Kerberos & Channel Binding Token (CBT). #161

Closed
romanponomarev opened this issue Mar 17, 2017 · 5 comments
Comments

@romanponomarev

Hi,

after enabling Channel Binding Token via domain policy (CbtHardeningLevel = Strict):

```
PS C:\windows\system32> winrm get winrm/config/service/auth
Auth
    Basic = false [Source="GPO"]
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Strict [Source="GPO"]
```

I get this error:

```
<server-name.example.com> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
  File "build/bdist.linux-x86_64/egg/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "build/bdist.linux-x86_64/egg/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "build/bdist.linux-x86_64/egg/winrm/transport.py", line 179, in send_message
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
InvalidCredentialsError: the specified credentials were rejected by the server

server-name.example.com | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: the specified credentials were rejected by the server",
    "unreachable": true
}
```

ansible (2.2.1.0), pywinrm (0.2.1), pykerberos (1.1.13) and requests-kerberos (0.10.0) are installed on the Ansible Linux host.

Ansible connection parameters:

```
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_service: https
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: kerberos
```

Unfortunately we can't use NTLM instead of Kerberos because of internal security requirements.

How can I resolve this problem using Kerberos authorisation only?

@MaksimEfimov

Have the same trouble.

@dragichv

Did not find the right answer! I have the same problem.

@jborean93
Collaborator

I haven't fully tested this, but it will probably require a change in the pykerberos and requests-kerberos libraries to handle this, as it isn't a WinRM issue but rather an auth mechanism issue, which isn't under the scope of pywinrm. I had to go through this process for NTLM, as the original libraries didn't support this and it required a change for them to do so. Feel free to raise some PRs to get this through, as it would be a worthwhile addition to have; I know my organisation has CBT set to strict and we just went the NTLMv2 route.
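The auth-mechanism work referred to above is, concretely, presenting the RFC 5929 `tls-server-end-point` channel binding inside the Kerberos/GSSAPI exchange, so the server can tie the authentication to the TLS session it arrived on (this is what `CbtHardeningLevel = Strict` enforces; a client that omits it is rejected exactly as in the traceback). The following example, added here and not code from pywinrm, pykerberos or requests-kerberos, computes that binding from a DER certificate: it extracts the certificate's signature algorithm OID with a minimal DER walker, applies the RFC 5929 rule that MD5 and SHA-1 signatures are hashed with SHA-256 while stronger algorithms use their own hash, and frames the result as the GSS channel-binding application data. The certificate bytes in the block are a constructed skeleton (a SEQUENCE with a dummy tbsCertificate and signature), not a real X.509 certificate; the OID table is an assumption limited to the common RSA/ECDSA/DSA algorithms.

```python
"""RFC 5929 'tls-server-end-point' channel binding for Kerberos/GSSAPI clients.
Example added for this thread; not part of pywinrm, pykerberos or requests-kerberos."""
import hashlib

# Certificate signature-algorithm OID -> hash used for the binding (assumed table).
# RFC 5929 s4.1: MD5 and SHA-1 signatures use SHA-256; others use their own hash.
_SIG_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption   -> sha256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption  -> sha256
    "1.2.840.10040.4.3": "sha256",      # dsa-with-sha1          -> sha256
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1        -> sha256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der_cert):
    """Extract Certificate.signatureAlgorithm.algorithm from a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE
                               { algorithm OID, parameters ANY }, signature BIT STRING }
    """
    tag, start, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tag, _, tbs_end = _read_tlv(der_cert, start)          # skip tbsCertificate
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, alg_start, _ = _read_tlv(der_cert, tbs_end)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der_cert, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der_cert[oid_start:oid_end])


def tls_server_end_point_cbt(der_cert):
    """Return the GSS channel-binding application data for this server certificate."""
    oid = signature_algorithm_oid(der_cert)
    hash_name = _SIG_OID_TO_HASH.get(oid)
    if hash_name is None:
        raise ValueError("unsupported certificate signature algorithm OID %s" % oid)
    digest = hashlib.new(hash_name, der_cert).digest()  # hash of the whole DER cert
    return b"tls-server-end-point:" + digest


# Constructed test vectors (NOT real certificates): signatureAlgorithm SEQUENCEs for
# sha256WithRSAEncryption and sha1WithRSAEncryption, each followed by NULL params.
SIG_ALG_SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")
SIG_ALG_SHA1_RSA = bytes.fromhex("300d06092a864886f70d0101050500")


def fake_cert(sig_alg):
    """Constructed minimal Certificate SEQUENCE: tbsCertificate is SEQUENCE { INTEGER 1 }
    and the signature BIT STRING holds two dummy bytes. Only the outer shape matters."""
    tbs = bytes.fromhex("3003020101")
    sig = bytes.fromhex("030300abcd")
    body = tbs + sig_alg + sig
    return bytes([0x30, len(body)]) + body


if __name__ == "__main__":
    for name, alg in (("sha256WithRSA", SIG_ALG_SHA256_RSA), ("sha1WithRSA", SIG_ALG_SHA1_RSA)):
        cert = fake_cert(alg)
        cbt = tls_server_end_point_cbt(cert)
        print(name, signature_algorithm_oid(cert), len(cbt) - 21, "byte digest", cbt.hex())
```

On a real endpoint the DER bytes come from the server's TLS certificate (for instance `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 5986)))` from the standard library), and the returned bytes go into the `application_data` field of the GSS channel bindings supplied to the context initialisation. The SHA-1 case is the edge that matters operationally: a SHA-1-signed certificate still yields a 32-byte SHA-256 binding, and a client that hashed with SHA-1 instead would be rejected under Strict just as a client sending no binding at all.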

@jborean93
Collaborator

jborean93 commented Apr 10, 2017

I just created 2 PRs that are designed to add in support for CBT and Kerberos, where requests-kerberos is dependent on the pykerberos change:

- requests/requests-kerberos#92
- 02strich/pykerberos#27

I'm fairly new to C, so the pykerberos changes will probably go through a few iterations before a hopeful merge. In the end you can install these separately and try them out, but I would expect them to change at some point.

The last time I did this for NTLM CBT it took 3 months to get it all through, but I am hoping it will be quicker this time round.

@nitzmahone, if you have any connections or even tips on speeding up these PRs, it would be greatly appreciated.

@jborean93
Collaborator

jborean93 commented Dec 21, 2017

pywinrm v0.3.0 and the required downstream libraries have just been released, which add support for CBT with Kerberos: https://github.com/diyan/pywinrm/releases/tag/v0.3.0.
