Ansible - Kerberos message encryption to enable WinRM

Kerberos message encryption was just released for pywinrm, and it’s a great time to be alive.

With this, even if you don't have a fully deployed certificate infrastructure, you can still have encrypted messages flying around while using the WinRM easy mode of HTTP over tcp/5985. If you're not using Windows 10, just skip the WSL install portion.

If you have any problems, feel free to email me:

Current environment looks like the following:
Windows 10
Windows Subsystem for Linux (WSL) - upgraded to ubuntu 16.04
Python 3.5 / pip3
Domain joined computer, configured krb5.conf

Let’s get started.

Install WSL #

Open Powershell, and run:
lxrun /install


Make sure you’re on ubuntu 16.04:
lsb_release -a

If you’re still on 14.04, be aware of the following:

then upgrade:
sudo do-release-upgrade

FYI: I went the route of the upgrade, and actually had to uninstall “screen” before doing the release-upgrade:
sudo apt-get remove screen && sudo do-release-upgrade

Install packages #

Run the following:
sudo apt-get -y install gcc python-dev python3-dev libffi-dev libssl-dev libkrb5-dev krb5-user python-kerberos python3-kerberos virtualenv python3-venv

Set up virtual environment #

Run the following:
virtualenv -p python3 py3-ansible
cd py3-ansible
source bin/activate
pip3 install ansible
pip3 install pywinrm --upgrade
pip3 install kerberos requests_kerberos
pip3 install pywinrm[kerberos]

Kerberos Configuration - /etc/krb5.conf #

Every configuration is going to be different per environment.

Assume I have multiple domains in my environment:

Assume I have KDCs or primary domain controllers for each:

My config would look something like the following:

[libdefaults]
  default_realm = CORPORATE.COMPANY.COM
  krb4_config = /etc/krb.conf
  krb4_realms = /etc/krb.realms
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  v4_instance_resolve = false
  v4_name_convert = {
    host = {
      rcmd = host
      ftp = ftp
    }
    plain = {
      something = something-else
    }
  }
  fcc-mit-ticketflags = true

[realms]
  # One block per realm: the default realm above plus the other two.
  # REALM_2 and REALM_3 are placeholders; fill in each realm's name,
  # its KDC(s), the DNS domain it maps to, and its kpasswd server.
  CORPORATE.COMPANY.COM = {
    kdc =
    default_domain =
    kpasswd_server =
  }
  REALM_2 = {
    kdc =
    default_domain =
    kpasswd_server =
  }
  REALM_3 = {
    kdc =
    default_domain =
    kpasswd_server =
  }

[login]
  krb4_convert = true
  krb4_get_tickets = false

Generate kerberos ticket to authenticate with #

If I wanted to log into a server in, I would use:

If I wanted to log into a server in, I would use:

You can use the klist command to view current kerberos tickets, or kdestroy to get rid of all active tickets:

Configure ansible inventories / groups to utilize winrm with kerberos #

Build out a directory structure:
mkdir -p ansible/inventories/group_vars

Create hosts file:
vim ansible/inventories/hosts


Assign the win-corporate group some variables:
vim ansible/inventories/group_vars/win-corporate.yml

ansible_user: username@CORPORATE.COMPANY.COM
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_scheme: http
ansible_winrm_transport: kerberos
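With ansible_winrm_scheme: http and ansible_winrm_transport: kerberos, pywinrm (whose message_encryption option defaults to auto) seals each SOAP body and sends it as a multipart/encrypted HTTP body with protocol application/HTTP-Kerberos-session-encrypted, so a capture on tcp/5985 shows ciphertext instead of WS-Man XML. The Python check below is an added example, not code from the original post or from pywinrm/Ansible: it classifies a captured request as plaintext SOAP or Kerberos-wrapped, and both sample requests are constructed, with dummy bytes standing in for the real GSSAPI signature and sealed data.

```python
import re
import struct

# Content-Type protocol string pywinrm uses when it seals the SOAP body with Kerberos.
KERB_PROTO = "application/HTTP-Kerberos-session-encrypted"
SOAP_NS = b"http://www.w3.org/2003/05/soap-envelope"

def classify_winrm_request(raw: bytes) -> dict:
    """Split one captured HTTP request and report whether the WS-Man body is a
    readable SOAP envelope or a Kerberos-sealed multipart/encrypted body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    res = {"encrypted": False, "mechanism": None, "soap_visible": SOAP_NS in body}
    proto = re.search(r'protocol="([^"]+)"', ctype)
    bound = re.search(r'boundary="([^"]+)"', ctype)
    if not (ctype.lower().startswith("multipart/encrypted") and proto and bound):
        return res  # not wrapped: the body travels exactly as written
    res["mechanism"] = proto.group(1)
    parts = body.split(b"--" + bound.group(1).encode())
    if len(parts) < 4:  # expect: '', metadata part, ciphertext part, closing '--'
        return res
    meta, blob = parts[1], parts[2]
    marker = b"Content-Type: application/octet-stream\r\n"
    data = blob[blob.find(marker) + len(marker):] if marker in blob else b""
    # pywinrm prefixes the sealed bytes with a 4-byte little-endian signature length.
    sig_len = struct.unpack("<i", data[:4])[0] if len(data) >= 4 else -1
    res["encrypted"] = (res["mechanism"] == KERB_PROTO
                        and b"OriginalContent: type=application/soap+xml" in meta
                        and 0 < sig_len < len(data) - 4
                        and not res["soap_visible"])
    return res

# Constructed samples (not real captures): a plaintext WS-Man request, and a
# pywinrm-style wrapped one where dummy bytes stand in for the GSSAPI output.
PLAIN_REQ = (b"POST /wsman HTTP/1.1\r\nHost: win1.corporate.company.com:5985\r\n"
             b"Content-Type: application/soap+xml;charset=UTF-8\r\n\r\n"
             b'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">'
             b"<s:Body/></s:Envelope>")
_SIG, _SEALED, _B = b"\x11" * 16, bytes(range(40)), b"--Encrypted Boundary"
ENC_REQ = (b"POST /wsman HTTP/1.1\r\nHost: win1.corporate.company.com:5985\r\n"
           b'Content-Type: multipart/encrypted;protocol="' + KERB_PROTO.encode()
           + b'";boundary="Encrypted Boundary"\r\n\r\n'
           + _B + b"\r\n\tContent-Type: " + KERB_PROTO.encode() + b"\r\n"
           + b"\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=84\r\n"
           + _B + b"\r\n\tContent-Type: application/octet-stream\r\n"
           + struct.pack("<i", len(_SIG)) + _SIG + _SEALED + _B + b"--\r\n")
```

A request on port 5985 that still carries application/soap+xml is the case worth alerting on, since it means message encryption was not negotiated for that session.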

Test Ansible’s connectivity via WinRM #

From the ansible/ directory (so the inventory path resolves), target the win-corporate group:
ansible -i inventories/ win-corporate -m win_ping

Grab a beer because hopefully, you did it!

