Hi Jordan,
Thanks for that, you resolved it.
For the next person, this is what I ended up doing:
- name: Run PowerShell Command with SYSTEM account
  ansible.windows.win_shell: |
    Get-ADUser -Identity {{ NewUserName }} -properties *
  register: result
  become: yes
  become_method: runas
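As an added example, not code from Gregory or Jordan, here is a playbook built from the thread's own tasks that runs Get-ADUser once without become, to surface the second-hop failure, and once with become/runas under an explicit domain service account supplied from Ansible Vault instead of SYSTEM. The inventory group win, the vault file path and the variables ad_svc_user / ad_svc_password are assumptions; NewUserName is the extra variable from the thread.

```yaml
# Added example (not from the thread). Assumed: an inventory group "win"
# reachable over WinRM, and a vault file defining ad_svc_user and
# ad_svc_password (hypothetical names) for a least-privileged AD reader.
- name: Demonstrate the WinRM second hop and the become/runas fix
  hosts: win
  gather_facts: false
  vars_files:
    - vault/ad_service_account.yml   # defines ad_svc_user, ad_svc_password

  tasks:
    - name: Query AD without become (network logon, nothing to forward to ADWS)
      ansible.windows.win_shell: Get-ADUser -Identity {{ NewUserName }}
      register: no_become
      changed_when: false
      failed_when: false   # expected to fail with ADServerDownException

    - name: Show why the first attempt failed
      ansible.builtin.debug:
        msg: "rc={{ no_become.rc }}: {{ no_become.stderr | trim }}"
      when: no_become.rc != 0

    - name: Query AD with become/runas (fresh logon carrying explicit credentials)
      ansible.windows.win_shell: Get-ADUser -Identity {{ NewUserName }} -Properties *
      become: true
      become_method: runas
      become_user: "{{ ad_svc_user }}"
      become_pass: "{{ ad_svc_password }}"
      changed_when: false
      register: with_become

    - name: Show the result
      ansible.builtin.debug:
        var: with_become.stdout_lines
```

Using a named service account rather than SYSTEM also makes the query attributable to that account in the domain controller's logs, instead of to the host's computer account.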
On Wed, 3 May 2023 at 07:14, [email protected] <[email protected]> wrote:
> This is most likely the double hop problem where the WinRM process on the
> Windows side is unable to authenticate itself when talking to a downstream
> server [1]
>
> There are a few ways you can solve this
>
> - Use become on the task [2]
> - Use CredSSP as your authentication protocol with WinRM
> - Set up Kerberos delegation through either
>   - Unconstrained delegation
>   - Constrained delegation
>   - Resource based delegation
>
> Thanks
>
> Jordan
>
> [1]
> https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3
> [2]
> https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#become-and-windows
> On Tuesday, May 2, 2023 at 11:27:32 AM UTC+10 Gregory Machin wrote:
>
>> Hi,
>>
>> I'm currently testing using AWX as an API to run PowerShell commands via
>> ansible playbooks.
>>
>> I'm currently testing using the Get-ADUser command as this is close to
>> what I'll be doing.
>>
>> I'm using the following Ansible playbook
>>
>> - name: Test Extra Variables and PowerShell Command
>>   hosts: all
>>   collections:
>>   tasks:
>>     - name: Show Extra Variables
>>       debug:
>>         msg:
>>           - "NewUserName: {{ NewUserName }}"
>>           - "UserManager: {{ UserManager }}"
>>
>>     - name: Run PowerShell Command with SYSTEM account
>>       ansible.windows.win_shell: |
>>         whoami
>>         Test-NetConnection server.Domain.local -port 9389
>>         Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite
>>         Get-ADUser -Identity {{ NewUserName }}
>>       register: result
>>
>>     - name: Show PowerShell Command Result
>>       debug:
>>         var: result.stdout_lines
>>
>> but Get-ADUser errors with:
>>
>> Get-ADUser : Unable to contact the server. This may be because this
>> server does not exist, it is currently down, or it
>> does not have the Active Directory Web Services running.
>> At line:4 char:1
>> + Get-ADUser -Identity bbuilder
>> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> + CategoryInfo : ResourceUnavailable: (bbuilder:ADUser)
>> [Get-ADUser], ADServerDownException
>> + FullyQualifiedErrorId :
>> ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
>>
>> but I don't have any issues running Get-ADUser under my account or the
>> service account used for the playbook on the same server.
>>
>> The following in the playbook work as expected:
>> Test-NetConnection server.Domain.local -port 9389
>> Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite
>>
>> It feels like there is something missing in the PowerShell environment used by
>> Ansible, but I can't see what could cause this.
>>
>> Please advise.
>>
>> thank you
>> G
>>
>>
>>
>>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CAJTF0ni3EJ_yD75LM7emsMCU-UMc6mtuD_HYZY81dBHbCCn%3DqQ%40mail.gmail.com.