WinRM - the specified credentials were rejected by the server

I am unable to get a WinRM session in a Python script.

Environment

ad-dns.test.com    - Windows 2012 AD and DNS Server
box88.test.com     - CentOS 7.2 : Kerberos, Python (Not joined to domain)
box62.test.com     - Windows 2012 R2 Standard (Joined to domain)
box63.test.com     - Windows 10 (Joined to domain)

Configurations

I have enabled WinRM on the Windows 10 and 2012 servers through the ConfigureRemotingForAnsible.ps1 PowerShell script. These are the WinRM configurations.

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
PS C:\Windows\system32> 

I have prepared the CentOS box as below:

# yum -y install python-pip python-devel krb5-devel krb5-libs krb5-workstation
# pip install --upgrade pip
# pip install  "pywinrm>=0.1.1" kerberos pykerberos requests-kerberos isodate xmltodict

# cat /etc/krb5.conf
[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = ad-dns.test.com
  admin_server   = ad-dns.test.com
  kpasswd_server = ad-dns.test.com
  default_domain = test.com
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
#

# kinit vkumar@TEST.COM
Password for vkumar@TEST.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vkumar@TEST.COM

Valid starting       Expires              Service principal
2016-06-30T02:15:20  2016-06-30T12:15:20  krbtgt/TEST.COM@TEST.COM
    renew until 2016-07-01T02:15:16
#

Problem

Until now, everything appears smooth. The problem occurs when I try to use this Kerberos ticket to authenticate to the Windows servers using the script below.

#!/usr/bin/env python

import winrm

s = winrm.Session('box63.test.com', auth=('vkumar@TEST.COM', 'IamUsingKerbTicket'), transport='kerberos')
r = s.run_cmd('ipconfig', ['/all'])
print r.status_code
print r.std_out
print r.std_err


# ./winrm_ipconfig.py
Traceback (most recent call last):
  File "./winrm_ipconfig.py", line 6, in <module>
    r = s.run_cmd('ipconfig', ['/all'])
  File "/usr/lib/python2.7/site-packages/winrm/__init__.py", line 37, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 179, in send_message
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
#

Not sure why I see this error while the Event Logs on the Windows server show success. Apparently, I see three Logon and Logoff events occurring at the same time. [Screenshot: Windows_Event_Logs]

Not sure what I am missing here. Firewall is stopped/disabled on both CentOS & Windows machines and times are also in sync.

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 11

Top GitHub Comments

5 reactions
atul-ram commented, Sep 8, 2016

netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow

This worked for me.

3 reactions
deepd commented, Jun 9, 2019

I came across this same issue even with “AllowUnencrypted” set to true. I observed that win_ping was working for a user (IEUser) that was added to the Administrator group and failing with

windows-server | UNREACHABLE! => { "changed": false, "msg": "plaintext: the specified credentials were rejected by the server", "unreachable": true }

for a user (test-user) that was not in the Administrator group.

So I added the test-user to Administrator group and the issue got resolved.
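The group-membership behaviour reported in the comment above is consistent with the Service RootSDDL in the WinRM configuration posted in the issue, whose access-control list allows full control only to the built-in Administrators group. The following is an added example, not code from the thread or from pywinrm: it parses an excerpt of that `winrm get winrm/config` output and decodes the DACL. The function names and the small SID and rights lookup tables are illustrative assumptions covering only the abbreviations that appear in this descriptor.

```python
import re

# Excerpt of the `winrm get winrm/config` output quoted in the issue.
WINRM_CONFIG = """\
Config
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        Auth
            Basic = true
            CbtHardeningLevel = Relaxed
"""

# Illustrative subset of SDDL abbreviations: only what this descriptor uses.
SIDS = {"BA": "BUILTIN\\Administrators", "IU": "NT AUTHORITY\\INTERACTIVE"}
RIGHTS = {"GA": "full control", "GR": "read", "GW": "write", "GX": "execute"}

def parse_config(text):
    """Turn the indented 'key = value' listing into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, dict) of the currently open sections
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip())
        while stack[-1][0] >= indent:  # close sections we have left
            stack.pop()
        key, sep, value = line.strip().partition(" = ")
        if sep:
            stack[-1][1][key] = value
        else:  # a bare name opens a nested section
            stack.append((indent, stack[-1][1].setdefault(key, {})))
    return root

def dacl_entries(sddl):
    """Return (ace_type, rights, trustee) per ACE in the DACL (D:) part.

    Assumes two-letter rights codes (GA, GR, ...), not a hex access mask.
    """
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    entries = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")[:6]
        names = [RIGHTS.get(rights[i:i + 2], "?") for i in range(0, len(rights), 2)]
        entries.append((ace_type, names, SIDS.get(sid, sid)))
    return entries

def full_access_trustees(config_text):
    """Trustees that the service RootSDDL allows ('A' ACE) full control."""
    service = parse_config(config_text)["Config"]["Service"]
    return [who for kind, rights, who in dacl_entries(service["RootSDDL"])
            if kind == "A" and "full control" in rights]

if __name__ == "__main__":
    print(full_access_trustees(WINRM_CONFIG))
```

Granting a dedicated group access in this descriptor, rather than adding service accounts to Administrators, keeps the remote-management account at lower privilege.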
