Domain Credentail is not working

[adhamelia]

Hi,

i am trying to command using domain credentials but it throws error even though i have configured a properly Kerberos setup.

can u guid me ???

here is the code snippet

WinRmTool winrm = WinRmTool.connect("xxx.xxx.xxx.xxx", "Administrator@XXX.COM", "xxxxx");

        WinRmToolResponse response = winrm.executePs(ImmutableList.of("Get-WmiObject -class Win32_ComputerSystem"));
        System.out.println(response.getStdOut()); 

javax.xml.ws.WebServiceException: Could not send Message. at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:150) at com.sun.proxy.$Proxy45.create(Unknown Source) at io.cloudsoft.winrm4j.client.WinRmClient.createService(WinRmClient.java:457) at io.cloudsoft.winrm4j.client.WinRmClient.getService(WinRmClient.java:340) at io.cloudsoft.winrm4j.client.WinRmClient.command(WinRmClient.java:207) at io.cloudsoft.winrm4j.winrm.WinRmTool.executeCommand(WinRmTool.java:198) at io.cloudsoft.winrm4j.winrm.WinRmTool.executePs(WinRmTool.java:224) at WinRM.main(WinRM.java:57) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144) Caused by: java.io.IOException: Authorization loop detected on Conduit "{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmPort.http-conduit" on URL "http://192.168.2.102:5985/wsman" with realm "WSMAN" at org.apache.cxf.transport.http.HTTPConduit.detectAuthorizationLoop(HTTPConduit.java:1926) at org.apache.cxf.transport.http.HTTPConduit.access$600(HTTPConduit.java:147) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.authorizationRetransmit(HTTPConduit.java:1506) at org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduit$AsyncWrappedOutputStream.authorizationRetransmit(AsyncHTTPConduit.java:796) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.processRetransmit(HTTPConduit.java:1437) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRetransmits(HTTPConduit.java:1411) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1545) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1347) at org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduit$AsyncWrappedOutputStream.close(AsyncHTTPConduit.java:415) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:651) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139) ... 12 more

[neykov]

@adhamelia The error looks like a convoluted authentication failed message. Note that even when authenticating against a Domain backed machine winrm will still use NTLM authentication - this is how the current implementation is working. Several things to try out:

• Check Negotiate auth is enabled on the winrm service
• The username should follow the DOMAIN\username format when authenticating against a domain
• The password needs to be passed to the call, the local kerberos cache is not used (because using NTLM)

[adhamelia]

@neykov i tried all the possibilities but no luck.. i forgot to mention one thing is that, i was trying to connect from linux..

does it work on linux ???

[neykov]

Yes, the library works in Linux as well. @adhamelia Have you tried connecting with the same credentials using the Windows tools? I believe there's additional configuration needed before letting domain accounts connect through winrm. Can you try running the following from powershell from a computer which is not part of the domain:

test-wsman -computername <ip of computer> -credential Administrator@xxx.com -Authentication Negotiate

[neykov]

Here are some more leads to try with:

• See this paragraph: https://msdn.microsoft.com/en-us/library/windows/desktop/aa384295%28v=vs.85%29.aspx#Negotiate_Authentication. When using NTLM only the local (non-domain) Administrator user is allowed to connect by default. To grant access to all admin users you need to allow it by adding a registry key:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

• add the domain user as a local admin
• try connecting without prefixing the user with the domain
• in parallel try connecting with the windows tools to verify that the account is allowed to connect

---

You can also try selecting Kerberos authentication by setting builder.setAuthenticationScheme(AuthSchemes.Kerberos). This requires that the machine you are connecting from is already part of the domain. I don't have a domain setup at hand to try this right now, so can't give more detailed instructions.

[bostko]

@adhamelia can you check whether you enabled unencrypted connections? winrm get winrm/config/service

[awdamle]

I am trying to use Kerberos AuthScheme and my machine is in the same domain as the remote Windows machine that I am trying to connect to. I have also verified the WinRM config on the remote server. However, I am not able to proceed ahead as I am getting these authentication errors -

WARN MainClientExec:207 - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)) KERBEROS authentication error: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) Any pointers on this error? I tried passing a user name in both these formats - domain\username and username@domain, but I am getting same error.

[awdamle]

I tried using kinit to cache the ticket so that it is automatically used when I try to run a command using WinRmTool. However, I am now getting this error - KrbException: Server not found in Kerberos database (7) .... Caused by: KrbException: Identifier doesn't match expected value (906) .... After turning on debug level logging for Kerberos, I see the following details in KRBError: error code is 7 error Message is Server not found in Kerberos database sname is HTTP/Windows_server_IP_I_want_to_connect_to:5985@domain

If sname is for the server's identity, shouldn't it be just Windows_server_IP_I_want_to_connect_to@domain? Is it a bug? Please help.

[awdamle]

I tried using NTLM AuthScheme and it is working fine with it. Yet, I would like to know why it is not working with Kerberos as Kerberos is favored, it being more secure than NTLM.

[neykov]

Hi @awdamle. There's no fundamental reason why it wouldn't work. It's just a setup that we haven't tried so might need a few kinks to work out.

• Have you configured a jaas.conf with Krb5LoginModule?
• See the javadoc of ClientKerberosAuthentication.java. We are using Apache Http Client under the hood so if that works, then the winrm4j client will work as well

[neykov]

Detailed information for a similar problem in #37 (marked as duplicate).