hashicorp / terraform-provider-ad

Active Directory provider for HashiCorp Terraform (experimental)
https://registry.terraform.io/providers/hashicorp/ad/latest
Mozilla Public License 2.0

HTTP Kerberos Auth Not Working When Destination Winrm "AllowUnencrypted = false" #120

Open techimply opened 3 years ago

techimply commented 3 years ago

Terraform Version and Provider Version

Terraform v0.14.10 /hashicorp/ad v0.4.2

Windows Version

Client: Server 2016 DC: 2012 R2 Domain & Forest functional = Windows Server 2008 R2

Affected Resource(s)

Terraform Configuration Files

provider "ad" {
  winrm_hostname = "dc.domain.com"
  winrm_username = "domain_user"
  winrm_password = "domain_pass"
  winrm_insecure = "true"
  krb_realm      = "DOMAIN.COM"
  winrm_proto    = "http"
  winrm_port     = "5985"
}

data "ad_computer" "TEST" {
  dn = "CN=TEST,CN=Computers,DC=domain,DC=com"
}

output "computer_guid" {
  value = data.ad_computer.TEST.guid
}

Debug Output

Panic Output

Expected Behavior

Apply complete! Resources: 0 added, 0 changed, 0 destroyed
Outputs:
computer_guid = "xxxxxxxx-xxxx-xxxx-xxxx"

Actual Behavior

Error: winrm execution failure in NewComputerFromHost: powershell command failed with exit code 1
stdout:
stderr:
error: http error while making kerberos authenticated winRM request: %!s(<nil>)

  on ad.tf line 16, in data "ad_computer" "TEST":
  16: data "ad_computer" "TEST" {

Steps to Reproduce

  1. Validate AllowUnencrypted = false on destination DC
  2. Terraform init
  3. Terraform apply

Important Factoids

If the WinRM setting 'AllowUnencrypted = false' is set on the destination DC, Terraform will always fail with 'error: http error while making kerberos authenticated winRM request: %!s()'. As soon as 'AllowUnencrypted = true' is set, the provider works as intended. Perhaps I am missing a flag here? I have no issues connecting via HTTP & Kerberos using other software such as Ansible.

References

https://github.com/hashicorp/terraform-provider-ad/issues/90

Community Note

Lux-Nova commented 3 years ago

I was having similar issues. Currently I developed my main.tf with WinRM set to unencrypted. Currently just working with it as proof of concept, but if it could actually run it with encryption, it would be such a good tool for me.

techimply commented 3 years ago

> I was having similar issues. Currently I developed my main.tf with WinRM set to unencrypted. Currently just working with it as proof of concept, but if it could actually run it with encryption, it would be such a good tool for me.

Yup, similar situation here. Fun for staging or in a sandbox, but having WinRM unencrypted is a non-starter in prod.

m3dos commented 8 months ago

I've run into this bug as well.

When WinRM is configured to use HTTPS - the issue doesn't happen.

According to MS - using HTTP for WinRM is secure if you're using it with Kerberos

"Regardless of the transport protocol used (HTTP or HTTPS), WinRM always encrypts all PowerShell remoting communication after initial authentication." From Microsoft

So a WinRM configuration that uses HTTP and has 'AllowUnencrypted = false' set is a supported/secure/working configuration.

Somewhat tangentially, and aligning with what @techimply mentioned: we also utilize Ansible with the same endpoints this provider is having issues with (configured as HTTP & AllowUnencrypted=false), and Ansible works with that configuration.
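For anyone checking whether a DC is in the posture discussed in this thread (HTTP listener, Kerberos auth, AllowUnencrypted = false) before pointing the provider at it, here is an added audit script; it is not from the issue or from the provider's code. It reads the WSMan provider on the target host itself (run elevated on the DC), and the warning thresholds are my own assumptions about what a hardened WinRM service should look like.

```powershell
# Added example: audit the WinRM service settings relevant to this issue.
# Run in an elevated PowerShell session on the destination DC.
$service = 'WSMan:\localhost\Service'

# WSMan provider items expose their setting as a string in .Value ("true"/"false").
$allowUnencrypted = (Get-Item "$service\AllowUnencrypted").Value
$kerberosAuth     = (Get-Item "$service\Auth\Kerberos").Value
$basicAuth        = (Get-Item "$service\Auth\Basic").Value

# Each listener is a container whose children are its properties (Transport, Port, ...).
$listeners = Get-ChildItem 'WSMan:\localhost\Listener' | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
    }
}

[pscustomobject]@{
    AllowUnencrypted = $allowUnencrypted
    KerberosAuth     = $kerberosAuth
    BasicAuth        = $basicAuth
    Listeners        = ($listeners | ForEach-Object { "$($_.Transport):$($_.Port)" }) -join ', '
} | Format-List

# Expected posture for HTTP + Kerberos: message-level encryption required
# (AllowUnencrypted = false) and Kerberos enabled. Basic auth next to an HTTP
# listener is flagged because it would carry credentials without Kerberos wrapping.
if ($allowUnencrypted -eq 'true') {
    Write-Warning 'AllowUnencrypted is true: the service accepts unencrypted payloads over HTTP.'
}
if ($kerberosAuth -ne 'true') {
    Write-Warning 'Kerberos authentication is disabled on the WinRM service.'
}
if ($basicAuth -eq 'true' -and ($listeners.Transport -contains 'HTTP')) {
    Write-Warning 'Basic authentication is enabled alongside an HTTP listener.'
}

# Remediation for the first warning (assumed hardening step, not from the issue):
#   Set-Item "$service\AllowUnencrypted" -Value $false
```

If the script reports AllowUnencrypted = false with Kerberos enabled and the provider still fails while Ansible succeeds against the same host, the host side is configured as this thread describes and the difference lies in the client.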