and thanks in advance for reading and support.
I keep running into the error mentioned in the title when using runas as the become method from my Ansible controller towards a Win10 Pro 22H2 host. I did my research on various forum resources, but none of them solved my case.
Is someone able to tell me what I am doing wrong? I am providing info about my lab setup below.
Many thanks in advance;
Output from the ansible -i win_inventory.yaml W10-testhost -m win_whoami -k -bK -vvv command:
The full traceback is:
Exception calling "CreateProcessAsUser" with "9" argument(s): "CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)"
At line:103 char:5
+ $result = [Ansible.Become.BecomeUtil]::CreateProcessAsUser($usern ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : Win32Exception
ScriptStackTrace:
at <ScriptBlock>, <No file>: line 103
at <ScriptBlock><End>, <No file>: line 137
at <ScriptBlock>, <No file>: line 11
System.Management.Automation.MethodInvocationException: Exception calling "CreateProcessAsUser" with "9" argument(s): "CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)" ---> Ansible.Process.Win32Exception: CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)
at Ansible.Become.BecomeUtil.CreateProcessAsUser(String username, String password, LogonFlags logonFlags, LogonType logonType, String lpApplicationName, String lpCommandLine, String lpCurrentDirectory, IDictionary environment, Byte[] stdin) in c:\Users\LocalAdmin\AppData\Local\Temp\orxfw24j.1.cs:line 309
at CallSite.Target(Closure , CallSite , Type , Object , Object , Object , Object , Object , Object , Object , Object , Object )
--- End of inner exception stack trace ---
at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
W10-testhost | FAILED! => {
"changed": false,
"msg": "internal error: failed to become user 'LocalAdmin': Exception calling \"CreateProcessAsUser\" with \"9\" argument(s): \"CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)\""
}
Entry facts:
- Controller: Debian 11 amd64, Ansible 2.12.0, libraries:
- python3-winrm 0.3.0-2;
- python3-ntlm-auth 1.4.0-1;
- python3-requests-ntlm 1.1.0-1.1;
- Win10 Pro 22H2 x64 node;
- WinRM set up with HTTPS and NTLM authentication, standard local administrator account granted full access through the winrm configSDDL default dialog.
PowerShell output about my WinRM listener setup:
Type          Name                    SourceOfValue   Value
----          ----                    -------------   -----
System.String Address                                 *
System.String Transport                               HTTPS
System.String Port                                    5986
System.String Hostname                                W10-testhost
System.String Enabled                                 true
System.String URLPrefix                               wsman
System.String CertificateThumbprint                   <Omitted hash>
System.String ListeningOn_1770022257                  127.0.0.1
System.String ListeningOn_35909171                    <Omitted IPv4>
System.String ListeningOn_1414502903                  ::1
PowerShell output about my WinRM service:
Type          Name                            SourceOfValue   Value
----          ----                            -------------   -----
System.String RootSDDL                                        O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GA;;;S-1-5-21-2796465674-2055441695-237597433-1001)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
System.String MaxConcurrentOperations                         4294967295
System.String MaxConcurrentOperationsPerUser                  1500
System.String EnumerationTimeoutms                            240000
System.String MaxConnections                                  300
System.String MaxPacketRetrievalTimeSeconds                   120
System.String AllowUnencrypted                                false
Container     Auth
Container     DefaultPorts
System.String IPv4Filter                                      *
System.String IPv6Filter                                      *
System.String EnableCompatibilityHttpList...                  false
System.String EnableCompatibilityHttpsLis...                  false
System.String CertificateThumbprint
System.String AllowRemoteAccess                               true
My inventory setup (from the -i win_inventory.yaml file):
---
win10_hosts:
  vars:
    ansible_connection: winrm
    ansible_become_method: runas
    ansible_become_flags: 'logon_type=interactive'
  hosts:
    W10-testhost:
      ansible_host: '<Omitted IP>'
      ansible_winrm_transport: ntlm
      ansible_winrm_server_cert_validation: ignore
      ansible_user: 'LocalAdmin'
      ansible_become_user: 'LocalAdmin'
...
Lastly, solutions I tried so far:
- Based on official documentation, I tried using SYSTEM for the ansible_become_user variable. This resulted in the error: internal error: failed to become user 'SYSTEM': Exception calling "CreateProcessAsUser" with "9" argument(s): "Failed to get token for NT AUTHORITY\SYSTEM required for become as a service account or an account without a password";
- Disabling the "Limit local account use of blank passwords to console logon only" policy, rebooting the Win10 node and trying point 1 above again - same result;
- Based on MS's documentation regarding the CreateProcessAsUser and CreateProcessWithTokenW functions, I tried assigning the following privileges to my local administrator account and rebooting the Win10 node afterwards:
  - SE_ASSIGNPRIMARYTOKEN_NAME (Replace a process-level token);
  - SE_INCREASE_QUOTA_NAME (Adjust memory quotas for a process);
  - SE_IMPERSONATE_NAME (Impersonate a client after authentication).
Many thanks for your ideas and support.
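An added diagnostic for the situation described in the post above; it is not part of the original post and not Ansible's own code. Win32 error 1314 is ERROR_PRIVILEGE_NOT_HELD, and Microsoft's documentation states that the caller of CreateProcessWithTokenW must hold SeImpersonatePrivilege. What matters is whether that privilege is present in the token the WinRM session actually runs with, which can differ from what Local Security Policy grants the account: a UAC-filtered token, for example, drops SeImpersonatePrivilege among others. The script below, run over the same WinRM connection Ansible uses, prints the state of the privileges that CreateProcessWithTokenW and CreateProcessAsUser depend on in the current token, whether the Administrators group is active in that token, the state of the Secondary Logon (seclogon) service that Ansible's Windows become documentation requires for the runas method, and the LocalAccountTokenFilterPolicy value that governs UAC remote restrictions for local accounts. Assumptions: the inventory and host names from the post, and that the script is saved on the controller as token-check.ps1 (a hypothetical file name).

```powershell
# Added diagnostic (not from the original post, not Ansible's own code).
# Run it through the same kind of session Ansible uses, for example from the controller
# (assumed file name token-check.ps1, inventory and host names taken from the post):
#   ansible -i win_inventory.yaml W10-testhost -m script -a token-check.ps1 -k
# or from another Windows machine:
#   Enter-PSSession -ComputerName W10-testhost -UseSSL -Credential LocalAdmin
# The point is to inspect the token the WinRM session really runs with,
# not the rights assigned to the account in Local Security Policy.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Privileges relevant to the two Win32 calls named in the traceback:
#   CreateProcessWithTokenW needs SeImpersonatePrivilege (otherwise ERROR_PRIVILEGE_NOT_HELD, 1314)
#   CreateProcessAsUserW    needs SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege
$wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege', 'SeTcbPrivilege'

# whoami /priv lists only what is in *this* token; a filtered or otherwise restricted
# token simply omits privileges that the policy grants to the account.
$tokenPrivs = @{}
foreach ($row in (whoami /priv /fo csv | ConvertFrom-Csv)) {
    $tokenPrivs[$row.'Privilege Name'] = $row.State
}

# Secondary Logon backs CreateProcessWithTokenW / CreateProcessWithLogonW;
# Ansible's Windows become documentation requires it to be running for runas.
$seclogon = Get-Service -Name seclogon

# UAC remote restrictions: when this value is absent or 0, local accounts other than the
# built-in Administrator receive a filtered token over network logons such as WinRM.
$policyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$filterPolicy = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
                    -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
$filterText   = if ($null -eq $filterPolicy) { '(not set)' } else { $filterPolicy }

$report = [ordered]@{
    User                          = $identity.Name
    AdministratorsActiveInToken   = $isAdmin
    SeclogonStatus                = $seclogon.Status
    SeclogonStartType             = $seclogon.StartType
    LocalAccountTokenFilterPolicy = $filterText
}
foreach ($p in $wanted) {
    $report[$p] = if ($tokenPrivs.ContainsKey($p)) { $tokenPrivs[$p] } else { 'not in token' }
}
[pscustomobject]$report | Format-List
```

Read the output against the error: if SeImpersonatePrivilege shows "not in token" while Local Security Policy grants it, the session token is the thing to fix, not the policy; if seclogon is stopped or disabled, start it and set it to Manual or Automatic before retrying the runas become; the LocalAccountTokenFilterPolicy line tells you whether UAC remote restrictions apply to this local account over WinRM.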