rundeck-plugins / py-winrm-plugin


Getting a 401 on wsman: call from Rundeck #84

Closed cucumberjim closed 2 years ago

cucumberjim commented 2 years ago

I've set up Rundeck 3.4.9 on Windows Server 2019. I've configured the "WinRM Node Executor Python" with CredSSP with https on port 5986. When I try to run a command I'm getting this error in Rundeck:

Server did not response with a CredSSP token after step TLS Handshake - actual 'Negotiate, Kerberos, CredSSP'

On the node side, I see the following Schannel error:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

If I use HTTP rather than HTTPS, I get the same Rundeck error, but Wireshark shows that the call is failing with a 401 error. The HTTP trace shows the 401 response with WWW-Authenticate headers for Negotiate, Kerberos, and CredSSP. I do see a request from the Rundeck server with a CredSSP Authorization token.

cucumberjim commented 2 years ago

It looks like Rundeck and the node have the following ciphers open based on the TLS trace and the node OS configuration:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

cucumberjim commented 2 years ago

Full Rundeck error:

[ERROR ] Execution finished with the following error (winrm-exec.py:323)[root]
[ERROR ] Server did not response with a CredSSP token after step TLS Handshake - actual 'Negotiate, Kerberos, CredSSP' (winrm-exec.py:324)[root]
Failed: NonZeroResultCode: [WinRMPython] Result code: 1
Execution failed: 24 in project DevDomain-Windows: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [node:HOSTNAME: NonZeroResultCode: [WinRMPython] Result code: 1 + {dataContext=MultiDataContextImpl(map={ContextView(node:HOSTNAME)=BaseDataContext{{exec={exitCode=1}}}, ContextView(step:1, node:node:HOSTNAME)=BaseDataContext{{exec={exitCode=1}}}}, base=null)} ]}, Node failures: {node:HOSTNAME=[NonZeroResultCode: [WinRMPython] Result code: 1 + {dataContext=MultiDataContextImpl(map={ContextView(node:node:HOSTNAME)=BaseDataContext{{exec={exitCode=1}}}, ContextView(step:1, node:HOSTNAME)=BaseDataContext{{exec={exitCode=1}}}}, base=null)} ]}, status: failed]

cucumberjim commented 2 years ago

I found the issue. Not sure why Windows to Windows works OK, though. WSMan:\localhost\Service\CertificateThumbprint on the server needs to have a valid thumbprint for an installed cert/key.
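
A check for the condition described in the last comment, added here as an example and not taken from the issue or the plugin: it reads WSMan:\localhost\Service\CertificateThumbprint on the node and confirms the value matches an installed certificate that has a private key. The function name Test-WinRMServiceCertificate, the Cert:\LocalMachine\My store location, and the validity-period and Server Authentication EKU checks are assumptions that go beyond what the thread states.

```powershell
# Added example: run in an elevated PowerShell session on the WinRM node.
function Test-WinRMServiceCertificate {
    [CmdletBinding()]
    param(
        # Assumption: the certificate is expected in the computer's Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $configured = (Get-Item -Path 'WSMan:\localhost\Service\CertificateThumbprint').Value
    # Thumbprints pasted from the certificate UI often carry spaces or hidden characters.
    $thumbprint = ($configured -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $result = [ordered]@{
        Thumbprint    = $thumbprint
        IsSet         = [bool]$thumbprint
        FoundInStore  = $false
        HasPrivateKey = $false
        InValidity    = $false
        ServerAuthEku = $false
        Usable        = $false
    }

    if ($result.IsSet) {
        $cert = Get-ChildItem -Path $StorePath |
            Where-Object { $_.Thumbprint -eq $thumbprint } |
            Select-Object -First 1
        if ($cert) {
            $now = Get-Date
            $result.FoundInStore  = $true
            $result.HasPrivateKey = $cert.HasPrivateKey
            $result.InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
            # 1.3.6.1.5.5.7.3.1 = Server Authentication; no EKU extension means any purpose.
            $eku = @($cert.EnhancedKeyUsageList | Where-Object { $_ } |
                ForEach-Object { $_.ObjectId })
            $result.ServerAuthEku = ($eku.Count -eq 0) -or ($eku -contains '1.3.6.1.5.5.7.3.1')
        }
    }

    # Usable only when every individual check passed.
    $result.Usable = $result.IsSet -and $result.FoundInStore -and
        $result.HasPrivateKey -and $result.InValidity -and $result.ServerAuthEku
    [pscustomobject]$result
}

Test-WinRMServiceCertificate | Format-List
```

If `Usable` is False, the failing field shows whether the thumbprint is unset, points at a certificate that is not installed, or points at one without a private key; the value can then be corrected with `Set-Item -Path WSMan:\localhost\Service\CertificateThumbprint -Value <thumbprint>`.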