Hard to say without taking apart the Azure cmdlets, but I'd suspect they're internally trying to use a Windows credential cache, which has always been a no-go for me under a WinRM session (though IIRC it fails loudly when you try).
Some of the stuff that will likely land in Ansible 2.3 may help (become support, various other tricks for escaping WinRM's restrictions), but not sure what to tell you meantime. Maybe ask the Azure folks why their cmdlets don't work under WinRM... On Tuesday, September 6, 2016 at 10:38:26 AM UTC-7, Barney Sowood wrote: > > Hi, > > I've got a powershell script that I'm currently invoking using the > script module - assuming I can get this working I'll probably turn it > into a module, but I need to get over some issues first. > > The purpose of the script is to configure Azure Online Backup on an on > premise Windows Server. The script is working fine when run from an > interactive powershell prompt. > > The script is getting passed some credentials, a resource group and a > backup vault name. > > It invokes Add-AzureRmAccount (which suceeds) and then > Get-AzureRMBackupVault which also succeeds (and returns the backup vault > info). So clearly auth to Azure is working correctly. > > The next step is running Get-AzureRMBackupVaultCredentials which > downloads a credential file to the local filesystem to be passed to > Start-OBRegistration. That step works fine when the script is run > interactively, but when the script is run by Ansible it fails with "The > specified network password is not correct". > > I'm guessing that for some reason Get-AzureRMBackupVaultCredentials > authenticates to Azure in a different way than the other Azure > Powershell scripts and that is in some way incompatible with (or > disallowed from) Powershell Remote Sessions. > > A slight punt of doing 'Enable-WSManCredSSP -Role "Client" > -DelegateComputer "*"' but that didn't help.. > > Has anyone had any similar experiences with using the Azure Powershell > cmdlets in a script run by Ansible? > > I realise this is probably verging on more of a powershell vs Ansible > question.. > > There may be a way to do the equivalent of > Get-AzureRMBackupVaultCredentials via the Azure API - I'll have a look > at that if I can't resolve this issue. > > Script is below if anyone wants to try it, it assumes an existing > Resource Group, Vault and the Azure Recovery Services client installed. > > thanks, > > Barney. > > -- > Barney Sowood > [email protected] > > param( > [Parameter(Mandatory=$True)] > [string]$Username=$null, > > [Parameter(Mandatory=$True)] > [string]$Password=$null, > > [Parameter(Mandatory=$True)] > [string]$ResourceGroup=$null, > > [Parameter(Mandatory=$True)] > [string]$VaultName=$null, > > [Parameter(Mandatory=$True)] > [string]$EncryptionPassphrase=$null > ) > > $ErrorActionPreference = "Stop" > > # Login to Azure > $securePassword = ConvertTo-SecureString $Password -AsPlainText -Force > $azureCreds = New-Object > System.Management.Automation.PSCredential($Username, $securePassword) > Add-AzureRmAccount -Credential $azureCreds > > # Get the backup vault > $backupVault = Get-AzureRMBackupVault –ResourceGroupName $ResourceGroup > –Name $VaultName > > # Download backup creds > $credsFilename = Get-AzureRMBackupVaultCredentials -Vault $backupVault > -TargetLocation $env:TMP > > # Register host > $creds = $env:TMP + "\" + $credsFilename > Start-OBRegistration -VaultCredentials $creds -Confirm:$false > > # Cleanup creds > Remove-Item -Force $creds > > # Set encryption passphrase > ConvertTo-SecureString -String $EncryptionPassphrase -AsPlainText -Force > | Set-OBMachineSetting > > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/4718100c-4dec-495e-a234-441501cb0107%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
