Ansible uses the pywinrm package to communicate with Windows servers over WinRM. It is not installed by default with the Ansible package, but can be installed by running the following:
# Install Ansible on RHEL/CentOS
$ sudo yum install wget -y
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo rpm -i epel-release-latest-7.noarch.rpm
$ sudo yum update -y
$ sudo yum install ansible -y
# Install pip
$ sudo easy_install pip
$ sudo yum install gcc krb5-devel krb5-workstation
$ pip install --upgrade pip
or
$ sudo yum install -y python-pip
$ sudo yum install gcc krb5-devel krb5-workstation
$ pip install --upgrade pip
$ sudo pip install markupsafe
$ sudo pip install xmltodict
$ pip install "pywinrm>=0.3.0" # pip install pywinrm --ignore-installed
$ ansible --version
When connecting to a Windows host, there are several different options that can be used when authenticating with an account. The authentication type may be set on inventory hosts or groups with the ansible_winrm_transport variable.
The following matrix is a high-level overview of the options:
Option | Local Accounts | Active Directory Accounts | Credential Delegation | HTTP Encryption |
---|---|---|---|---|
Basic | Yes | No | No | No |
Certificate | Yes | No | No | No |
Kerberos | No | Yes | Yes | Yes |
NTLM | Yes | Yes | No | Yes |
CredSSP | Yes | Yes | Yes | Yes |
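Basic authentication is one of the simplest authentication options to use, but it is also the least secure: as the matrix shows, it provides no HTTP message encryption, so the credentials are protected only when the connection itself runs over HTTPS. Basic authentication is not enabled by default on a Windows host, but it can be enabled by running the following in PowerShell:
PS> Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true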
The following example shows host vars configured for basic authentication:
ansible_user: LocalUsername
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: basic
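
The matrix and the basic-authentication host vars above can be checked mechanically before a playbook run. The following Python is an added example, not part of the original page or of Ansible itself: the function names, the flat `key: value` parser, and the rule that a user name containing `@` denotes an Active Directory account are assumptions made for illustration. `ansible_port` and `ansible_winrm_scheme` are Ansible connection variables that the page's example does not set.

```python
# Matrix from the table above: transport -> (local, AD, delegation, HTTP encryption)
MATRIX = {
    "basic":       (True,  False, False, False),
    "certificate": (True,  False, False, False),
    "kerberos":    (False, True,  True,  True),
    "ntlm":        (True,  True,  False, True),
    "credssp":     (True,  True,  True,  True),
}

def parse_host_vars(text):
    """Read flat 'key: value' lines; a simplification, not a full YAML parser."""
    pairs = (ln.split(":", 1) for ln in text.splitlines()
             if ":" in ln and not ln.strip().startswith("#"))
    return {k.strip(): v.strip().strip("'\"") for k, v in pairs}

def uses_https(hv):
    """Ansible defaults to https unless ansible_port is 5985."""
    default = "http" if hv.get("ansible_port") == "5985" else "https"
    return hv.get("ansible_winrm_scheme", default).lower() == "https"

def audit(hv):
    """Return a list of findings for one host's variables."""
    transport = hv.get("ansible_winrm_transport", "").lower()
    if transport not in MATRIX:
        return ["set ansible_winrm_transport to one of: " + ", ".join(MATRIX)]
    local_ok, domain_ok, _delegation, encrypts = MATRIX[transport]
    findings = []
    # Assumption: a UPN-style name (user@REALM) means an Active Directory account.
    is_domain = "@" in hv.get("ansible_user", "")
    if is_domain and not domain_ok:
        findings.append(transport + " does not support Active Directory accounts")
    if not is_domain and not local_ok:
        findings.append(transport + " does not support local accounts")
    if not encrypts and not uses_https(hv):
        findings.append(transport + " over HTTP is unencrypted; use HTTPS (port 5986)")
    password = hv.get("ansible_password", "")
    if password and not password.startswith(("{{", "!vault")):
        findings.append("ansible_password is stored in plaintext; use ansible-vault")
    return findings

# Constructed samples: the page's basic-auth host vars as written, then forced onto HTTP.
PAGE_VARS = """ansible_user: LocalUsername
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: basic"""
HTTP_VARS = PAGE_VARS + "\nansible_port: 5985"

if __name__ == "__main__":
    print(audit(parse_host_vars(PAGE_VARS)), audit(parse_host_vars(HTTP_VARS)))
```

A password given as a `{{ ... }}` variable reference or as an inline `!vault` value is treated as not stored in plaintext.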