How can Jenkins on Linux do builds to Windows servers securely without A.D.?

This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 1 year ago.

  • #50252


    I am running Jenkins 1.6 on Linux (CentOS 7.2 specifically). I have several Windows 2012 servers without A.D. I connect to the Windows machines with local credentials. I have configured a development environment with Python and WinRM on the Linux server. For production my configuration will not work because WinRM is not encrypted. If you can encrypt it without A.D., please let me know how.

    How do I securely have Jenkins initiate builds on Windows machines without A.D.? I think my requirement of not having A.D. rules out Kerberos. (This link says that both the Linux and Windows servers must be part of the domain. I read elsewhere that it is inadvisable to join a Linux server to an A.D. domain.) How do I use encryption?

    Pywinrm can be encrypted if I use SSL according to this link. How do I use SSL to use pywinrm? It won't matter if you have another solution for me.

    On the Windows server that I set up with Jenkins, I tried to harden it to simulate production requirements: I used this command (from a command prompt opened as Administrator):

    winrm set winrm/config/service @{AllowUnencrypted="false"}

    But this made my Jenkins builds break with an error like this:

    winrm.exceptions.UnauthorizedError: 401 Unauthorized

    My Jenkins builds use Python code with the authentication hard coded in them. I cannot have plaintext passwords in production. But they do work for interacting with Windows machines (from a Jenkins installation running on Linux).

    My Jenkins build worked until I changed the AllowUnencrypted setting on the Windows server. So I know the credentials worked. The password must be encrypted during transit across the network from the Jenkins instance to the Windows servers.

    If there is not a way to encrypt WinRM from the Linux/Jenkins server without A.D., what are my options for Jenkins pushing builds (running PowerShell commands) in a secure way in production?

  • #52171

    Don Jones

    So, this isn't a Jenkins support forum, and you may well have better luck asking on a site that works more closely with that product, but I'll give it a whirl.

    If you've only permitted HTTPS traffic for WinRM, then whatever is initiating the connection needs to know to do that. WinRM has no dependencies on AD that I'm aware of; I think you may be conflating two unrelated things. Unfortunately, I don't know anything about pywinrm. I do know that if a node is set up to only receive encrypted connections over WinRM, then that node must have a valid SSL certificate connected to WinRM, and anyone connecting to that node must explicitly do so over SSL.
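The server-side setup Don describes (a certificate bound to a WinRM HTTPS listener, with the plaintext listener gone), as an added example that is not part of the thread: run it in an elevated PowerShell session on the workgroup Windows build node. The host name 'build01.example.internal' and port 5986 are assumed placeholders, and the self-signed certificate stands in for one issued by your own CA.

```powershell
# Added example (not from the thread): accept only TLS-protected WinRM on a
# workgroup Windows Server. Run in an elevated PowerShell session on the node.
$dnsName = 'build01.example.internal'   # placeholder; must match the name clients connect to

# 1. A certificate whose subject matches the DNS name the Jenkins side will use.
#    In production, issue this from your own CA and import it; a self-signed
#    certificate is used here only so the example is self-contained. The Linux
#    client must trust the issuing certificate to validate the server.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Bind the certificate to a WinRM HTTPS listener (TCP 5986).
New-Item -Path 'WSMan:\localhost\Listener' -Transport HTTPS -Address * `
         -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# 3. Remove the plaintext HTTP listener so nothing can fall back to it,
#    and reject unencrypted payloads at the service level as well
#    (the same setting the question changed with winrm.cmd).
Get-ChildItem 'WSMan:\localhost\Listener' |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force
Set-Item 'WSMan:\localhost\Service\AllowUnencrypted' -Value $false

# 4. Open only the HTTPS port in the host firewall.
New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
                    -LocalPort 5986 -Action Allow | Out-Null

# 5. Verify: the only listener left should be HTTPS with the expected thumbprint.
Get-ChildItem 'WSMan:\localhost\Listener' | ForEach-Object {
    Get-ChildItem $_.PSPath | Select-Object Name, Value
}
```

On the Jenkins side the client then has to target https://build01.example.internal:5986/wsman explicitly and keep server certificate validation enabled with the CA certificate in its trust path; pywinrm's Session takes these as the server_cert_validation and ca_trust_path arguments.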
