Setup Terraform and Ansible for Windows provisioning on CentOS


Provisioning Windows machines with Terraform is easy. Configuring Windows machines with Ansible is also not complex. Combining the two, however, is a little challenging. The steps below outline one way to handle a Windows machine from provisioning through post-configuration without modifying the WinRM configuration on the guest operating system.

  1. Install the required yum repositories.
yum -y install https://repo.ius.io/ius-release-el7.rpm
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install https://packages.endpointdev.com/rhel/7/os/x86_64/endpoint-repo.x86_64.rpm
yum -y install epel-release
yum -y install yum-utils
yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
  1. Install Terraform.
sudo yum -y install terraform
  1. Install Ansible.
sudo yum -y install ansible
  1. Install Kerberos.
yum -y install gcc python-devel krb5-devel krb5-libs krb5-workstation
  1. Install pip.
sudo yum -y install python-pip

# You probably need the following package if you are using a VPN
pip install pysocks
  1. Install pywinrm[kerberos].
pip install pywinrm[kerberos]
  1. Configure /etc/krb5.conf.
    The following lines are required. Replace the realm, KDC and domain names with your own. Note that realm names are case-sensitive: the realm is written in upper case and the DNS domain in lower case.
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forward = true
 forwardable = true
 default_realm = ZHENGWU.ORG


[realms]
 ZHENGWU.ORG = {
  kdc = DC.ZHENGWU.ORG
  admin_server = DC.ZHENGWU.ORG
 }

[domain_realm]
 .zhengwu.org = ZHENGWU.ORG
 zhengwu.org = ZHENGWU.ORG
  1. Create an Ansible inventory file.

[win] #Group name
dc.zhengwu.org #This is the target server list

[win:vars]
ansible_connection=winrm
ansible_user=administrator #Use a domain admin account if possible.
ansible_password=P@ssw0rd #Change this password
ansible_port=5985
ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation=ignore
  1. Run the Ansible win_ping test.
ansible <group in inventory file> -m win_ping -i <inventory file>
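Because the realm casing in krb5.conf and the host names in the inventory are the two places where this setup most often goes wrong, the following script checks both files before the win_ping run. It is an added example and not part of the original post; the function names, the constructed sample files (modelled on the ZHENGWU.ORG values above) and the deliberately broken variants are all assumptions made here for illustration.

```bash
#!/usr/bin/env bash
# Preflight checks for the krb5.conf and Ansible inventory described above.
# Added example, not from the original post; sample file contents are constructed.

# check_krb5_conf FILE
# Succeeds when default_realm is set in upper case, the same realm has a
# [realms] block, and [domain_realm] maps the lower-cased domain back to it.
check_krb5_conf() {
  conf=$1
  realm=$(awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$conf")
  if [ -z "$realm" ]; then
    echo "krb5.conf: default_realm is missing" >&2; return 1
  fi
  upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
  if [ "$realm" != "$upper" ]; then
    echo "krb5.conf: default_realm must be upper case (got $realm)" >&2; return 1
  fi
  if ! grep -Eq "^[[:space:]]*${realm}[[:space:]]*=[[:space:]]*[{]" "$conf"; then
    echo "krb5.conf: no [realms] entry for $realm" >&2; return 1
  fi
  lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  if ! grep -Eq "^[[:space:]]*\.?${lower}[[:space:]]*=[[:space:]]*${realm}[[:space:]]*$" "$conf"; then
    echo "krb5.conf: [domain_realm] does not map $lower to $realm" >&2; return 1
  fi
}

# check_inventory FILE GROUP REALM
# Succeeds when every host in [GROUP] is a fully qualified name under the
# realm's DNS domain (Kerberos needs the FQDN, not an IP or short name) and
# the inventory selects the kerberos WinRM transport. Inline # comments are ignored.
check_inventory() {
  inv=$1; group=$2; realm=$3
  domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  hosts=$(awk -v g="[$group]" '
    /^[ \t]*\[/ { ingrp = ($1 == g); next }
    ingrp       { sub(/#.*/, ""); gsub(/[ \t]/, ""); if ($0 != "") print }
  ' "$inv")
  if [ -z "$hosts" ]; then
    echo "inventory: group [$group] has no hosts" >&2; return 1
  fi
  for h in $hosts; do
    case $h in
      *".$domain") ;;
      *) echo "inventory: $h is not an FQDN under $domain" >&2; return 1 ;;
    esac
  done
  if ! grep -Eq '^[[:space:]]*ansible_winrm_transport[[:space:]]*=[[:space:]]*kerberos' "$inv"; then
    echo "inventory: ansible_winrm_transport is not kerberos" >&2; return 1
  fi
}

# Constructed samples: a correct pair and two typical mistakes.
KRB5_GOOD=$(mktemp); KRB5_BAD=$(mktemp); INV_GOOD=$(mktemp); INV_BAD=$(mktemp)
cat > "$KRB5_GOOD" <<'EOF'
[libdefaults]
 default_realm = ZHENGWU.ORG
[realms]
 ZHENGWU.ORG = {
  kdc = DC.ZHENGWU.ORG
 }
[domain_realm]
 .zhengwu.org = ZHENGWU.ORG
 zhengwu.org = ZHENGWU.ORG
EOF
# Mistake: realm typed in lower case.
cat > "$KRB5_BAD" <<'EOF'
[libdefaults]
 default_realm = zhengwu.org
[realms]
 zhengwu.org = {
  kdc = dc.zhengwu.org
 }
EOF
cat > "$INV_GOOD" <<'EOF'
[win] #Group name
dc.zhengwu.org #This is the target server list

[win:vars]
ansible_connection=winrm
ansible_winrm_transport=kerberos
EOF
# Mistake: a bare IP address instead of the FQDN.
cat > "$INV_BAD" <<'EOF'
[win]
192.0.2.10
[win:vars]
ansible_connection=winrm
ansible_winrm_transport=kerberos
EOF

if check_krb5_conf "$KRB5_GOOD" && check_inventory "$INV_GOOD" win ZHENGWU.ORG; then
  echo "preflight OK: ansible win -m win_ping -i $INV_GOOD"
fi
```

Point the two functions at /etc/krb5.conf and your real inventory file once the samples pass; a failing check prints the reason to stderr so the fix is obvious before Ansible starts negotiating Kerberos.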

Cannot log in to Microsoft Account over VPN

Abstract

I am using a VPN (proxy) to improve access performance to global websites. One minor issue troubled me for a long time: I could not log in to any Microsoft account while using the VPN. The solution is to add the "Your account" app to the loopback exemption list. In this post I explain why that works.

Explanation

Starting with Windows 8, Microsoft runs applications in a different way, called AppContainers. Each application is isolated, which blocks some communication between applications on the local computer. The change was made for security reasons, but it also means some applications stop working with a VPN (proxy), because the data exchange they rely on is blocked.

Microsoft does offer a way to exempt applications from this isolation for troubleshooting purposes. Hence, adding the affected applications to the exemption list works around the problem.

The following Windows native commands manage the exemption list:

# Show a list of loopback exemption
CheckNetIsolation.exe LoopbackExempt -s

# Add an application to the exemption (-n takes the package family name)
CheckNetIsolation.exe LoopbackExempt -a -n=<app name>

Finding the application's name or ID is not straightforward; Process Explorer can show it. Alternatively, the third-party tool "Windows 8 AppContainer Loopback Utility" lets you configure the exemption from a graphical interface.

Figure: AppContainer Loopback Exemption Utility interface.

Reference

How to enable loopback and troubleshoot network isolation (Windows Runtime apps) (Microsoft Docs)

AppContainers for Windows 8: What Are They and How Can You Create Them? (Apriorit, Medium)

AppContainer Isolation, Win32 apps (Microsoft Docs)

Allow an Application to bind and listen on a port to honor requests from outside the app (microsoft.com)