Kerberos, delegation, and Active Directory - Stack Overflow

Situation:

ansible (managed by AWX) <-winRM-> management host <-ADWS-> Active directory

Currently I use credssp as authentication mechanism between Ansible and the management host, and I can run modules that access the Active Directory just fine (the ADSI and Get-ADUser commands below work and give the correct results).

As a test, I am following .md to enable Kerberos authentication. Everything works fine, I see that kinit is called, and the connection is made with Kerberos.

I had a problem with accessing a share, but that was solved with Get-ADComputer 'managementserver' | Set-ADComputer -PrincipalsAllowedToDelegateToAccount (Get-ADComputer shareserver) (.5)

But I can't access Active Directory when authenticated with Kerberos.

ADSI error:

  # Bind to the OU via ADSI and force a property read; on failure, log the
  # object, the full error record, the message and the stack trace.
  try {
    $ADObject = [ADSI]"LDAP://$OU"
    $ADObject.distinguishedname[0] | Out-Null   # the property access is what triggers the LDAP bind
    return
  }
  catch {
    $ADObject | Out-File $inputPath\log.txt -Append
    $Error[0] | Format-List * -Force | Out-File $inputPath\log.txt -Append
    $Error[0].Exception.Message | Out-File $inputPath\log.txt -Append
    $Error[0].StackTrace | Out-File $inputPath\log.txt -Append
  }

This results in the following failure in Ansible:

The following exception occurred while retrieving member \"distinguishedName\": \"An operations error occurred.\r\n\""

And when I actually try to get a user:

$ADUsers = Get-ADUser -SearchBase $baseOU -LDAPFilter '(employeeNumber=*)' -Properties *

this results in:

Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
At line:28 char:13
+ $allusers = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter " ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 28

Microsoft.ActiveDirectory.Management.ADServerDownException: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running. ---> System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:59.9897144'. ---> System.IO.IOException: The read operation failed, see inner exception. ---> System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:59.9897144'. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)
   at System.ServiceModel.Channels.SocketConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
   at System.ServiceModel.Channels.DelegatingConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.NegotiateStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.NegotiateStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   --- End of inner exception stack trace ---
   at System.Net.Security.NegotiateStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.NegotiateStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at System.ServiceModel.Channels.StreamConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Channels.StreamConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.ActiveDirectory.WebServices.Proxy.Resource.Get(Message request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.InitializeForAutoReconnect[TChannel](Boolean& isAutoReconnecting, TChannel& channel, ChannelFactory`1& chFactory, String endpointName, CommunicationException& commException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.Search(ADSearchRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Search(ADSessionHandle handle, ADSearchRequest request)
   at Microsoft.ActiveDirectory.Management.ADObjectSearcher.GetRootDSE()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetRootDSE()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetConnectedStore()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetCmdletSessionInfo()
   at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.ADGetCmdletBaseBeginCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing()

I assume that the problem is delegation-related but I can't find out what I have to change to get this to work. I already tried to set the computer object of the management server to Trust this computer for delegation to any service (Kerberos only), and added both domain controllers to the PrincipalsAllowedToDelegateToAccount setting, but that didn't help.

So I'm missing something.

Searching for 'ADWS kerberos multi-hop' and various variations returned zero results.

Anyone who knows what I am obviously missing?

Joost
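
Added diagnostic, not part of Joost's question and not code from Ansible or Microsoft. It splits the problem into the three things the question conflates: whether the WinRM session on the management host actually holds a delegable Kerberos credential, whether ADWS is reachable at all, and what delegation the directory currently grants to the management host and to the domain controllers (the two settings the question changed). The host names 'dc01.example.internal' and 'managementserver' are placeholders; the second function assumes the ActiveDirectory module on a console where the AD cmdlets already work, because the session under test cannot reach ADWS and so cannot audit itself.

```powershell
# Added diagnostic; not code from the question, from Ansible or from Microsoft.
# Placeholders: 'dc01.example.internal' and 'managementserver'. Assumes the
# ActiveDirectory module on the console that runs Get-DelegationAudit.

function Test-SessionKerberosState {
    # Run INSIDE the Ansible-managed WinRM session on the management host.
    param([Parameter(Mandatory)][string]$DomainController)

    $result = [ordered]@{}

    # Split klist output into per-ticket blocks ("#0>", "#1>", ...) and pick
    # the TGT. A WinRM session that received no delegated credential shows no
    # krbtgt ticket; a delegated one shows it with the 'forwardable' flag.
    $klist   = klist 2>&1 | Out-String
    $tickets = $klist -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:' }
    $tgt     = $tickets | Where-Object { $_ -match 'Server:\s+krbtgt/' } | Select-Object -First 1
    $result.HasTgt         = [bool]$tgt
    $result.TgtForwardable = [bool]($tgt -and ($tgt -match 'Ticket Flags[^\r\n]*\bforwardable\b'))

    # Reachability of ADWS (TCP 9389) does not depend on authentication, so it
    # separates a network problem from a failed Kerberos second hop.
    $tcp = Test-NetConnection -ComputerName $DomainController -Port 9389 -WarningAction SilentlyContinue
    $result.AdwsPortOpen = [bool]$tcp.TcpTestSucceeded

    # Same probe as the question's ADSI snippet, but against the domain head
    # (not RootDSE, which is readable without a bind). "An operations error
    # occurred" here means the bind carried no usable credential: the
    # double-hop symptom.
    try {
        $domain = [ADSI]"LDAP://$DomainController"
        $null = $domain.distinguishedName      # property access triggers the bind
        $result.LdapBindOk = $true
        $result.LdapError  = $null
    }
    catch {
        $result.LdapBindOk = $false
        $result.LdapError  = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Get-DelegationAudit {
    # Run from an admin console where Get-ADComputer already works.
    param([Parameter(Mandatory)][string]$ManagementHost)

    Import-Module ActiveDirectory -ErrorAction Stop

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount'
    $mgmt = Get-ADComputer -Identity $ManagementHost -Properties $props

    # Resource-based constrained delegation entries on the DC accounts. Any
    # principal listed here may obtain tickets to that DC on behalf of other
    # (non-protected) users, so this list should be empty or deliberately
    # justified and reviewed.
    $dcRbcd = foreach ($dc in Get-ADDomainController -Filter *) {
        $obj = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties PrincipalsAllowedToDelegateToAccount
        [pscustomobject]@{
            DomainController                     = $dc.HostName
            PrincipalsAllowedToDelegateToAccount = @($obj.PrincipalsAllowedToDelegateToAccount)
        }
    }

    [pscustomobject]@{
        ManagementHost           = $mgmt.Name
        # TrustedForDelegation is the "Trust this computer for delegation to
        # any service" setting; true means unconstrained delegation.
        UnconstrainedDelegation  = [bool]$mgmt.TrustedForDelegation
        # TrustedToAuthForDelegation is "use any authentication protocol"
        # (protocol transition) on a constrained-delegation configuration.
        ProtocolTransition       = [bool]$mgmt.TrustedToAuthForDelegation
        ConstrainedTargets       = @($mgmt.'msDS-AllowedToDelegateTo')
        AllowedToDelegateToIt    = @($mgmt.PrincipalsAllowedToDelegateToAccount)
        DomainControllerRbcd     = $dcRbcd
    }
}

# Usage:
#   inside the Ansible session:  Test-SessionKerberosState -DomainController 'dc01.example.internal'
#   from an admin console:       Get-DelegationAudit -ManagementHost 'managementserver'
```

Reading the first result: AdwsPortOpen true together with LdapBindOk false points at authentication rather than the network, and HasTgt false means the WinRM client forwarded no ticket to the management host at all. With the Ansible Kerberos transport that forwarding is a client-side choice (the `ansible_winrm_kerberos_delegation` connection variable, which needs a forwardable TGT, i.e. `kinit -f`), whereas CredSSP hands the host the full credential, which is why the CredSSP setup works without any directory-side delegation. The second result shows exactly which delegation rights the management host and the DCs currently carry; unconstrained delegation on the host and RBCD entries on DC accounts both let that host act as other users against the DC, so once the actual cause is found they are worth reducing to the narrowest setting that still works.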