Tower Windows management with Kerberos#
You will need to set up Credentials for an AWX admin account that has access to the machine, utilize custom variables in your inventory or credential, and attach the Instance Group to your template(s).
Credentials#
- You will need an account in Active Directory
- Create a Credential in Tower for pulling the password
- Do not store passwords in Tower
- Use a keystore for the password reference
- Functional accounts can be used for this purpose
- The account will need to be provisioned on the Windows server as a local admin
Variables#
For example, variables to include in a Kerberos/Windows-specific inventory:
ansible_user: CHANGEME@AD.UMN.EDU
ansible_password: "{{ changeme }}"
ansible_connection: winrm
ansible_port: 5985
ansible_winrm_transport: kerberos
become_user: "System"
become_method: "runas"
Instance Group#
Request the use of the ‘Kerberos’ instance group by sending an email to devex@umn.edu listing the team members who need access to it.
The instance group can then be added to your template or set as the default for your Organization. Go to the Org page, click on the pencil icon (edit) next to your Org name, and the instance group can be set there.
This instance group will allow Tower to run with the following attributes via the krb5.conf file:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_realm = AD.UMN.EDU
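The inventory variables and the krb5.conf settings above have to agree with each other and with the rule in the Credentials section that no literal password is stored in Tower. The following lint is an added example (not UMN, Ansible Tower or AWX code) that parses both snippets and reports the mistakes that most often break Kerberos-over-WinRM or weaken it: a literal value in `ansible_password` instead of a `{{ ... }}` credential reference, a lower-case or mismatched realm in `ansible_user`, a transport other than `kerberos`, and `rdns` left at its default of `true`. The sample inputs are copied from this page; the parser only handles the flat `[libdefaults]` section shown here, not a full krb5.conf with nested `[realms]` blocks.

```python
"""Lint Tower/AWX Kerberos-over-WinRM settings (added example, not project code)."""
import configparser
import re

# Constructed sample input: the inventory variables shown on this page.
INVENTORY_VARS = """\
ansible_user: CHANGEME@AD.UMN.EDU
ansible_password: "{{ changeme }}"
ansible_connection: winrm
ansible_port: 5985
ansible_winrm_transport: kerberos
become_user: "System"
become_method: "runas"
"""

# Constructed sample input: the krb5.conf [libdefaults] shown on this page.
KRB5_CONF = """\
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_realm = AD.UMN.EDU
"""

# A password value is acceptable only if it is a Jinja reference to a variable
# (the credential or keystore lookup), never a literal secret.
JINJA_REF = re.compile(r"^\{\{\s*[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
# Kerberos user principal: user@REALM
UPN = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


def parse_vars(text):
    """Parse flat `key: value` lines (the shape used above), stripping quotes."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key.strip()] = value
    return out


def parse_krb5(text):
    """Return the [libdefaults] section as a dict (keys lower-cased by configparser)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["libdefaults"]) if cp.has_section("libdefaults") else {}


def lint(inventory_text, krb5_text):
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    v = parse_vars(inventory_text)
    k = parse_krb5(krb5_text)

    if not JINJA_REF.match(v.get("ansible_password", "")):
        findings.append('ansible_password must reference a stored credential, '
                        'e.g. "{{ changeme }}", not a literal password')

    m = UPN.match(v.get("ansible_user", ""))
    if not m:
        findings.append("ansible_user must be in user@REALM form")
    elif m.group(1) != m.group(1).upper():
        findings.append("realm in ansible_user must be upper case; Kerberos realms are case-sensitive")
    elif k.get("default_realm") and m.group(1) != k["default_realm"]:
        findings.append("realm in ansible_user does not match krb5.conf default_realm")

    if v.get("ansible_connection") != "winrm":
        findings.append("ansible_connection must be winrm")
    if v.get("ansible_winrm_transport") != "kerberos":
        findings.append("ansible_winrm_transport must be kerberos")

    # MIT krb5 defaults rdns to true; a reverse lookup would then pick the SPN host name.
    if k.get("rdns", "true").lower() != "false":
        findings.append("rdns should be false so the SPN is built from the inventory host name")
    if k.get("dns_lookup_kdc", "true").lower() != "true":
        findings.append("dns_lookup_kdc should be true so the KDC is found via DNS SRV records")
    if not k.get("default_realm"):
        findings.append("default_realm is missing from [libdefaults]")
    return findings


if __name__ == "__main__":
    for finding in lint(INVENTORY_VARS, KRB5_CONF) or ["no findings"]:
        print(finding)
```

Run it against the page's own snippets and it reports nothing; swap the credential reference for a literal string, or lower-case the realm, and the corresponding finding appears. The check does not cover whether the ticket lifetimes or `forwardable` suit your environment; those are policy decisions the page leaves to the instance group.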