[chef] RE: RE: Chef and Windows Active directory


  • From: "Deprez, Tom" < >
  • To: " " < >, " " < >
  • Subject: [chef] RE: RE: Chef and Windows Active directory
  • Date: Wed, 9 Apr 2014 16:10:17 +0000
  • Accept-language: en-GB, en-US

Hi Adam,

 

The auth logs are from the server we are trying to bootstrap. This server is already on the domain and we can log in to it using domain accounts. The chef user is a domain account which is a member of the local admin group on the server we’re bootstrapping.

 

We are able to run this from the admin server:

winrs -u:domain\build_chef -p:password -r:10.175.1.21  dir

but fails when running this:

knife winrm -m 10.175.1.21 -P 'password' -x domain\build_chef dir

 

CredSSP was disabled, but enabling it in powershell and winrm doesn’t appear to have done anything.

 

Tensibai – we’ve tried domain\user, domain\\user and (the latter doesn’t pass the domain through, the user appears as ). None of these have worked either.

 

Thanks

Tom

 

From: Adam Edwards
Sent: 09 April 2014 16:48
Subject: [chef] RE: Chef and Windows Active directory

 

Tom, on which machine are you getting those auth logs? On the DC, or on the server you’re trying to join to the domain?

 

The first thing to check is if you can issue commands via knife winrm, so rather than a bootstrap, can you issue a simple command like “echo” on the system? If not, then you probably need to enable “allow unencrypted” on your winrm listener on the remote system. To confirm one thing though: is the machine already joined to the domain and that domain user a member of the local admins group?

 

If that is working, then it sounds like the credentials aren’t making it off the system when talking to the DC. In that case, enabling CredSSP is required, e.g. in powershell

 

ls WSMan:\localhost\Service\Auth\CredSSP

 

If that shows false, try using set-item to set it to true.

 

Thanks.

 

-Adam
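The checks Adam describes (the WinRM service auth settings, CredSSP, "allow unencrypted") and the security-log failure Tom quoted, pulled together as an added PowerShell example that is not part of the thread. The placeholders $target, the account name and the use of Test-WSMan for the probe are my assumptions; the commands themselves are standard WSMan cmdlets.

```powershell
# Added example (not from the thread). Part 1 runs in an elevated PowerShell on the
# server being bootstrapped (10.175.1.21 in the thread); Part 2 runs on the admin
# server where knife is executed. Account and host names are placeholders.

# --- Part 1: on the target server ---
# Service-side authentication settings; CredSSP must be 'true' before the WinRM
# session can forward the domain credential on to the DC (the double hop).
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value | Format-Table -AutoSize

if ((Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -ne 'true') {
    # Same effect as Set-Item WSMan:\localhost\Service\Auth\CredSSP -Value $true,
    # but also registers the CredSSP server role.
    Enable-WSManCredSSP -Role Server -Force
}

# AllowUnencrypted permits plaintext HTTP WinRM sessions; keep it 'false' unless the
# listener is HTTPS and a plain-HTTP client has been confirmed to need it.
(Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value

# Recent logon failures (event 4625) for the bootstrap account, showing the NTSTATUS
# and package from the event text. 0xC000005E is STATUS_NO_LOGON_SERVERS: the server
# could not reach a DC to validate the NTLM credential it was handed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 200 |
    Where-Object { $_.Message -match 'Build_Chef' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Status  = [regex]::Match($_.Message, '(?m)^\s*Status:\s+(0x[0-9A-Fa-f]+)').Groups[1].Value
            Package = [regex]::Match($_.Message, 'Authentication Package:\s+(\S+)').Groups[1].Value
        }
    }

# --- Part 2: on the admin server where knife runs ---
$target = '10.175.1.21'                       # placeholder for the server to bootstrap
$cred   = Get-Credential 'domain\build_chef'  # placeholder domain account
# Allow this client to delegate the fresh credential to the target only.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force

# Negotiate should succeed once the target can reach a DC; CredSSP is the mechanism
# knife winrm needs when the session must carry the domain credential further.
Test-WSMan -ComputerName $target -Authentication Negotiate -Credential $cred
Test-WSMan -ComputerName $target -Authentication Credssp  -Credential $cred
```

If the Negotiate probe fails while the winrs command from the thread succeeds, compare the two on the wire: winrs negotiates Kerberos with a hostname, whereas an IP address in the knife command forces NTLM, which is what the quoted 4625 event shows.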


From: Deprez, Tom
Sent: Wednesday, April 9, 2014 8:10 AM
Subject: [chef] Chef and Windows Active directory

 

Hi,

 

I’ve been bootstrapping Windows servers in a lab environment using local admin accounts and this has worked fine (bootstrap command is run from a Windows server). However, we’re now trying to integrate this into production and would like to use an AD account when bootstrapping the server. This is failing with the following error:

 

D:\chef-repo>knife bootstrap windows winrm 10.175.1.21 --winrm-user="domain\build_chef" --winrm-password="password"

Bootstrapping Chef on 10.175.1.21

ERROR: Failed to authenticate to ["10.175.1.21"] as domain\build_chef

Response: Bad HTTP response returned from server (401).

ERROR: Batch render command returned

 

On the server I am trying to bootstrap, I get this error in the security logs:

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Build_Chef
    Account Domain:     BMGUK

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:             0xC000005E
    Sub Status:         0x0

Detailed Authentication Information:
    Logon Process:              NtLmSsp
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0

Any ideas on why this is failing? And why is it trying to use NTLM rather than Kerberos?

 

The user is in the local administrators group so has access to the server.

 

Thanks

Tom
