The first thing to check is if you can issue commands via knife winrm, so rather than a bootstrap, can you issue a simple command like “echo” on the system? If not, then you probably need to enable “allow unencrypted” on your winrm listener on the remote system. To confirm one thing though: is the machine already joined to the domain, and is that domain user a member of the local admins group?
If that is working, then it sounds like the credentials aren’t making it off the system when talking to the DC. In that case, enabling CredSSP is required, e.g. in PowerShell:
ls WSMan:\localhost\Service\Auth\CredSSP
If that shows false, try using set-item to set it to true.
Thanks.
-Adam
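A read-only check of the WinRM service settings named in the reply above, as an added example that is not part of the original messages. The function name Get-WinRMAuthAudit and the wording of the notes are assumptions; the Basic, Kerberos and Negotiate entries are included for context alongside the two settings the reply mentions.

```powershell
# Read-only audit of the local WinRM service settings discussed in this thread.
# Run in an elevated PowerShell session on the server being bootstrapped.
# Get-WinRMAuthAudit is a hypothetical helper name, not a built-in cmdlet.
function Get-WinRMAuthAudit {
    $base = 'WSMan:\localhost\Service'
    $paths = [ordered]@{
        AllowUnencrypted = "$base\AllowUnencrypted"
        Basic            = "$base\Auth\Basic"
        Kerberos         = "$base\Auth\Kerberos"
        Negotiate        = "$base\Auth\Negotiate"
        CredSSP          = "$base\Auth\CredSSP"
    }
    # Settings whose "true" value widens exposure and should be a deliberate choice.
    $risky = @{
        AllowUnencrypted = 'WinRM traffic is accepted without message encryption'
        Basic            = 'credentials are only base64-encoded; use over HTTPS only'
        CredSSP          = 'the caller''s credentials are delegated to this server'
    }
    foreach ($name in $paths.Keys) {
        # The WSMan: provider returns a leaf element whose Value is the string 'true' or 'false'.
        $item = Get-Item -Path $paths[$name] -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Setting = $name; Value = 'unavailable'; Note = 'could not read setting (WinRM service stopped or session not elevated)' }
            continue
        }
        $enabled = ($item.Value -eq 'true')
        $note = if ($enabled -and $risky.ContainsKey($name)) { $risky[$name] } else { '' }
        [pscustomobject]@{ Setting = $name; Value = $item.Value; Note = $note }
    }
}

Get-WinRMAuthAudit | Format-Table -AutoSize
```

The script changes nothing; any row with a non-empty Note is a setting that was turned on and should be reviewed once troubleshooting is finished.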
Hi,
I’ve been bootstrapping Windows servers in a lab environment using local admin accounts and this has worked fine (bootstrap command is run from a Windows server). However, we’re now trying to integrate this into production and would like to use an AD account when bootstrapping the server. This is failing with the following error:
D:\chef-repo>knife bootstrap windows winrm 10.175.1.21 --winrm-user="domain\build_chef" --winrm-password="password"
Bootstrapping Chef on 10.175.1.21
ERROR: Failed to authenticate to ["10.175.1.21"] as domain\build_chef
Response: Bad HTTP response returned from server (401).
ERROR: Batch render command returned
On the server I am trying to bootstrap, I get this error in the security logs:
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Build_Chef
    Account Domain: BMGUK
Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xC000005E
    Sub Status: 0x0
Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
Any ideas on why this is failing? And why is it trying to use NTLM rather than Kerberos?
The user is in the local administrators group so has access to the server.
Thanks,
Tom