[chef] Re: Re: RE: RE: Re: Re: Re: RE: Knife-Windows and Domain Authentication

Chronological Thread 
  • From: Madhurranjan Mohaan < >
  • To:
  • Subject: [chef] Re: Re: RE: RE: Re: Re: Re: RE: Knife-Windows and Domain Authentication
  • Date: Tue, 25 Sep 2012 12:58:33 +0530

Hi Derek,

Great thread. 

I had a question around this. How are you automating creation of certificates on each VM ? I was wondering if adding the certificate on the base template was the way to go since I want the exact same user on all the new VMs.


On Fri, Jul 27, 2012 at 4:25 AM, Tim Green < " target="_blank"> > wrote:
Awesome work Derek!

This definitely should be added to the Opscode wiki.


On Thursday, July 26, 2012 at 4:08 PM, Derek Schultz wrote:



I’ve found the way to switch from allowing unenecrypted traffic to encrypted. First, you must have an SSL cert on the node. Just view the cert and copy the thumbprint hex values, then run the following command to create the listener over HTTPS:


winrm create winrm/config/Listener?Address=IP:<Enter your IP Address Here>+Transport=HTTPS @{Hostname="<FQDN as it appears in the certifcate>";CertificateThumbprint="<Hexidecimal thumbprint value from the correct certificate>"}


Note: you may need to remove the spaces from the thumbprint string.


Following this, I was able to bootstrap the node by specifying the HTTPS port, 5986:

knife bootstrap windows winrm 'node1.domain.com' -r 'role[webserver]' -x domain\\administrator -P ‘****’ -p 5986


To test communication with the node, again over port 5986:

knife winrm 'node1.domain.com' 'dir' -m -x domain\\administrator -P ‘****’ –p 5986


Going forward, I’ve created a batch script to configure winRM for bootstrapping our Win 2003 servers.  





From: Derek Schultz [ " target="_blank">mailto: ]
Sent: Thursday, July 26, 2012 8:01 AM
To: ' " target="_blank"> '
Subject: [chef] RE: Re: Re: Re: RE: Knife-Windows and Domain Authentication




Thanks for pointing that out, I updated the ticket as it is working now. I believe for us it was a combination of Trusted Host (removed all values) and the AllowUnencrypted set to false. Note that we didn't need to set auth Basic to true as we're using NTLM.

The question now is, how to get this working w/ UnEncrypted=”false”, now that testing is complete. From what I briefly gathered this morning, perhaps this is the setting:

Create instance of HTTPS Listener on all IPs:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOST";CertificateThumbprint="XXXXXXXXXX"}

I’ll be doing further tests to see if encrypted traffic can be allowed. I might just be overlooking something simple as I’m not keen on Windows.




From: Tim Green " target="_blank">[mailto:
Sent: Wednesday, July 25, 2012 2:04 PM
To: " target="_blank">
Subject: [chef] Re: Re: Re: RE: Knife-Windows and Domain Authentication


Thanks Paul.


I should have mentioned that my personal testing was done with a local account.  I'd be willing to bet that the culprit for those who are struggling to get domain authentication working is just the AllowUnencrypted = false parameter.  


Looking forward to hearing feedback from others.





On Wednesday, July 25, 2012 at 5:02 PM, Paul Morton - BIA wrote:

Interestingly, If you are using domain authentication, you should not need to enable basic auth. Domain authentication uses NTLM by default. If domain authentication is not working with basic off, that would be helpful to know.







I just wrestled for this for a little while, and I was able to resolve the issue by doing the following:


1.  Login to Windows 2008R2 box.

2.  Run winrm get winrm/config/service


3.  Look for the following parameters:


    AllowUnencrypted = false


        Basic = false


4.  Flip both of these to true.  Syntax for winrm is a bit painful, so let me just give you the commands to run:


   - winrm set winrm/config/service @{AllowUnencrypted="true"}

   - winrm set winrm/config/service/auth @{Basic="true"}


5.  Try running knife again, using the same syntax you showed us below.


AFAIK this should work with both versions of knife-windows that you've been working with.  I tested with 0.5.8. 


Hope this helps.





On Tuesday, July 24, 2012 at 5:28 PM, Derek Schultz wrote:

By the way, this was with version 0.5.8 of Knife-Windows. I did a gem uninstall, cloned the latest 0.5.10.rc.1 from GitHub, built and installed the gem and am still experiencing the same issue. Any ideas are welcome J




From: Derek Schultz [ " target="_blank">mailto: ]
Sent: Tuesday, July 24, 2012 11:41 AM
To: " target="_blank">
Subject: [chef] Knife-Windows and Domain Authentication




I’m having some issues with getting Chef to communicate with our Windows 2003 R2 servers. There appears to be an problem with domain auth when running `knife winrm` as noted in an open ticket: http://tickets.opscode.com/browse/KNIFE_WINDOWS-25


I’ve copied the output of the knife command below. Also, note that I CAN communicate via WinRM between 2 Windows systems without issue, so that “should” rule out improper config in WinRM.


$ knife winrm "domain.com" "dir c:/" -m -x 'domain\administrator' -P'****' -VV

DEBUG: Using configuration from /home/chef/.chef/knife.rb

DEBUG: Adding domain.com

DEBUG: :session => :init

DEBUG: :relay_to_servers => dir c:/

DEBUG: :relayed => domain.com

DEBUG: domain.com => :run_command

ERROR: Failed to authenticate to ["domain.com"] as domain\administrator

Response: Bad HTTP response returned from server (401).


Anybody experience this same issue and have a workaround? I wish I could stick solely to the Linux management, but unfortunately I need to manage the Windows side as well, thus having to endure much pain throughout the process.






Archive powered by MHonArc 2.6.16.