Ansible - Kerberos message encryption to enable WinRM

Kerberos message encryption was just released for pywinrm, and it’s a great time to be alive.

With this, if you don't have a fully deployed certificate architecture, you can still have encrypted messages on the wire while using the WinRM easy mode of http over tcp/5985. If you're not using Windows 10, just skip the WSL install portion.

If you have any problems, feel free to email me:

Current environment looks like the following:
Windows 10
Windows Subsystem for Linux (WSL) - upgraded to ubuntu 16.04
Python 3.5 / pip3
Domain joined computer, configured krb5.conf

Let’s get started.

Install WSL #

Open Powershell, and run:
lxrun /install


Make sure you’re on ubuntu 16.04:
lsb_release -a

If you’re still on 14.04, be aware of the following:

then upgrade:
sudo do-release-upgrade

FYI: I went the route of the upgrade, and actually had to uninstall “screen” before doing the release-upgrade:
sudo apt-get remove screen && sudo do-release-upgrade

Install packages #

Run the following:
sudo apt-get -y install gcc python-dev python3-dev libffi-dev libssl-dev libkrb5-dev krb5-user python-kerberos python3-kerberos virtualenv python3-venv

Set up virtual environment #

Run the following:
virtualenv -p python3 py3-ansible
cd py3-ansible
source bin/activate
pip3 install ansible
pip3 install pywinrm --upgrade
pip3 install kerberos requests_kerberos
pip3 install pywinrm[kerberos]

Kerberos Configuration - /etc/krb5.conf #

Every configuration is going to be different per environment.

Assume I have multiple domains in my environment:

Assume I have KDCs or primary domain controllers for each:

My config would look something like the following (the realm names after the first, and the kdc / default_domain / kpasswd_server values, are left blank here; fill in your own):

[libdefaults]
  default_realm = CORPORATE.COMPANY.COM
  krb4_config = /etc/krb.conf
  krb4_realms = /etc/krb.realms
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  v4_instance_resolve = false
  v4_name_convert = {
    host = {
      rcmd = host
      ftp = ftp
    }
    plain = {
      something = something-else
    }
  }
  fcc-mit-ticketflags = true

[realms]
  CORPORATE.COMPANY.COM = {
    kdc =
    default_domain =
    kpasswd_server =
  }
  SECOND.REALM.PLACEHOLDER = {
    kdc =
    default_domain =
    kpasswd_server =
  }
  THIRD.REALM.PLACEHOLDER = {
    kdc =
    default_domain =
    kpasswd_server =
  }

[login]
  krb4_convert = true
  krb4_get_tickets = false

Generate kerberos ticket to authenticate with #

If I wanted to log into a server in, I would use:

If I wanted to log into a server in, I would use:

You can use the klist command to view current kerberos tickets, or kdestroy to get rid of all active tickets:

Configure ansible inventories / groups to utilize winrm with kerberos #

Build out a directory structure:
mkdir -p ansible/inventories/group_vars

Create hosts file:
vim ansible/inventories/hosts


Assign the win-corporate group some variables:
vim ansible/inventories/group_vars/win-corporate.yml

ansible_user: username@CORPORATE.COMPANY.COM   # UPN; the realm must match the ticket you got from kinit
ansible_port: 5985                              # the plain http WinRM listener
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore    # only matters for https; harmless with scheme http
ansible_winrm_scheme: http
ansible_winrm_transport: kerberos               # kerberos encrypts each message even over http
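
As an added check that is not part of the original post: the script below lints a group_vars file like win-corporate.yml for WinRM settings that would leave traffic over http/5985 unencrypted, which is exactly the gap Kerberos message encryption closes. It assumes the flat key: value layout shown above and Ansible's winrm connection variables, including ansible_winrm_message_encryption (auto by default; always makes Ansible fail rather than fall back to plaintext).

```python
# Transports pywinrm can wrap in an encrypted envelope; basic and certificate cannot, so over http they are cleartext.
ENCRYPTING_TRANSPORTS = {"kerberos", "ntlm", "credssp"}

def parse_group_vars(text):
    """Parse a flat YAML mapping (one 'key: value' per line) into a dict of strings."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line == "---" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        result[key.strip()] = value.strip().strip("'\"")
    return result

def check_winrm_encryption(group_vars):
    """Return (severity, message) findings; severity is 'error' or 'warn'."""
    findings = []
    if group_vars.get("ansible_connection") != "winrm":
        return findings
    # Ansible defaults: port 5986; the scheme defaults to http only when the port is 5985.
    port = group_vars.get("ansible_port", "5986")
    scheme = group_vars.get("ansible_winrm_scheme", "http" if port == "5985" else "https")
    transport = group_vars.get("ansible_winrm_transport")
    encryption = group_vars.get("ansible_winrm_message_encryption", "auto")
    if scheme == "http":
        if transport is None:
            findings.append(("warn", "ansible_winrm_transport not set; pin it to kerberos"))
        elif transport not in ENCRYPTING_TRANSPORTS:
            findings.append(("error", f"transport '{transport}' over http is cleartext"))
        if encryption == "never":
            findings.append(("error", "message encryption disabled over http"))
        elif encryption == "auto" and transport in ENCRYPTING_TRANSPORTS:
            findings.append(("warn", "set message_encryption: always so a pywinrm without "
                                     "encryption support fails instead of falling back to plaintext"))
    elif group_vars.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append(("warn", "certificate validation is off over https (interceptable)"))
    return findings

# Constructed sample: the win-corporate.yml from this post.
CORPORATE_YML = ("ansible_user: username@CORPORATE.COMPANY.COM\nansible_port: 5985\n"
                 "ansible_connection: winrm\nansible_winrm_server_cert_validation: ignore\n"
                 "ansible_winrm_scheme: http\nansible_winrm_transport: kerberos\n")
# Constructed sample: basic auth over http, the setup Kerberos encryption replaces.
WEAK_YML = ("ansible_connection: winrm\nansible_port: 5985\n"
            "ansible_winrm_transport: basic\nansible_winrm_message_encryption: never\n")

if __name__ == "__main__":
    for name, text in (("win-corporate.yml", CORPORATE_YML), ("weak.yml", WEAK_YML)):
        for severity, message in check_winrm_encryption(parse_group_vars(text)):
            print(f"{name}: {severity}: {message}")
```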

Test Ansible’s connectivity via WinRM #

cd ansible
ansible win-corporate -i inventories/ -m win_ping

Grab a beer because hopefully, you did it!

