English English French French Spanish Spanish German German
Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
Share on:

How to Connect Ansible on Windows from Ubuntu?

ansible certification exams
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

Let me quickly show you how to connect the Windows server from Ansible running on Ubuntu.

To follow the steps below, you need to have Python 3.x and Ansible installed on both the systems. You can follow the below articles if you need help.

How to Install and Configure Ansible on Ubuntu?

How to install Ansible on Windows?

Below are the details of both the servers I am using:

  • Ansible Controller – 192.168.0.108
  • Windows Server – 192.168.0.102

Step 1: Create Ansible Windows User

Create a new user for the Ansible windows connection setup.

  • Open Computer Management on your Windows system and go to Local Users and Groups.
  • Right-click on Users and create a new user.
  • Select Password never expires checkbox and click on create.

ansible user

  • Now among the available groups, right-click on the Administrators group and click on properties.
  • Click on Add and enter ansible in object names.
  • Click on the check names option and then Ok.

ansible groups

Now, an ansible user on a windows machine is ready.

Step 2: Setup Libraries and WinRM

Go to your ansible controller machine, update it, and install the libraries mentioned below.

geekflare@geekflare:~$ sudo apt-get update
geekflare@geekflare:~$ sudo apt-get install gcc python-dev
geekflare@geekflare:~$ sudo apt install python3-pip

WinRM stands for windows remote management. It allows you to perform management tasks on remote windows systems. We will install python3-winrm, a python client that is used to make a connection to the windows system.

geekflare@geekflare:~$ sudo apt-get install python3-winrm
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
gyp libc-ares2 libhttp-parser2.8 libjs-async libjs-inherits libjs-is-typedarray libjs-node-uuid libuv1 libuv1-dev node-abbrev node-ajv
node-ansi node-ansi-color-table node-ansi-regex node-ansi-styles node-ansistyles node-aproba node-archy node-are-we-there-yet node-async

node-validate-npm-package-license node-wcwidth.js node-which node-which-module node-wide-align node-wrap-ansi node-wrappy node-y18n
node-yallist node-yargs node-yargs-parser nodejs nodejs-doc
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
python3-kerberos python3-ntlm-auth python3-requests-kerberos python3-requests-ntlm python3-xmltodict
The following NEW packages will be installed:
python3-kerberos python3-ntlm-auth python3-requests-kerberos python3-requests-ntlm python3-winrm python3-xmltodict
0 upgraded, 6 newly installed, 0 to remove and 231 not upgraded.
Need to get 84.8 kB of archives.
After this operation, 442 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-kerberos amd64 1.1.14-1build1 [16.8 kB]
Get:2 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-ntlm-auth all 1.1.0-1 [19.6 kB]
Get:3 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-requests-kerberos all 0.11.0-2 [10.1 kB]
Get:4 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-requests-ntlm all 1.1.0-1 [6,004 B]
Get:5 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-xmltodict all 0.11.0-2 [10.6 kB]
Get:6 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-winrm all 0.3.0-2 [21.7 kB]
Fetched 84.8 kB in 1s (70.3 kB/s)
Selecting previously unselected package python3-kerberos.
(Reading database ... 244430 files and directories currently installed.)
Preparing to unpack .../0-python3-kerberos_1.1.14-1build1_amd64.deb ...
Unpacking python3-kerberos (1.1.14-1build1) ...
Selecting previously unselected package python3-ntlm-auth.
Selecting previously unselected package python3-xmltodict.
Preparing to unpack .../4-python3-xmltodict_0.11.0-2_all.deb ...
Unpacking python3-xmltodict (0.11.0-2) ...
Selecting previously unselected package python3-winrm.
Preparing to unpack .../5-python3-winrm_0.3.0-2_all.deb ...
Unpacking python3-winrm (0.3.0-2) ...
Setting up python3-kerberos (1.1.14-1build1) ...
Setting up python3-winrm (0.3.0-2) ...

Step 3: Update the Ansible Inventory file

Now, I will edit the ansible hosts file with the windows system IP address. So now ansible will know which windows system it needs to connect.

geekflare@geekflare:~$ sudo gedit /etc/ansible/hosts

[win]
192.168.0.102

Step 4: Update the Ansible Group Variables

Create a directory for putting variables need to connect to the windows system.

geekflare@geekflare:~$ mkdir /etc/ansible/group_vars
geekflare@geekflare:~$ sudo chmod -R 777 /etc/ansible/

Create a file win.yaml and put the user details you created in the 1st step and few more variables required to connect to the windows system.

geekflare@geekflare:~$ gedit /etc/ansible/group_vars/win.yaml
---

ansible_user: ansible

ansible_password: ansible

ansible_connection: winrm

ansible_winrm_server_cert_validation: ignore

ansible_winrm_transport: basic

ansible_winrm_port: 5985

ansible_python_interpreter: C:\Users\geekflare\AppData\Local\Programs\Python\Python37\python

Step 5: Configure Windows Servers to Manage

Open your windows power shell and upgrade it. You need to have Powershell 3.0 and .NET Framework 4.0 present on the windows machine.

PS C:\WINDOWS\system32> $url = "https://raw.githubusercontent.com/jborean93/ansible-windows/master/scripts/Upgrade-PowerShell.ps1"
PS C:\WINDOWS\system32> $file = "$env:temp\Upgrade-PowerShell.ps1"
PS C:\WINDOWS\system32> $username = "ansible"
PS C:\WINDOWS\system32> $password = "ansible"
PS C:\WINDOWS\system32> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\WINDOWS\system32> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
PS C:\WINDOWS\system32> &$file -Version 5.1 -Username $username -Password $password -Verbose

To configure WinRM on a Windows system with ansible, a remote configuration script has been provided by ansible. Run the script in the PowerShell.

PS C:\WINDOWS\system32> $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
PS C:\WINDOWS\system32> $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
PS C:\WINDOWS\system32> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\WINDOWS\system32> powershell.exe -ExecutionPolicy ByPass -File $file
PS C:\WINDOWS\system32> winrm enumerate winrm/config/Listener

Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman

CertificateThumbprint
ListeningOn = 127.0.0.1, 169.254.8.240, 169.254.36.9, 169.254.102.217, 169.254.215.170, 192.168.0.102, ::1, fe80::3131:c6d7:9ef5:8f0%7, fe80::51b7:9134:550d:d7aa%22, fe80::88f1:1229:e1dd:2409%16, fe80::99cf:5796:4f8e:f5c1%15, fe80::fd77:c19d:e0f2:66d9%9

Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = DESKTOP-2L8QMI6
Enabled = true
URLPrefix = wsman

CertificateThumbprint = C83B3FC8B274D0B650F0FD647DC7AC129BBE3FA0
ListeningOn = 127.0.0.1, 169.254.8.240, 169.254.36.9, 169.254.102.217, 169.254.215.170, 192.168.0.102, ::1, fe80::3131:c6d7:9ef5:8f0%7, fe80::51b7:9134:550d:d7aa%22, fe80::88f1:1229:e1dd:2409%16, fe80::99cf:5796:4f8e:f5c1%15, fe80::fd77:c19d:e0f2:66d9%9

Set winrm to allow HTTP traffic.

PS C:\WINDOWS\system32> winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)

MaxConcurrentOperations = 4294967295

MaxConcurrentOperationsPerUser = 1500

EnumerationTimeoutms = 240000
MaxConnections = 300

MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = true
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false

CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *

EnableCompatibilityHttpListener = false

EnableCompatibilityHttpsListener = false

CertificateThumbprint
AllowRemoteAccess = true

Set the authentication to basic in wirm.

PS C:\WINDOWS\system32> winrm set winrm/config/service/auth '@{Basic="true"}'
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed

Step 6: Test Connectivity to the Windows Server

Now all the steps on the machine are done. Go to ansible controller machine and ping the windows server machine using win_ping ansible module.

geekflare@geekflare:~$ ansible win -m win_ping
192.168.0.102 | SUCCESS => {

"changed": false,
"ping": "pong"
}

The success message shows that the connection has been established. Now, the windows system is ready to be administered remotely from the Ansible running on Ubuntu.

Thanks to our Sponsors
More great readings on DevOps
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Semrush is an all-in-one digital marketing solution with more than 50 tools in SEO, social media, and content marketing.
    Try Semrush
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder