Knife-windows: Can't authenticate


#1

Hello. I’m working on trying to get some tests completed using chef and the knife-windows plugin. I’m hoping to be able to prove out using chef to replace our deployment tooling as well as doing the usual infrastructure automation. The issue I’m running into is that while I can issue remote commands directly to another Windows machine via winrs, I cannot issue the same command using the knife-windows plugin. There is an existing ticket on this issue, which I have added my comments to:

http://tickets.opscode.com/browse/KNIFE_WINDOWS-25

I’m happy to work with the devs (in person is ok…I’m about 2 blocks from the Opscode office) in getting this solved.

Thanks!

-Pete


#2

Peter,

Maybe you could provide the output to the following command on the host you’re trying to connect to?

winrm get winrm/config/service

I see from the ticket that you’re not able to run it unencrypted, but it might be a good idea to try and make this work first.

-Tim



#3

Output below. For now I have enabled Basic auth as well as allowing unencrypted connections.

Thanks.

-Pete

    PS C:\Windows\system32> winrm get winrm/config/service
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 15
        EnumerationTimeoutms = 60000
        MaxConnections = 25
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint

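
The service settings posted above enable Basic auth and unencrypted traffic for testing. The following Ruby script is an added example, not part of the thread or of knife-windows. It parses `winrm get winrm/config/service` output and lists the settings that should be reverted once testing is done. The rule list and the `REVERTED` sample are assumptions of the example.

```ruby
# Added example, not from the thread; the rules and REVERTED sample are its own.
RULES = [
  ["AllowUnencrypted", ->(v) { v.casecmp?("true") },
   "the service accepts unencrypted message traffic"],
  ["Basic", ->(v) { v.casecmp?("true") },
   "Basic auth sends the password base64-encoded, not encrypted"],
  ["CbtHardeningLevel", ->(v) { !v.casecmp?("Strict") },
   "requests without a channel binding token are accepted"],
  ["CredSSP", ->(v) { v.casecmp?("true") },
   "CredSSP delegates the user's credentials to the remote host"],
].freeze

# Parse "Key = value" lines into a flat hash. Section headers (Service, Auth,
# DefaultPorts) have no "=" and are skipped, so flattened pastes work too.
def parse_winrm_config(text)
  text.each_line.with_object({}) do |line, cfg|
    key, value = line.strip.split(/\s*=\s*/, 2)
    token = value.to_s[/\A\S+/] # first word only: drops [Source="GPO"] suffixes
    cfg[key] = token if token
  end
end

# Return one finding string per rule that matches the parsed settings.
def audit_winrm_service(text)
  cfg = parse_winrm_config(text)
  RULES.each_with_object([]) do |(key, risky, why), findings|
    findings << "#{key} = #{cfg[key]}: #{why}" if cfg.key?(key) && risky.call(cfg[key])
  end
end

# Settings as posted in the thread (trimmed to the relevant lines).
POSTED = <<~'TXT'
  Service
  AllowUnencrypted = true
  Auth
  Basic = true
  CredSSP = false
  CbtHardeningLevel = Relaxed
TXT

# Constructed sample: the same service after the test settings are reverted.
REVERTED = <<~'TXT'
  AllowUnencrypted = false [Source="GPO"]
  Basic = false
  CredSSP = false
  CbtHardeningLevel = Strict
TXT

puts audit_winrm_service(POSTED)
```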


#4

I noticed in your knife args (again, going back to KNIFE-25) that you used -p 5986. Did you try changing to 5985 when you tested unencrypted auth settings?

Also, did you try separating the domain\user with domain\\user instead? I think if you don’t have ‘\\’ as the separator the plugin might use the wrong code path for authentication.

-Tim



#5

Yeah, I was using 5985 before I got the HTTPS endpoint set up. No difference.

When I put two backslashes in the username, it does not change the outcome. I do see that the output from the knife command shows both backslashes in the “failed to authenticate as” line.

-Pete



#6

If you haven’t already tried it, why not create a local administrator account and see if you can use the plugin with this?

-Tim
