Forked from jeremypruitt/gist:ca62a5cdc95f579713b9
Last active
April 26, 2018 13:06
-
-
Save noushi/3dddf23debfe4ed672bd11d79d61c214 to your computer and use it in GitHub Desktop.
Modified ansible windows remoting script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Configure a Windows host for remote management with Ansible | |
| # ----------------------------------------------------------- | |
| # | |
| # This script checks the current WinRM/PSRemoting configuration and makes the | |
| # necessary changes to allow Ansible to connect, authenticate and execute | |
| # PowerShell commands. | |
| # | |
| # Set $VerbosePreference = "Continue" before running the script in order to | |
| # see the output messages. | |
| # | |
| # Written by Trond Hindenes <[email protected]> | |
| # Updated by Chris Church <[email protected]> | |
| # | |
| # Version 1.0 - July 6th, 2014 | |
| # Version 1.1 - November 11th, 2014 | |
| Param ( | |
| [string]$SubjectName = $env:COMPUTERNAME, | |
| [int]$CertValidityDays = 180, | |
| $CreateSelfSignedCert = $true | |
| ) | |
| Function New-LegacySelfSignedCert | |
| { | |
| Param ( | |
| [string]$SubjectName, | |
| [int]$ValidDays = 365 | |
| ) | |
| $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1" | |
| $name.Encode("CN=$SubjectName", 0) | |
| $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1" | |
| $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider" | |
| $key.KeySpec = 1 | |
| $key.Length = 2048 | |
| $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" | |
| $key.MachineContext = 1 | |
| $key.Create() | |
| $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1" | |
| $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") | |
| $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1" | |
| $ekuoids.Add($serverauthoid) | |
| $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" | |
| $ekuext.InitializeEncode($ekuoids) | |
| $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1" | |
| $cert.InitializeFromPrivateKey(2, $key, "") | |
| $cert.Subject = $name | |
| $cert.Issuer = $cert.Subject | |
| $cert.NotBefore = (Get-Date).AddDays(-1) | |
| $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays) | |
| $cert.X509Extensions.Add($ekuext) | |
| $cert.Encode() | |
| $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1" | |
| $enrollment.InitializeFromRequest($cert) | |
| $certdata = $enrollment.CreateRequest(0) | |
| $enrollment.InstallResponse(2, $certdata, 0, "") | |
| # Return the thumbprint of the last installed cert. | |
| Get-ChildItem "Cert:\LocalMachine\my"| Sort-Object NotBefore -Descending | Select -First 1 | Select -Expand Thumbprint | |
| } | |
| # Setup error handling. | |
| Trap | |
| { | |
| $_ | |
| Exit 1 | |
| } | |
| $ErrorActionPreference = "Stop" | |
| # Detect PowerShell version. | |
| If ($PSVersionTable.PSVersion.Major -lt 3) | |
| { | |
| Throw "PowerShell version 3 or higher is required." | |
| } | |
| # Find and start the WinRM service. | |
| Write-Verbose "Verifying WinRM service." | |
| If (!(Get-Service "WinRM")) | |
| { | |
| Throw "Unable to find the WinRM service." | |
| } | |
| ElseIf ((Get-Service "WinRM").Status -ne "Running") | |
| { | |
| Write-Verbose "Starting WinRM service." | |
| Start-Service -Name "WinRM" -ErrorAction Stop | |
| } | |
| # WinRM should be running; check that we have a PS session config. | |
| If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener))) | |
| { | |
| Write-Verbose "Enabling PS Remoting." | |
| Enable-PSRemoting -Force -ErrorAction Stop | |
| } | |
| Else | |
| { | |
| Write-Verbose "PS Remoting is already enabled." | |
| } | |
| # Test a remoting connection to localhost, which should work. | |
| $httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue | |
| $httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck | |
| $httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue | |
| If ($httpResult -and $httpsResult) | |
| { | |
| Write-Verbose "HTTP and HTTPS sessions are enabled." | |
| } | |
| ElseIf ($httpsResult -and !$httpResult) | |
| { | |
| Write-Verbose "HTTP sessions are disabled, HTTPS session are enabled." | |
| } | |
| ElseIf ($httpResult -and !$httpsResult) | |
| { | |
| Write-Verbose "HTTPS sessions are disabled, HTTP session are enabled." | |
| } | |
| Else | |
| { | |
| # Throw "Unable to establish an HTTP or HTTPS remoting session." | |
| } | |
| # Make sure there is a SSL listener. | |
| $listeners = Get-ChildItem WSMan:\localhost\Listener | |
| If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"})) | |
| { | |
| # HTTPS-based endpoint does not exist. | |
| If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue) | |
| { | |
| $cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation "Cert:\LocalMachine\My" | |
| $thumbprint = $cert.Thumbprint | |
| } | |
| Else | |
| { | |
| $thumbprint = New-LegacySelfSignedCert -SubjectName $env:COMPUTERNAME | |
| } | |
| # Create the hashtables of settings to be used. | |
| $valueset = @{} | |
| $valueset.Add('Hostname', $env:COMPUTERNAME) | |
| $valueset.Add('CertificateThumbprint', $thumbprint) | |
| $selectorset = @{} | |
| $selectorset.Add('Transport', 'HTTPS') | |
| $selectorset.Add('Address', '*') | |
| Write-Verbose "Enabling SSL listener." | |
| New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset | |
| } | |
| Else | |
| { | |
| Write-Verbose "SSL listener is already active." | |
| } | |
| # Check for basic authentication. | |
| $basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "Basic"} | |
| If (($basicAuthSetting.Value) -eq $false) | |
| { | |
| Write-Verbose "Enabling basic auth support." | |
| Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true | |
| } | |
| Else | |
| { | |
| Write-Verbose "Basic auth is already enabled." | |
| } | |
| # Configure firewall to allow WinRM HTTPS connections. | |
| $fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" | |
| $fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any | |
| If ($fwtest1.count -lt 5) | |
| { | |
| Write-Verbose "Adding firewall rule to allow WinRM HTTPS." | |
| netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow | |
| } | |
| ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)) | |
| { | |
| Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile." | |
| netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any | |
| } | |
| Else | |
| { | |
| Write-Verbose "Firewall rule already exists to allow WinRM HTTPS." | |
| } | |
| Write-Verbose "PS Remoting has been successfully configured for Ansible." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment