ‘domain\administrator’ -P’****’ -VV
DEBUG: Using configuration from /home/chef/.chef/knife.rb
DEBUG: Adding domain.com
DEBUG: :session => :init
DEBUG: :relay_to_servers => dir c:/
DEBUG: :relayed => domain.com
DEBUG: domain.com => :run_command
ERROR: Failed to authenticate to [“domain.com”] as domain\administrator
Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,
Derek

Derek_Schultz · July 24, 2012, 9:28pm

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome

Cheers,
Derek
From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com
Subject: [chef] Knife-Windows and Domain Authentication

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm “domain.com” “dir c:/” -m -x ‘domain\administrator’ -P’****’ -VV
DEBUG: Using configuration from /home/chef/.chef/knife.rb
DEBUG: Adding domain.com
DEBUG: :session => :init
DEBUG: :relay_to_servers => dir c:/
DEBUG: :relayed => domain.com
DEBUG: domain.com => :run_command
ERROR: Failed to authenticate to [“domain.com”] as domain\administrator
Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,
Derek

Tim_Green · July 25, 2012, 8:59pm

Derek,

I just wrestled for this for a little while, and I was able to resolve the issue by doing the following:

Login to Windows 2008R2 box.
Run winrm get winrm/config/service
Look for the following parameters:

AllowUnencrypted = false
Auth
Basic = false
Flip both of these to true. Syntax for winrm is a bit painful, so let me just give you the commands to run:

winrm set winrm/config/service @{AllowUnencrypted="true"}
winrm set winrm/config/service/auth @{Basic="true"}

Try running knife again, using the same syntax you showed us below.

AFAIK this should work with both versions of knife-windows that you've been working with. I tested with 0.5.8.

Hope this helps.

-Tim

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome J

Cheers,

Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com (mailto:chef@lists.opscode.com)
Subject: [chef] Knife-Windows and Domain Authentication

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm "domain.com (http://domain.com)" "dir c:/" -m -x 'domain\administrator' -P'****' -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb

DEBUG: Adding domain.com (http://domain.com)

DEBUG: :session => :init

DEBUG: :relay_to_servers => dir c:/

DEBUG: :relayed => domain.com (http://domain.com)

DEBUG: domain.com (http://domain.com) => :run_command

ERROR: Failed to authenticate to ["domain.com (http://domain.com)"] as domain\administrator

Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,

Derek

Paul_Morton_BIA · July 25, 2012, 9:02pm

Interestingly, If you are using domain authentication, you should not need to enable basic auth. Domain authentication uses NTLM by default. If domain authentication is not working with basic off, that would be helpful to know.

Paul

From: Tim Green <tgreen@opscode.com mailto:tgreen@opscode.com>
Reply-To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
Subject: [chef] Re: RE: Knife-Windows and Domain Authentication

Derek,

I just wrestled for this for a little while, and I was able to resolve the issue by doing the following:

Login to Windows 2008R2 box.
Run winrm get winrm/config/service
Look for the following parameters:

AllowUnencrypted = false
Auth
Basic = false
Flip both of these to true. Syntax for winrm is a bit painful, so let me just give you the commands to run:

winrm set winrm/config/service @{AllowUnencrypted=“true”}
winrm set winrm/config/service/auth @{Basic=“true”}

Try running knife again, using the same syntax you showed us below.

AFAIK this should work with both versions of knife-windows that you’ve been working with. I tested with 0.5.8.

Hope this helps.

-Tim

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome

Cheers,

Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Knife-Windows and Domain Authentication

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm “domain.com http://domain.com” “dir c:/” -m -x ‘domain\administrator’ -P’****’ -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb

DEBUG: Adding domain.com http://domain.com

DEBUG: :session => :init

DEBUG: :relay_to_servers => dir c:/

DEBUG: :relayed => domain.com http://domain.com

DEBUG: domain.com http://domain.com => :run_command

ERROR: Failed to authenticate to [“domain.com http://domain.com”] as domain\administrator

Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,

Derek

Tim_Green · July 25, 2012, 9:04pm

Thanks Paul.

I should have mentioned that my personal testing was done with a local account. I'd be willing to bet that the culprit for those who are struggling to get domain authentication working is just the AllowUnencrypted = false parameter.

Looking forward to hearing feedback from others.

-Tim

On Wednesday, July 25, 2012 at 5:02 PM, Paul Morton - BIA wrote:

Interestingly, If you are using domain authentication, you should not need to enable basic auth. Domain authentication uses NTLM by default. If domain authentication is not working with basic off, that would be helpful to know.

Paul

From: Tim Green <tgreen@opscode.com (mailto:tgreen@opscode.com)>
Reply-To: "chef@lists.opscode.com (mailto:chef@lists.opscode.com)" <chef@lists.opscode.com (mailto:chef@lists.opscode.com)>
To: "chef@lists.opscode.com (mailto:chef@lists.opscode.com)" <chef@lists.opscode.com (mailto:chef@lists.opscode.com)>
Subject: [chef] Re: RE: Knife-Windows and Domain Authentication

Derek,

I just wrestled for this for a little while, and I was able to resolve the issue by doing the following:

Login to Windows 2008R2 box.

Run winrm get winrm/config/service

Look for the following parameters:

AllowUnencrypted = false
Auth
Basic = false

Flip both of these to true. Syntax for winrm is a bit painful, so let me just give you the commands to run:

winrm set winrm/config/service @{AllowUnencrypted="true"}

winrm set winrm/config/service/auth @{Basic="true"}

Try running knife again, using the same syntax you showed us below.

AFAIK this should work with both versions of knife-windows that you've been working with. I tested with 0.5.8.

Hope this helps.

-Tim

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome J

Cheers,

Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com (mailto:chef@lists.opscode.com)
Subject: [chef] Knife-Windows and Domain Authentication

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm "domain.com (http://domain.com)" "dir c:/" -m -x 'domain\administrator' -P'****' -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb

DEBUG: Adding domain.com (http://domain.com)

DEBUG: :session => :init

DEBUG: :relay_to_servers => dir c:/

DEBUG: :relayed => domain.com (http://domain.com)

DEBUG: domain.com (http://domain.com) => :run_command

ERROR: Failed to authenticate to ["domain.com (http://domain.com)"] as domain\administrator

Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,

Derek

Derek_Schultz · July 26, 2012, 3:01pm

Tim,

Thanks for pointing that out, I updated the ticket as it is working now. I believe for us it was a combination of Trusted Host (removed all values) and the AllowUnencrypted set to false. Note that we didn’t need to set auth Basic to true as we’re using NTLM.
The question now is, how to get this working w/ UnEncrypted=”false”, now that testing is complete. From what I briefly gathered this morning, perhaps this is the setting:
Create instance of HTTPS Listener on all IPs:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=“HOST”;CertificateThumbprint=“XXXXXXXXXX”}
I’ll be doing further tests to see if encrypted traffic can be allowed. I might just be overlooking something simple as I’m not keen on Windows.
Cheers,
Derek

From: Tim Green [mailto:tgreen@opscode.com]
Sent: Wednesday, July 25, 2012 2:04 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Re: RE: Knife-Windows and Domain Authentication

Thanks Paul.

I should have mentioned that my personal testing was done with a local account. I’d be willing to bet that the culprit for those who are struggling to get domain authentication working is just the AllowUnencrypted = false parameter.

Looking forward to hearing feedback from others.

-Tim

On Wednesday, July 25, 2012 at 5:02 PM, Paul Morton - BIA wrote:
Interestingly, If you are using domain authentication, you should not need to enable basic auth. Domain authentication uses NTLM by default. If domain authentication is not working with basic off, that would be helpful to know.

Paul

From: Tim Green <tgreen@opscode.com mailto:tgreen@opscode.com>
Reply-To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
Subject: [chef] Re: RE: Knife-Windows and Domain Authentication

Derek,

I just wrestled for this for a little while, and I was able to resolve the issue by doing the following:

Login to Windows 2008R2 box.
Run winrm get winrm/config/service
Look for the following parameters:

AllowUnencrypted = false
Auth
Basic = false
Flip both of these to true. Syntax for winrm is a bit painful, so let me just give you the commands to run:

winrm set winrm/config/service @{AllowUnencrypted=“true”}
winrm set winrm/config/service/auth @{Basic=“true”}

Try running knife again, using the same syntax you showed us below.

AFAIK this should work with both versions of knife-windows that you’ve been working with. I tested with 0.5.8.

Hope this helps.

-Tim

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome

Cheers,

Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Knife-Windows and Domain Authentication

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm “domain.com http://domain.com” “dir c:/” -m -x ‘domain\administrator’ -P’****’ -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb

DEBUG: Adding domain.com http://domain.com

DEBUG: :session => :init

DEBUG: :relay_to_servers => dir c:/

DEBUG: :relayed => domain.com http://domain.com

DEBUG: domain.com http://domain.com => :run_command

ERROR: Failed to authenticate to [“domain.com http://domain.com”] as domain\administrator

Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,

Derek

Derek_Schultz · July 26, 2012, 8:08pm

All,

I’ve found the way to switch from allowing unenecrypted traffic to encrypted. First, you must have an SSL cert on the node. Just view the cert and copy the thumbprint hex values, then run the following command to create the listener over HTTPS:

winrm create winrm/config/Listener?Address=IP:+Transport=HTTPS @{Hostname="";CertificateThumbprint=""}

Note: you may need to remove the spaces from the thumbprint string.

Following this, I was able to bootstrap the node by specifying the HTTPS port, 5986:
knife bootstrap windows winrm ‘node1.domain.com’ -r ‘role[webserver]’ -x domain\administrator -P ‘****’ -p 5986

To test communication with the node, again over port 5986:
knife winrm ‘node1.domain.com’ ‘dir’ -m -x domain\administrator -P ‘****’ –p 5986

Going forward, I’ve created a batch script to configure winRM for bootstrapping our Win 2003 servers.

Cheers,
Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Thursday, July 26, 2012 8:01 AM
To: 'chef@lists.opscode.com’
Subject: [chef] RE: Re: Re: Re: RE: Knife-Windows and Domain Authentication

Tim,

Thanks for pointing that out, I updated the ticket as it is working now. I believe for us it was a combination of Trusted Host (removed all values) and the AllowUnencrypted set to false. Note that we didn’t need to set auth Basic to true as we’re using NTLM.
The question now is, how to get this working w/ UnEncrypted=”false”, now that testing is complete. From what I briefly gathered this morning, perhaps this is the setting:
Create instance of HTTPS Listener on all IPs:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=“HOST”;CertificateThumbprint=“XXXXXXXXXX”}
I’ll be doing further tests to see if encrypted traffic can be allowed. I might just be overlooking something simple as I’m not keen on Windows.
Cheers,
Derek

From: Tim Green [mailto:tgreen@opscode.com]mailto:[mailto:tgreen@opscode.com]
Sent: Wednesday, July 25, 2012 2:04 PM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Re: Re: Re: RE: Knife-Windows and Domain Authentication

Thanks Paul.

I should have mentioned that my personal testing was done with a local account. I’d be willing to bet that the culprit for those who are struggling to get domain authentication working is just the AllowUnencrypted = false parameter.

Looking forward to hearing feedback from others.

-Tim

On Wednesday, July 25, 2012 at 5:02 PM, Paul Morton - BIA wrote:
Interestingly, If you are using domain authentication, you should not need to enable basic auth. Domain authentication uses NTLM by default. If domain authentication is not working with basic off, that would be helpful to know.

Paul

From: Tim Green <tgreen@opscode.com mailto:tgreen@opscode.com>
Reply-To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
Subject: [chef] Re: RE: Knife-Windows and Domain Authentication

Derek,

I just wrestled for this for a little while, and I was able to resolve the issue by doing the following:

Login to Windows 2008R2 box.
Run winrm get winrm/config/service
Look for the following parameters:

AllowUnencrypted = false
Auth
Basic = false
Flip both of these to true. Syntax for winrm is a bit painful, so let me just give you the commands to run:

winrm set winrm/config/service @{AllowUnencrypted=“true”}
winrm set winrm/config/service/auth @{Basic=“true”}

Try running knife again, using the same syntax you showed us below.

AFAIK this should work with both versions of knife-windows that you’ve been working with. I tested with 0.5.8.

Hope this helps.

-Tim

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome

Cheers,

Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Knife-Windows and Domain Authentication

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm “domain.com http://domain.com” “dir c:/” -m -x ‘domain\administrator’ -P’****’ -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb

DEBUG: Adding domain.com http://domain.com

DEBUG: :session => :init

DEBUG: :relay_to_servers => dir c:/

DEBUG: :relayed => domain.com http://domain.com

DEBUG: domain.com http://domain.com => :run_command

ERROR: Failed to authenticate to [“domain.com http://domain.com”] as domain\administrator

Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,

Derek

Tim_Green · July 26, 2012, 10:55pm

Awesome work Derek!

This definitely should be added to the Opscode wiki.

-Tim

On Thursday, July 26, 2012 at 4:08 PM, Derek Schultz wrote:

All,

I’ve found the way to switch from allowing unenecrypted traffic to encrypted. First, you must have an SSL cert on the node. Just view the cert and copy the thumbprint hex values, then run the following command to create the listener over HTTPS:

winrm create winrm/config/Listener?Address=IP:+Transport=HTTPS @{Hostname="";CertificateThumbprint=""}

Note: you may need to remove the spaces from the thumbprint string.

Following this, I was able to bootstrap the node by specifying the HTTPS port, 5986:

knife bootstrap windows winrm 'node1.domain.com (http://node1.domain.com)' -r 'role[webserver]' -x domain\administrator -P ‘****’ -p 5986

To test communication with the node, again over port 5986:

knife winrm 'node1.domain.com (http://node1.domain.com)' 'dir' -m -x domain\administrator -P ‘****’ –p 5986

Going forward, I’ve created a batch script to configure winRM for bootstrapping our Win 2003 servers.

Cheers,

Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Thursday, July 26, 2012 8:01 AM
To: 'chef@lists.opscode.com (mailto:chef@lists.opscode.com)'
Subject: [chef] RE: Re: Re: Re: RE: Knife-Windows and Domain Authentication

Tim,

Thanks for pointing that out, I updated the ticket as it is working now. I believe for us it was a combination of Trusted Host (removed all values) and the AllowUnencrypted set to false. Note that we didn't need to set auth Basic to true as we're using NTLM.

The question now is, how to get this working w/ UnEncrypted=”false”, now that testing is complete. From what I briefly gathered this morning, perhaps this is the setting:

Create instance of HTTPS Listener on all IPs:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOST";CertificateThumbprint="XXXXXXXXXX"}

I’ll be doing further tests to see if encrypted traffic can be allowed. I might just be overlooking something simple as I’m not keen on Windows.

Cheers,

Derek

From: Tim Green [mailto:tgreen@opscode.com] (mailto:[mailto:tgreen@opscode.com])
Sent: Wednesday, July 25, 2012 2:04 PM
To: chef@lists.opscode.com (mailto:chef@lists.opscode.com)
Subject: [chef] Re: Re: Re: RE: Knife-Windows and Domain Authentication

Thanks Paul.

I should have mentioned that my personal testing was done with a local account. I'd be willing to bet that the culprit for those who are struggling to get domain authentication working is just the AllowUnencrypted = false parameter.

Looking forward to hearing feedback from others.

-Tim

On Wednesday, July 25, 2012 at 5:02 PM, Paul Morton - BIA wrote:
Interestingly, If you are using domain authentication, you should not need to enable basic auth. Domain authentication uses NTLM by default. If domain authentication is not working with basic off, that would be helpful to know.

Paul

From: Tim Green <tgreen@opscode.com (mailto:tgreen@opscode.com)>
Reply-To: "chef@lists.opscode.com (mailto:chef@lists.opscode.com)" <chef@lists.opscode.com (mailto:chef@lists.opscode.com)>
To: "chef@lists.opscode.com (mailto:chef@lists.opscode.com)" <chef@lists.opscode.com (mailto:chef@lists.opscode.com)>
Subject: [chef] Re: RE: Knife-Windows and Domain Authentication

Derek,

I just wrestled for this for a little while, and I was able to resolve the issue by doing the following:
Login to Windows 2008R2 box.

Run winrm get winrm/config/service
Look for the following parameters:

AllowUnencrypted = false

Auth
Basic = false
Flip both of these to true. Syntax for winrm is a bit painful, so let me just give you the commands to run:
winrm set winrm/config/service @{AllowUnencrypted="true"}

winrm set winrm/config/service/auth @{Basic="true"}

Try running knife again, using the same syntax you showed us below.

AFAIK this should work with both versions of knife-windows that you've been working with. I tested with 0.5.8.

Hope this helps.

-Tim

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome J

Cheers,

Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com (mailto:chef@lists.opscode.com)
Subject: [chef] Knife-Windows and Domain Authentication

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm "domain.com (http://domain.com)" "dir c:/" -m -x 'domain\administrator' -P'****' -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb

DEBUG: Adding domain.com (http://domain.com)

DEBUG: :session => :init

DEBUG: :relay_to_servers => dir c:/

DEBUG: :relayed => domain.com (http://domain.com)

DEBUG: domain.com (http://domain.com) => :run_command

ERROR: Failed to authenticate to ["domain.com (http://domain.com)"] as domain\administrator

Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,

Derek

Madhurranjan_Mohaan · September 25, 2012, 7:28am

Hi Derek,

Great thread.

I had a question around this. How are you automating creation of
certificates on each VM ? I was wondering if adding the certificate on the
base template was the way to go since I want the exact same user on all the
new VMs.

Ranjan

On Fri, Jul 27, 2012 at 4:25 AM, Tim Green tgreen@opscode.com wrote:

Awesome work Derek!

This definitely should be added to the Opscode wiki.

-Tim

On Thursday, July 26, 2012 at 4:08 PM, Derek Schultz wrote:

All,****

I’ve found the way to switch from allowing unenecrypted traffic to
encrypted. First, you must have an SSL cert on the node. Just view the cert
and copy the thumbprint hex values, then run the following command to
create the listener over HTTPS: ****

winrm create winrm/config/Listener?Address=IP:+Transport=HTTPS @{Hostname="";CertificateThumbprint=""}****

Note: you may need to remove the spaces from the thumbprint string.****

Following this, I was able to bootstrap the node by specifying the HTTPS
port, 5986:****

knife bootstrap windows winrm 'node1.domain.com' -r 'role[webserver]' -x
domain\administrator -P ‘’ -p 5986

To test communication with the node, again over port 5986:****

knife winrm 'node1.domain.com' 'dir' -m -x domain\administrator -P
‘’ –p 5986

Going forward, I’ve created a batch script to configure winRM for
bootstrapping our Win 2003 servers. ****

Cheers,****

Derek****

From: Derek Schultz [mailto:dschultz@brinkster.com dschultz@brinkster.com]

Sent: Thursday, July 26, 2012 8:01 AM
To: 'chef@lists.opscode.com'
Subject: [chef] RE: Re: Re: Re: RE: Knife-Windows and Domain
Authentication****

Tim,****

Thanks for pointing that out, I updated the ticket as it is working now. I
believe for us it was a combination of Trusted Host (removed all values)
and the AllowUnencrypted set to false. Note that we didn't need to set auth
Basic to true as we're using NTLM.****

The question now is, how to get this working w/ UnEncrypted=”false”, now
that testing is complete. From what I briefly gathered this morning,
perhaps this is the setting: ****

Create instance of HTTPS Listener on all IPs:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS
@{Hostname="HOST";CertificateThumbprint="XXXXXXXXXX"} ****

I’ll be doing further tests to see if encrypted traffic can be allowed. I
might just be overlooking something simple as I’m not keen on Windows. ***
*

Cheers,****

Derek****

From: Tim Green [mailto:tgreen@opscode.com]
Sent: Wednesday, July 25, 2012 2:04 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Re: RE: Knife-Windows and Domain Authentication*

Thanks Paul.****

I should have mentioned that my personal testing was done with a local
account. I'd be willing to bet that the culprit for those who are
struggling to get domain authentication working is just the
AllowUnencrypted = false parameter. ****

Looking forward to hearing feedback from others.****

-Tim****

On Wednesday, July 25, 2012 at 5:02 PM, Paul Morton - BIA wrote:****

Interestingly, If you are using domain authentication, you * should* not
need to enable basic auth. Domain authentication uses NTLM by default. If
domain authentication is not working with basic off, that would be helpful
to know.****

Paul****

*From: *Tim Green tgreen@opscode.com
*Reply-To: *"chef@lists.opscode.com" chef@lists.opscode.com
To: "chef@lists.opscode.com" chef@lists.opscode.com
Subject: [chef] Re: RE: Knife-Windows and Domain Authentication

Derek, ****

I just wrestled for this for a little while, and I was able to resolve the
issue by doing the following:****

Login to Windows 2008R2 box.****

Run winrm get winrm/config/service****

Look for the following parameters:****
AllowUnencrypted = false****

Auth****

    Basic = false****
Flip both of these to true. Syntax for winrm is a bit painful, so let
me just give you the commands to run:****

winrm set winrm/config/service @{AllowUnencrypted="true"}****

winrm set winrm/config/service/auth @{Basic="true"}****

Try running knife again, using the same syntax you showed us below.***

AFAIK this should work with both versions of knife-windows that you've
been working with. I tested with 0.5.8. ****

Hope this helps.****

-Tim****

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:****

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem
uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed
the gem and am still experiencing the same issue. Any ideas are welcome J*

Cheers,****

Derek****

From: Derek Schultz [mailto:dschultz@brinkster.com dschultz@brinkster.com]

Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com
Subject: [chef] Knife-Windows and Domain Authentication****

Chefs,****

I’m having some issues with getting Chef to communicate with our Windows
2003 R2 servers. There appears to be an problem with domain auth when
running knife winrm as noted in an open ticket:
http://tickets.opscode.com/browse/KNIFE_WINDOWS-25****

I’ve copied the output of the knife command below. Also, note that I CAN
communicate via WinRM between 2 Windows systems without issue, so that
“should” rule out improper config in WinRM.****

$ knife winrm "domain.com" "dir c:/" -m -x 'domain\administrator'
-P'' -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb****

DEBUG: Adding domain.com****

DEBUG: :session => :init****

DEBUG: :relay_to_servers => dir c:/****

DEBUG: :relayed => domain.com****

DEBUG: domain.com => :run_command****

ERROR: Failed to authenticate to ["domain.com"] as domain\administrator***
*

Response: Bad HTTP response returned from server (401).****

Anybody experience this same issue and have a workaround? I wish I could
stick solely to the Linux management, but unfortunately I need to manage
the Windows side as well, thus having to endure much pain throughout the
process. ****

Cheers,****

Derek****

Derek_Schultz · September 25, 2012, 3:25pm

Ranjan,

Thanks, that’s an interesting question. In our environment the certificate we need already exists, and if for some reason it doesn’t exist on the node, I’ve had to manually import it through MMC (not ideal). I was wondering if there was a way for Chef to do the certificate import, but haven’t come up with anything, nor have I had the time to dig into this. Perhaps it can be accomplished via the PowerShell resource? Hopefully some other Chefs out there will have some ideas.

Actually, there appears to be a community cookbook out there that will do this (http://community.opscode.com/cookbooks/helios).

-Derek
From: Madhurranjan Mohaan [mailto:maadhuuranjan.m@gmail.com]
Sent: Tuesday, September 25, 2012 12:29 AM
To: chef@lists.opscode.com
Subject: [chef] Re: Re: RE: RE: Re: Re: Re: RE: Knife-Windows and Domain Authentication

Hi Derek,

Great thread.

I had a question around this. How are you automating creation of certificates on each VM ? I was wondering if adding the certificate on the base template was the way to go since I want the exact same user on all the new VMs.

Ranjan

On Fri, Jul 27, 2012 at 4:25 AM, Tim Green <tgreen@opscode.com mailto:tgreen@opscode.com> wrote:
Awesome work Derek!

This definitely should be added to the Opscode wiki.

-Tim

On Thursday, July 26, 2012 at 4:08 PM, Derek Schultz wrote:

All,

I’ve found the way to switch from allowing unenecrypted traffic to encrypted. First, you must have an SSL cert on the node. Just view the cert and copy the thumbprint hex values, then run the following command to create the listener over HTTPS:

winrm create winrm/config/Listener?Address=IP:+Transport=HTTPS @{Hostname="";CertificateThumbprint=""}

Note: you may need to remove the spaces from the thumbprint string.

Following this, I was able to bootstrap the node by specifying the HTTPS port, 5986:

knife bootstrap windows winrm ‘node1.domain.com http://node1.domain.com’ -r ‘role[webserver]’ -x domain\administrator -P ‘****’ -p 5986

To test communication with the node, again over port 5986:

knife winrm ‘node1.domain.com http://node1.domain.com’ ‘dir’ -m -x domain\administrator -P ‘****’ -p 5986

Going forward, I’ve created a batch script to configure winRM for bootstrapping our Win 2003 servers.

Cheers,

Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Thursday, July 26, 2012 8:01 AM
To: 'chef@lists.opscode.commailto:chef@lists.opscode.com’
Subject: [chef] RE: Re: Re: Re: RE: Knife-Windows and Domain Authentication

Tim,

Thanks for pointing that out, I updated the ticket as it is working now. I believe for us it was a combination of Trusted Host (removed all values) and the AllowUnencrypted set to false. Note that we didn’t need to set auth Basic to true as we’re using NTLM.

The question now is, how to get this working w/ UnEncrypted=“false”, now that testing is complete. From what I briefly gathered this morning, perhaps this is the setting:

Create instance of HTTPS Listener on all IPs:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=“HOST”;CertificateThumbprint=“XXXXXXXXXX”}

I’ll be doing further tests to see if encrypted traffic can be allowed. I might just be overlooking something simple as I’m not keen on Windows.

Cheers,

Derek

From: Tim Green [mailto:tgreen@opscode.com]mailto:[mailto:tgreen@opscode.com]
Sent: Wednesday, July 25, 2012 2:04 PM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Re: Re: Re: RE: Knife-Windows and Domain Authentication

Thanks Paul.

I should have mentioned that my personal testing was done with a local account. I’d be willing to bet that the culprit for those who are struggling to get domain authentication working is just the AllowUnencrypted = false parameter.

Looking forward to hearing feedback from others.

-Tim

On Wednesday, July 25, 2012 at 5:02 PM, Paul Morton - BIA wrote:

Interestingly, If you are using domain authentication, you should not need to enable basic auth. Domain authentication uses NTLM by default. If domain authentication is not working with basic off, that would be helpful to know.

Paul

From: Tim Green <tgreen@opscode.com mailto:tgreen@opscode.com>
Reply-To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
Subject: [chef] Re: RE: Knife-Windows and Domain Authentication

Derek,

I just wrestled for this for a little while, and I was able to resolve the issue by doing the following:

Login to Windows 2008R2 box.
Run winrm get winrm/config/service
Look for the following parameters:

AllowUnencrypted = false

Auth
```
Basic = false
```
Flip both of these to true. Syntax for winrm is a bit painful, so let me just give you the commands to run:

winrm set winrm/config/service @{AllowUnencrypted=“true”}
winrm set winrm/config/service/auth @{Basic=“true”}

Try running knife again, using the same syntax you showed us below.

AFAIK this should work with both versions of knife-windows that you’ve been working with. I tested with 0.5.8.

Hope this helps.

-Tim

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome

Cheers,

Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Knife-Windows and Domain Authentication

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm “domain.com http://domain.com” “dir c:/” -m -x ‘domain\administrator’ -P’****’ -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb

DEBUG: Adding domain.com http://domain.com

DEBUG: :session => :init

DEBUG: :relay_to_servers => dir c:/

DEBUG: :relayed => domain.com http://domain.com

DEBUG: domain.com http://domain.com => :run_command

ERROR: Failed to authenticate to [“domain.com http://domain.com”] as domain\administrator

Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,

Derek

Madhurranjan_Mohaan · September 25, 2012, 5:37pm

Thanks Derek.

I'll try this cookbook out. Seems interesting.

Ranjan.

On Tue, Sep 25, 2012 at 8:55 PM, Derek Schultz dschultz@brinkster.comwrote:

Ranjan,****

Thanks, that’s an interesting question. In our environment the certificate
we need already exists, and if for some reason it doesn’t exist on the
node, I’ve had to manually import it through MMC (not ideal). I was
wondering if there was a way for Chef to do the certificate import, but
haven’t come up with anything, nor have I had the time to dig into this.
Perhaps it can be accomplished via the PowerShell resource? Hopefully some
other Chefs out there will have some ideas.****

Actually, there appears to be a community cookbook out there that will do
this (http://community.opscode.com/cookbooks/helios). **

-Derek****

From: Madhurranjan Mohaan [mailto:maadhuuranjan.m@gmail.com]
Sent: Tuesday, September 25, 2012 12:29 AM
To: chef@lists.opscode.com
Subject: [chef] Re: Re: RE: RE: Re: Re: Re: RE: Knife-Windows and
Domain Authentication****

Hi Derek,****

Great thread. ****

I had a question around this. How are you automating creation of
certificates on each VM ? I was wondering if adding the certificate on the
base template was the way to go since I want the exact same user on all the
new VMs.****

Ranjan ****

On Fri, Jul 27, 2012 at 4:25 AM, Tim Green tgreen@opscode.com wrote:****

Awesome work Derek! ****

This definitely should be added to the Opscode wiki.****

-Tim****

On Thursday, July 26, 2012 at 4:08 PM, Derek Schultz wrote:****

All,****

I’ve found the way to switch from allowing unenecrypted traffic to
encrypted. First, you must have an SSL cert on the node. Just view the cert
and copy the thumbprint hex values, then run the following command to
create the listener over HTTPS: ****

winrm create winrm/config/Listener?Address=IP:+Transport=HTTPS @{Hostname="";CertificateThumbprint=""}****

Note: you may need to remove the spaces from the thumbprint string.****

Following this, I was able to bootstrap the node by specifying the HTTPS
port, 5986:****

knife bootstrap windows winrm 'node1.domain.com' -r 'role[webserver]' -x
domain\administrator -P ‘’ -p 5986

To test communication with the node, again over port 5986:****

knife winrm 'node1.domain.com' 'dir' -m -x domain\administrator -P
‘’ –p 5986

Going forward, I’ve created a batch script to configure winRM for
bootstrapping our Win 2003 servers. ****

Cheers,****

Derek****

From: Derek Schultz [mailto:dschultz@brinkster.com dschultz@brinkster.com]

Sent: Thursday, July 26, 2012 8:01 AM
To: 'chef@lists.opscode.com'
Subject: [chef] RE: Re: Re: Re: RE: Knife-Windows and Domain
Authentication****

Tim,****

Thanks for pointing that out, I updated the ticket as it is working now. I
believe for us it was a combination of Trusted Host (removed all values)
and the AllowUnencrypted set to false. Note that we didn't need to set auth
Basic to true as we're using NTLM.****

The question now is, how to get this working w/ UnEncrypted=”false”, now
that testing is complete. From what I briefly gathered this morning,
perhaps this is the setting: ****

Create instance of HTTPS Listener on all IPs:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS
@{Hostname="HOST";CertificateThumbprint="XXXXXXXXXX"} ****

I’ll be doing further tests to see if encrypted traffic can be allowed. I
might just be overlooking something simple as I’m not keen on Windows. ***
*

Cheers,****

Derek****

From: Tim Green [mailto:tgreen@opscode.com]
Sent: Wednesday, July 25, 2012 2:04 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Re: RE: Knife-Windows and Domain Authentication*

Thanks Paul.****

I should have mentioned that my personal testing was done with a local
account. I'd be willing to bet that the culprit for those who are
struggling to get domain authentication working is just the
AllowUnencrypted = false parameter. ****

Looking forward to hearing feedback from others.****

-Tim****

On Wednesday, July 25, 2012 at 5:02 PM, Paul Morton - BIA wrote:****

Interestingly, If you are using domain authentication, you should not
need to enable basic auth. Domain authentication uses NTLM by default. If
domain authentication is not working with basic off, that would be helpful
to know.****

Paul****

*From: *Tim Green tgreen@opscode.com
*Reply-To: *"chef@lists.opscode.com" chef@lists.opscode.com
To: "chef@lists.opscode.com" chef@lists.opscode.com
Subject: [chef] Re: RE: Knife-Windows and Domain Authentication

Derek, ****

I just wrestled for this for a little while, and I was able to resolve the
issue by doing the following:****

Login to Windows 2008R2 box.****

Run winrm get winrm/config/service****

Look for the following parameters:****
AllowUnencrypted = false****

Auth****

    Basic = false****
Flip both of these to true. Syntax for winrm is a bit painful, so let
me just give you the commands to run:****

winrm set winrm/config/service @{AllowUnencrypted="true"}****

winrm set winrm/config/service/auth @{Basic="true"}****

Try running knife again, using the same syntax you showed us below.***

AFAIK this should work with both versions of knife-windows that you've
been working with. I tested with 0.5.8. ****

Hope this helps.****

-Tim****

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:****

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem
uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed
the gem and am still experiencing the same issue. Any ideas are welcome J*

Cheers,****

Derek****

From: Derek Schultz [mailto:dschultz@brinkster.com dschultz@brinkster.com]

Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com
Subject: [chef] Knife-Windows and Domain Authentication****

Chefs,****

I’m having some issues with getting Chef to communicate with our Windows
2003 R2 servers. There appears to be an problem with domain auth when
running knife winrm as noted in an open ticket:
http://tickets.opscode.com/browse/KNIFE_WINDOWS-25****

I’ve copied the output of the knife command below. Also, note that I CAN
communicate via WinRM between 2 Windows systems without issue, so that
“should” rule out improper config in WinRM.****

$ knife winrm "domain.com" "dir c:/" -m -x 'domain\administrator'
-P'' -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb****

DEBUG: Adding domain.com****

DEBUG: :session => :init****

DEBUG: :relay_to_servers => dir c:/****

DEBUG: :relayed => domain.com****

DEBUG: domain.com => :run_command****

ERROR: Failed to authenticate to ["domain.com"] as domain\administrator***
*

Response: Bad HTTP response returned from server (401).****

Anybody experience this same issue and have a workaround? I wish I could
stick solely to the Linux management, but unfortunately I need to manage
the Windows side as well, thus having to endure much pain throughout the
process. ****

Cheers,****

Derek****

Paul_Morton_BIA · September 25, 2012, 6:03pm

Here is the onliner that veewee uses to import the oracle certificate into the trusted publishers store:

certutil -addstore -f “TrustedPublisher” C:\scripts\oracle.cer

Cheers,

Paul

On Sep 25, 2012, at 10:37 AM, Madhurranjan Mohaan <maadhuuranjan.m@gmail.com mailto:maadhuuranjan.m@gmail.com> wrote:

Thanks Derek.

I’ll try this cookbook out. Seems interesting.

Ranjan.

On Tue, Sep 25, 2012 at 8:55 PM, Derek Schultz <dschultz@brinkster.com mailto:dschultz@brinkster.com> wrote:
Ranjan,

Thanks, that’s an interesting question. In our environment the certificate we need already exists, and if for some reason it doesn’t exist on the node, I’ve had to manually import it through MMC (not ideal). I was wondering if there was a way for Chef to do the certificate import, but haven’t come up with anything, nor have I had the time to dig into this. Perhaps it can be accomplished via the PowerShell resource? Hopefully some other Chefs out there will have some ideas.

Actually, there appears to be a community cookbook out there that will do this (http://community.opscode.com/cookbooks/helios).

-Derek
From: Madhurranjan Mohaan [mailto:maadhuuranjan.m@gmail.com mailto:maadhuuranjan.m@gmail.com]
Sent: Tuesday, September 25, 2012 12:29 AM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Re: Re: RE: RE: Re: Re: Re: RE: Knife-Windows and Domain Authentication

Hi Derek,

Great thread.

I had a question around this. How are you automating creation of certificates on each VM ? I was wondering if adding the certificate on the base template was the way to go since I want the exact same user on all the new VMs.

Ranjan

On Fri, Jul 27, 2012 at 4:25 AM, Tim Green <tgreen@opscode.com mailto:tgreen@opscode.com> wrote:
Awesome work Derek!

This definitely should be added to the Opscode wiki.

-Tim

On Thursday, July 26, 2012 at 4:08 PM, Derek Schultz wrote:

All,

I’ve found the way to switch from allowing unenecrypted traffic to encrypted. First, you must have an SSL cert on the node. Just view the cert and copy the thumbprint hex values, then run the following command to create the listener over HTTPS:

winrm create winrm/config/Listener?Address=IP:+Transport=HTTPS @{Hostname="";CertificateThumbprint=""}

Note: you may need to remove the spaces from the thumbprint string.

Following this, I was able to bootstrap the node by specifying the HTTPS port, 5986:
knife bootstrap windows winrm ‘node1.domain.com http://node1.domain.com/’ -r ‘role[webserver]’ -x domain\administrator -P ‘****’ -p 5986

To test communication with the node, again over port 5986:
knife winrm ‘node1.domain.com http://node1.domain.com/’ ‘dir’ -m -x domain\administrator -P ‘****’ –p 5986

Going forward, I’ve created a batch script to configure winRM for bootstrapping our Win 2003 servers.

Cheers,
Derek

From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Thursday, July 26, 2012 8:01 AM
To: 'chef@lists.opscode.commailto:chef@lists.opscode.com’
Subject: [chef] RE: Re: Re: Re: RE: Knife-Windows and Domain Authentication

Tim,

Thanks for pointing that out, I updated the ticket as it is working now. I believe for us it was a combination of Trusted Host (removed all values) and the AllowUnencrypted set to false. Note that we didn’t need to set auth Basic to true as we’re using NTLM.
The question now is, how to get this working w/ UnEncrypted=”false”, now that testing is complete. From what I briefly gathered this morning, perhaps this is the setting:
Create instance of HTTPS Listener on all IPs:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=“HOST”;CertificateThumbprint=“XXXXXXXXXX”}
I’ll be doing further tests to see if encrypted traffic can be allowed. I might just be overlooking something simple as I’m not keen on Windows.
Cheers,
Derek

From: Tim Green [mailto:tgreen@opscode.com]mailto:[mailto:tgreen@opscode.com]
Sent: Wednesday, July 25, 2012 2:04 PM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Re: Re: Re: RE: Knife-Windows and Domain Authentication

Thanks Paul.

I should have mentioned that my personal testing was done with a local account. I’d be willing to bet that the culprit for those who are struggling to get domain authentication working is just the AllowUnencrypted = false parameter.

Looking forward to hearing feedback from others.

-Tim

On Wednesday, July 25, 2012 at 5:02 PM, Paul Morton - BIA wrote:

Interestingly, If you are using domain authentication, you should not need to enable basic auth. Domain authentication uses NTLM by default. If domain authentication is not working with basic off, that would be helpful to know.

Paul

From: Tim Green <tgreen@opscode.com mailto:tgreen@opscode.com>
Reply-To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
To: "chef@lists.opscode.com mailto:chef@lists.opscode.com" <chef@lists.opscode.com mailto:chef@lists.opscode.com>
Subject: [chef] Re: RE: Knife-Windows and Domain Authentication

Derek,

I just wrestled for this for a little while, and I was able to resolve the issue by doing the following:

Login to Windows 2008R2 box.
Run winrm get winrm/config/service
Look for the following parameters:

AllowUnencrypted = false
Auth
Basic = false
Flip both of these to true. Syntax for winrm is a bit painful, so let me just give you the commands to run:

winrm set winrm/config/service @{AllowUnencrypted=“true”}
winrm set winrm/config/service/auth @{Basic=“true”}

Try running knife again, using the same syntax you showed us below.

AFAIK this should work with both versions of knife-windows that you’ve been working with. I tested with 0.5.8.

Hope this helps.

-Tim

On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome

Cheers,
Derek
From: Derek Schultz [mailto:dschultz@brinkster.com]
Sent: Tuesday, July 24, 2012 11:41 AM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Knife-Windows and Domain Authentication

Chefs,

I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running knife winrm as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.

$ knife winrm “domain.com http://domain.com/” “dir c:/” -m -x ‘domain\administrator’ -P’****’ -VV
DEBUG: Using configuration from /home/chef/.chef/knife.rb
DEBUG: Adding domain.com http://domain.com/
DEBUG: :session => :init
DEBUG: :relay_to_servers => dir c:/
DEBUG: :relayed => domain.com http://domain.com/
DEBUG: domain.com http://domain.com/ => :run_command
ERROR: Failed to authenticate to [“domain.com http://domain.com/”] as domain\administrator
Response: Bad HTTP response returned from server (401).

Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.

Cheers,
Derek

Topic		Replies	Views
Knife winrm issue when running agains groups of servers Chef Infra (archive)	5	1088	August 9, 2016
How do you run <knife winrm> against attribute based groups Chef Infra (archive)	0	462	August 5, 2016
Can't knife winrm to Windows box? Chef Infra (archive)	7	627	November 13, 2014
Knife winrm browsing network shares Chef Infra (archive)	9	873	June 11, 2013
Knife-windows 1.0.0.rc.0 Chef Infra (archive)	0	313	June 4, 2015

Knife-Windows and Domain Authentication

Related Topics