HTTP Kerberos Auth Not Working When Destination WinRM Has "AllowUnencrypted = false"
Terraform Version and Provider Version
Terraform v0.14.10 / hashicorp/ad v0.4.2
Windows Version
Client: Windows Server 2016; DC: Windows Server 2012 R2; domain and forest functional level: Windows Server 2008 R2
Terraform Configuration Files
provider "ad" {
  winrm_hostname = "dc.domain.com"   # the DC that exposes the WinRM listener
  winrm_username = "domain_user"
  winrm_password = "domain_pass"
  winrm_insecure = true              # bool: skip TLS verification (irrelevant for plain HTTP)
  krb_realm      = "DOMAIN.COM"      # Kerberos realm; upper-case, matching the AD domain
  winrm_proto    = "http"            # plain HTTP listener, so only Kerberos message encryption protects the SOAP body
  winrm_port     = 5985              # int: default WinRM HTTP port
}

# Read-only lookup: no AD objects are created or changed, only queried over WinRM.
data "ad_computer" "TEST" {
  dn = "CN=TEST,CN=Computers,DC=domain,DC=com"
}

output "computer_guid" {
  value = data.ad_computer.TEST.guid
}
Expected Behavior
Apply complete! Resources: 0 added, 0 changed, 0 destroyed
Outputs:
computer_guid = "xxxxxxxx-xxxx-xxxx-xxxx"
Actual Behavior
Error: winrm execution failure in NewComputerFromHost: powershell command failed with exit code 1
stdout:
stderr:
error: http error while making kerberos authenticated winRM request: %!s(<nil>)
on ad.tf line 16, in data "ad_computer" "TEST":
16: data "ad_computer" "TEST" {
Steps to Reproduce
- Validate that AllowUnencrypted = false on the destination DC
- terraform init
- terraform apply
Important Factoids
If the WinRM setting 'AllowUnencrypted = false' is set on the destination DC, terraform will always fail with 'error: http error while making kerberos authenticated winRM request: %!s(
References
https://github.com/hashicorp/terraform-provider-ad/issues/90
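The "Validate AllowUnencrypted = false" step above, carried out as an added PowerShell example (not from the issue, the provider, or HashiCorp). It reads the service-side settings on the DC, confirms from the client that a Kerberos-authenticated WinRM session over plain HTTP works when the client applies SPNEGO/Kerberos message encryption (which is what a service with AllowUnencrypted = false requires of HTTP clients), and shows the weak proof-of-concept workaround next to the hardened alternative. The hostname, realm and computer name are the placeholders from the issue's provider block; the certificate thumbprint is a placeholder you would replace.

```powershell
# Added example, not code from the issue or the provider.
# Placeholders taken from the issue: dc.domain.com, computer CN=TEST.
$Dc = 'dc.domain.com'

# --- 1. On the DC: audit the WinRM service settings that matter here ---------
# AllowUnencrypted=false means the service rejects any HTTP request whose SOAP
# body is not wrapped by the authentication protocol (Kerberos/SPNEGO encryption).
$allowUnencrypted = (Get-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted').Value
$kerberosEnabled  = (Get-Item -Path 'WSMan:\localhost\Service\Auth\Kerberos').Value
"AllowUnencrypted = $allowUnencrypted ; Kerberos auth enabled = $kerberosEnabled"

# Enumerate listeners so you know whether only HTTP (5985) or also HTTPS (5986) exists.
Get-ChildItem -Path 'WSMan:\localhost\Listener' | ForEach-Object {
    $props = Get-ChildItem -Path "WSMan:\localhost\Listener\$($_.Name)"
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
        Address   = ($props | Where-Object Name -eq 'Address').Value
    }
}

# --- 2. From the client (the Server 2016 box): Kerberos over plain HTTP ------
# An authenticated Identify request using the caller's Kerberos ticket. Windows'
# own WinRM client encrypts the payload after authentication, so this succeeds
# against a DC with AllowUnencrypted=false even though the transport is HTTP.
Test-WSMan -ComputerName $Dc -Port 5985 -Authentication Kerberos

# The same lookup the data source performs, through a real remoting session.
# Requires the AD PowerShell module on the DC (present on a 2012 R2 DC).
Invoke-Command -ComputerName $Dc -Port 5985 -Authentication Kerberos -ScriptBlock {
    Get-ADComputer -Identity 'TEST' | Select-Object Name, ObjectGUID
}

# --- 3. Weak workaround vs. hardened setting ---------------------------------
# Weak (what the proof-of-concept setups in this thread do): accept unencrypted
# bodies. Kerberos still authenticates the caller, but command text and output
# can now cross the wire in clear text. Do not run this on a production DC.
Set-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -Value $true

# Hardened: keep AllowUnencrypted=false and give clients that cannot do Kerberos
# message encryption an HTTPS listener instead (winrm_proto = "https",
# winrm_port = 5986 in the provider). Needs a server certificate whose subject
# matches the DC name; '<thumbprint-of-dc-cert>' is a placeholder.
Set-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -Value $false
New-Item -Path 'WSMan:\localhost\Listener' -Transport HTTPS -Address '*' `
    -CertificateThumbPrint '<thumbprint-of-dc-cert>' -Force
```

Section 1 runs on the DC itself; sections 2 and 3 run from the client and the DC respectively, under an account that is allowed to remote to the DC. If step 2 succeeds while the provider fails with the same settings, the listener and authentication configuration are fine and the difference lies in how the client encrypts the HTTP body.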
I was having similar issues. Currently I developed my main.tf with WinRM set to unencrypted. Currently just working with it as proof of concept, but if it could actually run it with encryption, it would be such a good tool for me.
Yup, similar situation here. Fun for staging or in a sandbox, but having WinRM unencrypted is a non-starter in prod.
I've run into this bug as well.
When WinRM is configured to use HTTPS, the issue doesn't happen.
According to MS, using HTTP for WinRM is secure if you're using it with Kerberos:
"Regardless of the transport protocol used (HTTP or HTTPS), WinRM always encrypts all PowerShell remoting communication after initial authentication." (From Microsoft)
So a WinRM configuration that uses HTTP and has 'AllowUnencrypted = false' set is a supported, secure, working configuration.
Somewhat tangentially, and aligning with what @techimply mentioned: we also use Ansible with the same endpoints this provider is having issues with (configured as HTTP and AllowUnencrypted = false), and Ansible works with that configuration.