Tom, do you have allow_unencrypted and basic_auth set to true? You shouldn’t need the latter unless something is strange, but just to debug, can you see if those are set, and if not, set them and retry?
ls WSMan:\localhost\Service\Auth
Type Name SourceOfValue Value ---- ---- ------------- ----- System.String Basic GPO true System.String Kerberos true System.String Negotiate true System.String Certificate false System.String CredSSP false System.String CbtHardeningLevel Relaxed
-Adam
Hi Adam,
The auth logs are from the server we are trying to bootstrap. This server is already on the domain and we can log in to it using domain accounts. The chef user is a domain account which is a member of the local admin group on the server we’re bootstrapping.
We are able to run this from the admin server: winrs -u:domain\build_chef -p:password -r:10.175.1.21 dir but fails when running this: knife winrm -m 10.175.1.21 -P 'password' -x domain\build_chef dir
CredSSP was disabled, but enabling it in powershell and winrm doesn’t appear to have done anything.
Tensibai – we’ve tried domain\user, domain\\user and (the latter doesn’t pass the domain through, the user appears as ). None of these have worked either.
Thanks Tom
Tom, on which machine are you getting those auth logs? On the DC, or on the server you’re truing to join to the domain?
The first thing to check is if you can issue commands via knife winrm, so rather than a bootstrap, can you issue a simple command like “echo” on the system? If not, then you probably need to enable “allow unencrypted” on your winrm listener on the remote system. To confirm one thing though: is the machine already joined to the domain and that domain user a member of the local admins group?
If that is working, then it sounds like the credentials aren’t making it off the system when talking to the DC. In that case, enabling CredSSP is required, e.g. in powershell
ls WSMan:\localhost\Service\Auth\CredSSP
If that shows false, try using set-item to set it to true.
Thanks.
-Adam
Hi,
I’ve been bootstrapping Windows servers in a lab environment using local admin accounts and this has worked fine (bootstrap command is run from a Windows server). However, we’re now trying to integrate this into production and would like to use an AD account when bootstrapping the server. This is failing with the following error:
D:\chef-repo>knife bootstrap windows winrm 10.175.1.21 --winrm-user="domain\build_chef" --winrm-password="password" Bootstrapping Chef on 10.175.1.21 ERROR: Failed to authenticate to ["10.175.1.21"] as domain\build_chef Response: Bad HTTP response returned from server (401). ERROR: Batch render command returned
On the server I am trying to bootstrap, I get this error in the security logs: Account For Which Logon Failed: Security ID: NULL SID Account Name: Build_Chef Account Domain: BMGUK
Failure Information: Failure Reason: An Error occured during Logon. Status: 0xC000005E Sub Status: 0x0
Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0
Any ideas on why this is failing? And why is it trying to use NTLM rather than Kerberos?
The user is in the local administrators group so has access to the server.
Thanks Tom
|
Archive powered by MHonArc 2.6.16.