Replies: 7 comments 4 replies
-
Hi @CedBau, it would be great if you could share the PowerShell command that you use so that we can see how you connect to the machine. To make sure we do not have a CLI parsing issue, you can also use an inventory file:

```yaml
apiVersion: v1
kind: Inventory
spec:
  assets:
    - id: windows-with-password
      connections:
        - host: 192.168.178.20
          backend: winrm
          credentials:
            - user: chris
              password: password
```

and then use `cnspec scan --inventory-file winrm_inventory.yml`
-
Currently I have no domain-joined Windows machine available to reproduce the issue. Based on the discussion I saw at ansible/ansible#13416 it sounds like WinRM requires Kerberos authentication for domain authentication. At this point we only support NTLM authentication for WinRM. As an immediate alternative, I propose the use of OpenSSH for Windows.
-
Correct, that's why I try to connect with a local user. The HTTP POST for NTLM authentication, however, indicates that a domain user is used:
-
Have you used the inventory file I shared above? That is just passing in the username and password and does not do the CLI input parsing. If that works we can see if the issue is the CLI argument parser or something else.
-
Got ya. This should do it:
-
Thanks for your efforts. The problem sadly persists. I'm just not able to specify the "domain" that should be used for the connection; as mentioned earlier, it should be the "LocalMachine". Here is my setup to explain it in detail:

Scan Asset: testwin2022-1.mydomain --> Domain Joined

Here's how PowerShell handles the authorization. The following command is executed:

The following credentials are entered:

Which leads to the following authorization:

On the other hand, if I use cnspec, the HTTP POST looks like this:

Here's the inventory file I used:

I've tried multiple things for the user, e.g. I even tried to specify a domain key for the credentials like:

If I use the Domain User, everything works as expected:
-
Hi @chris-rock
-
Hello everyone
As far as I'm concerned NTLM is used for the WinRM connection. I feel like the username isn't parsed correctly if the string contains a slash, e.g. `this.domain\username@host`. Is there a way around it?