WinRM - the specified credentials were rejected by the server

python kerberos winrm
vikas027 picture vikas027 · Jun 29, 2016 · Viewed 34.2k times · Source

I am unable to get WinRM session in a python script.

Environment

ad-dns.test.com    - Windows 2012 AD and DNS Server
box88.test.com     - CentOS 7.2 : Kerberos, Python (Not joined to domain)
box62.test.com     - Windows 2012 R2 Standard (Joined to domain)
box63.test.com     - Windows 10 (Joined to domain)

Configurations

I have enabled WinRM on Windows 10 and 2012 server through ConfigureRemotingForAnsible.ps1 PowerShell script. These are the WinRM configurations.

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
PS C:\Windows\system32>

I have prepared CentOS box as below

# yum -y install python-pip python-devel krb5-devel krb5-libs krb5-workstation
# pip install --upgrade pip
# pip install  "pywinrm>=0.1.1" kerberos pykerberos requests-kerberos isodate xmltodict

# cat /etc/krb5.conf
[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = ad-dns.test.com
  admin_server   = ad-dns.test.com
  kpasswd_server = ad-dns.test.com
  default_domain = test.com
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
#

# kinit [email protected]
Password for [email protected]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2016-06-30T02:15:20  2016-06-30T12:15:20  krbtgt/[email protected]
    renew until 2016-07-01T02:15:16
#

Problem

Until now, everything appears smooth. The problem occurs when I try to use this kerberos ticket to authenticate the Windows servers using the below script.

#!/usr/bin/env python

import winrm

s = winrm.Session('box63.test.com', auth=('[email protected]', 'IamUsingKerbTicket'), transport='kerberos')
r = s.run_cmd('ipconfig', ['/all'])
print r.status_code
print r.std_out
print r.std_err


# ./winrm_ipconfig.py
Traceback (most recent call last):
  File "./winrm_ipconfig.py", line 6, in <module>
    r = s.run_cmd('ipconfig', ['/all'])
  File "/usr/lib/python2.7/site-packages/winrm/__init__.py", line 37, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 179, in send_message
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
#

Not sure, why I see this error while Event Logs on Windows server show success. Apparently, I see three Logon and Logoff occurring at the same time. Windows_Event_Logs

Not sure what I am missing here. Firewall is stopped/disabled on both CentOS & Windows machines and times are also in sync.

Answer

vikas027 picture vikas027 · Jul 20, 2016

Solved it finally, it was a permission issue and not invalid credentials as pointed out in logs. There are two solutions to this issue

  1. Add the domain user to the Domain Admins Group
  2. Execute winrm configSDDL default on the Windows server and check Read and Execute permissons like below

Windows_Server

Related questions

How do I get JSON data from RESTful service using Python?

Is there any standard way of getting JSON data from RESTful service using Python? I need to use kerberos for authentication. some snippet would help.

Read More
Kerberos authentication with python

I need to write a script in python to check a webpage, which is protected by kerberos. Is there any possibility to do this from within python and how? The script is going to be deployed on a linux environment …

Read More
Kerberos installation error, error: Setup script exited with error: command 'i686-linux-gnu-gcc' failed with exit status 1

I am trying to install python kerbos library, setup.py fails with following. I have already done sudo apt-get update and sudo apt-get install python-dev(in that order). Here is the complete trackback of the process. vaibhav@vaibhav-UCVN:~/Downloads/requests-kerberos-master$ …

Read More