+

Search Tips   |   Advanced Search

Setting up a Windows Host

This document discusses the setup that is required before Ansible can communicate with a Microsoft Windows host.


Host Requirements

For Ansible to communicate to a Windows host and use Windows modules, the Windows host must meet these requirements:

While these are the base requirements for Ansible connectivity, some Ansible modules have additional requirements, such as a newer OS or PowerShell version. Please consult the module's documentation page to determine whether a host meets those requirements.


Upgrading PowerShell and .NET Framework

Ansible requires PowerShell version 3.0 and .NET Framework 4.0 or newer to function on older operating systems like Server 2008 and Windows 7. The base image does not meet this requirement. You can use the Upgrade-PowerShell.ps1 script to update these.

This is an example of how to run this script from PowerShell:

Once completed, you will need to remove auto logon and set the execution policy back to the default of Restricted. You can do this with the following PowerShell commands:

The script works by checking to see what programs need to be installed (such as .NET Framework 4.5.2) and what PowerShell version is required. If a reboot is required and the username and password parameters are set, the script will automatically reboot and logon when it comes back up from the reboot. The script will continue until no more actions are required and the PowerShell version matches the target version. If the username and password parameters are not set, the script will prompt the user to manually reboot and logon when required. When the user is next logged in, the script will continue where it left off and the process continues until no more actions are required.

If running on Server 2008, then SP2 must be installed. If running on Server 2008 R2 or Windows 7, then SP1 must be installed.

Windows Server 2008 can only install PowerShell 3.0; specifying a newer version will result in the script failing.

The username and password parameters are stored in plain text in the registry. Make sure the cleanup commands are run after the script finishes to ensure no credentials are still stored on the host.


WinRM Memory Hotfix

When running on PowerShell v3.0, there is a bug with the WinRM service that limits the amount of memory available to WinRM. Without this hotfix installed, Ansible will fail to execute certain commands on the Windows host. These hotfixes should be installed as part of the system bootstrapping or imaging process. The script Install-WMF3Hotfix.ps1 can be used to install the hotfix on affected hosts.

The following PowerShell command will install the hotfix:

For more details, please refer to the Hotfix document from Microsoft.


WinRM Setup

Once Powershell has been upgraded to at least version 3.0, the final step is for the WinRM service to be configured so that Ansible can connect to it. There are two main components of the WinRM service that governs how Ansible can interface with the Windows host: the listener and the service configuration settings.

Details about each component can be read below, but the script ConfigureRemotingForAnsible.ps1 can be used to set up the basics. This script sets up both HTTP and HTTPS listeners with a self-signed certificate and enables the Basic authentication option on the service.

To use this script, run the following in PowerShell:

There are different switches and parameters (like -EnableCredSSP and -ForceNewSSLCert) that can be set alongside this script. The documentation for these options are located at the top of the script itself.

The ConfigureRemotingForAnsible.ps1 script is intended for training and development purposes only and should not be used in a production environment, since it enables settings (like Basic authentication) that can be inherently insecure.


WinRM Listener

The WinRM services listens for requests on one or more ports. Each of these ports must have a listener created and configured.

To view the current listeners that are running on the WinRM service, run the following command:

This will output something like:

In the example above there are two listeners activated; one is listening on port 5985 over HTTP and the other is listening on port 5986 over HTTPS. Some of the key options that are useful to understand are:

Setup WinRM Listener

There are three ways to set up a WinRM listener:

When creating an HTTPS listener, an existing certificate needs to be created and stored in the LocalMachine\My certificate store. Without a certificate being present in this store, most commands will fail.

Delete WinRM Listener

To remove a WinRM listener:

The Keys object is an array of strings, so it can contain different values. By default it contains a key for Transport= and Address= which correspond to the values from winrm enumerate winrm/config/Listeners.


WinRM Service Options

There are a number of options that can be set to control the behavior of the WinRM service component, including authentication options and memory settings.

To get an output of the current service configuration options, run the following command:

This will output something like:

While many of these options should rarely be changed, a few can impact the operations over WinRM and are useful to understand. Some of the important options are:

To modify a setting under the Service key in PowerShell:

To modify a setting under the Winrs key in PowerShell:

If running in a domain environment, some of these options are set by GPO and cannot be changed on the host itself. When a key has been configured with GPO, it contains the text [Source="GPO"] next to the value.


Common WinRM Issues

Because WinRM has a wide range of configuration options, it can be difficult to setup and configure. Because of this complexity, issues that are shown by Ansible could in fact be issues with the host setup instead.

One easy way to determine whether a problem is a host issue is to run the following command from another Windows host to connect to the target Windows host:

If this fails, the issue is probably related to the WinRM setup. If it works, the issue may not be related to the WinRM setup; please continue reading for more troubleshooting suggestions.

HTTP 401/Credentials Rejected

A HTTP 401 error indicates the authentication process failed during the initial connection. Some things to check for this are:

HTTP 500 Error

These indicate an error has occurred with the WinRM service. Some things to check for include:

Timeout Errors

These usually indicate an error with the network connection where Ansible is unable to reach the host. Some things to check for include:

Connection Refused Errors

These usually indicate an error when trying to communicate with the WinRM service on the host. Some things to check for:

Sometimes an installer may restart the WinRM or HTTP service and cause this error. The best way to deal with this is to use win_psexec from another Windows host.

Failure to Load Builtin Modules

If powershell fails with an error message similar to The 'Out-String' command was found in the module 'Microsoft.PowerShell.Utility', but the module could not be loaded. then there could be a problem trying to access all the paths specified by the PSModulePath environment variable. A common cause of this issue is that the PSModulePath environment variable contains a UNC path to a file share and because of the double hop/credential delegation issue the Ansible process cannot access these folders. The way around this problems is to either:

See KB4076842 for more information on this problem.


Windows SSH Setup

Ansible 2.8 has added an experimental SSH connection for Windows managed nodes.

Warning

Use this feature at your own risk! Using SSH with Windows is experimental, the implementation may make backwards incompatible changes in feature releases. The server side components can be unreliable depending on the version that is installed.


Installing Win32-OpenSSH

The first step to using SSH with Windows is to install the Win32-OpenSSH service on the Windows host. Microsoft offers a way to install Win32-OpenSSH through a Windows capability but currently the version that is installed through this process is too old to work with Ansible. To install Win32-OpenSSH for use with Ansible, select one of these three installation options:

Win32-OpenSSH is still a beta product and is constantly being updated to include new features and bugfixes. If you are using SSH as a connection option for Windows, it is highly recommend you install the latest release from one of the 3 methods above.


Configuring the Win32-OpenSSH shell

By default Win32-OpenSSH will use cmd.exe as a shell. To configure a different shell, use an Ansible task to define the registry setting:


Win32-OpenSSH Authentication

Win32-OpenSSH authentication with Windows is similar to SSH authentication on Unix/Linux hosts. You can use a plaintext password or SSH public key authentication, add public keys to an authorized_key file in the .ssh folder of the user's profile directory, and configure the service using the sshd_config file used by the SSH service as you would on a Unix/Linux host.

When using SSH key authentication with Ansible, the remote session won't have access to the user's credentials and will fail when attempting to access a network resource. This is also known as the double-hop or credential delegation issue. There are two ways to work around this issue:


Configuring Ansible for SSH on Windows

To configure Ansible to use SSH for Windows hosts, you must set two connection variables:

The ansible_shell_type variable should reflect the DefaultShell configured on the Windows host. Set to cmd for the default shell or set to powershell if the DefaultShell has been changed to PowerShell.


Known issues with SSH on Windows

Using SSH with Windows is experimental, and we expect to uncover more issues. Here are the known ones:


See also

Intro to playbooks

An introduction to playbooks

Tips and tricks

Tips and tricks for playbooks

List of Windows Modules

Windows specific module list, all implemented in PowerShell

User Mailing List

Have a question? Stop by the google group!

irc.freenode.net

#ansible IRC chat channel

Next Previous