Enabling CredSSP for Ansible and Windows

Testing Ansible and Windows for a few months, we ran into a number of issues with security and eventually had to enable CredSSP in order to get round a number of security issues, including the Double Hop Authentication issue. We first experienced this trying to install SQL 2016. We use Ansible, CloudFormation (AWS) and PowerShell scripts to provision our servers, and the following snippets may help those on a similar path.

Configure Ansible for WinRM and Enable CredSSP on Client

As part of the EC2 provisioning we enable Ansible with the following snippet in the cfn configset section:

   "commands" : {
      "1-winrm" : {
        "command" : {"Fn::Join" : ["",["powershell.exe -Command Invoke-Expression ((New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))\n"]]}
      },
      "2-enable-credssp" : {
        "command" : {"Fn::Join" : ["",["powershell.exe -Command Enable-WSManCredSSP -Role Server -Force\n"]]}
      },
      "3-enable-credssp" : {
        "command" : {"Fn::Join" : ["",["powershell.exe -Command Set-Item -Path \"WSMan:\\localhost\\Service\\Auth\\CredSSP\" -Value $true\n"]]}
      }
   }
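The following audit script is an added example, not part of the original post: run on the Windows host after the configset above, it reads back the service-side CredSSP flag that step 3 sets and the WinRM listeners it is exposed on, so you can confirm the credssp transport is only reachable over the HTTPS listener on 5986 that the Ansible configuration targets. The function name and the finding strings are assumptions of this example; the cmdlets and WSMan provider paths are standard Windows PowerShell.

```powershell
# Added verification script (not from the original post). Assumes it runs
# in an elevated Windows PowerShell session on the WinRM server itself.
function Test-CredSspServerConfig {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ServiceCredSspEnabled = $false
        HttpsListenerPresent  = $false
        HttpListenerPresent   = $false
        Findings              = @()
    }

    # Service-side switch written by the "3-enable-credssp" step above
    $credssp = Get-Item -Path 'WSMan:\localhost\Service\Auth\CredSSP'
    $result.ServiceCredSspEnabled = [bool]::Parse($credssp.Value)
    if (-not $result.ServiceCredSspEnabled) {
        $result.Findings += 'CredSSP server role is not enabled; the credssp transport will fail.'
    }

    # Enumerate listeners: the Ansible group_vars use port 5986 (HTTPS)
    foreach ($listener in Get-ChildItem -Path 'WSMan:\localhost\Listener') {
        $props     = Get-ChildItem -Path $listener.PSPath
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        $port      = ($props | Where-Object Name -eq 'Port').Value
        switch ($transport) {
            'HTTPS' { $result.HttpsListenerPresent = $true }
            'HTTP'  {
                $result.HttpListenerPresent = $true
                # CredSSP hands the full credential to the server, so flag any
                # listener that offers no server certificate the client can check.
                $result.Findings += "HTTP listener on port $port exposes CredSSP without a verifiable server identity."
            }
        }
    }
    if (-not $result.HttpsListenerPresent) {
        $result.Findings += 'No HTTPS listener found; ansible_port 5986 will not be reachable.'
    }
    [pscustomobject]$result
}

# Example run: print the summary and return non-zero when anything was flagged
$audit = Test-CredSspServerConfig
$audit | Format-List
if ($audit.Findings.Count -gt 0) { exit 1 }
```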

Enable WinRM and CredSSP in Ansible

Within our Ansible scripts under group_vars/all.yml we enable WinRM (as opposed to SSH) for our Windows builds:

ansible_port: 5986
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ (or any older Python that has backported SSLContext, eg, Python 2.7.5 on RHEL7) when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore

# Enabling CredSSP to fix double hop install issues with SQL (RL 24/11/2017)
ansible_winrm_transport: credssp

become_method: runas

Our gotcha was using CredSSP as opposed to credssp (lowercase) in the Ansible file above.