terraform windows server 2016 in Azure and domain join issue logging in to domain with network level authentication error message

huangapple go评论69阅读模式
英文:

terraform windows server 2016 in Azure and domain join issue logging in to domain with network level authentication error message

问题

我成功地让一个Windows Server 2016启动并加入了域。然而,当我尝试远程桌面登录时,它报错说网络级别身份验证出错。大概是关于域控制器无法联系到执行网络级别身份验证(NLA)所需的问题。

我看到了一些关于解决方法的视频,链接为https://www.bing.com/videos/search?q=requires+network+level+authentication+error&docid=608000415751557665&mid=8CE580438CBAEAC747AC8CE580438CBAEAC747AC&view=detail&FORM=VIRE。

有没有办法在使用terraform的时候提前处理这个问题?

我使用以下代码加入域:

    name = "domjoin"
    virtual_machine_id = azurerm_windows_virtual_machine.vm_windows_vm.id
    publisher = "Microsoft.Compute"
    type = "JsonADDomainExtension"
    type_handler_version = "1.3"
    settings = <<SETTINGS
    {
    "Name": "mydomain.com",
    "User": "mydomain.com\\myuser",
    "Restart": "true",
    "Options": "3"
    }
    SETTINGS

    protected_settings = <<PROTECTED_SETTINGS
    {
    "Password": "${var.admin_password}"
    }
    PROTECTED_SETTINGS
    depends_on = [ azurerm_windows_virtual_machine.vm_windows_vm ]

在这个domjoin的代码中,我是否需要添加一些选项?

我可以用本地管理员账户成功登录。我看到服务器已经连接到域。对域进行的nslookup显示了一个IP地址,该地址可以通过防火墙规则访问,所以它能够连接到域控制器。

英文:

I successfully got a windows server 2016 to come up and join the domain. However, when I go to remote desktop login it throws an error about network level authentication. Something about domain controller cannot be contacted to perform Network Level Authentication (NLA).

I saw some video on work arounds at https://www.bing.com/videos/search?q=requires+network+level+authentication+error&amp;docid=608000415751557665&amp;mid=8CE580438CBAEAC747AC8CE580438CBAEAC747AC&amp;view=detail&amp;FORM=VIRE.

Is there a way to address this with terraform and up front instead?

To join domain I am using:

    name = &quot;domjoin&quot;
    virtual_machine_id = azurerm_windows_virtual_machine.vm_windows_vm.id
    publisher = &quot;Microsoft.Compute&quot;
    type = &quot;JsonADDomainExtension&quot;
    type_handler_version = &quot;1.3&quot;
    settings = &lt;&lt;SETTINGS
    {
    &quot;Name&quot;: &quot;mydomain.com&quot;,
    &quot;User&quot;: &quot;mydomain.com\\myuser&quot;,
    &quot;Restart&quot;: &quot;true&quot;,
    &quot;Options&quot;: &quot;3&quot;
    }
    SETTINGS

    protected_settings = &lt;&lt;PROTECTED_SETTINGS
    {
    &quot;Password&quot;: &quot;${var.admin_password}&quot;
    }
    PROTECTED_SETTINGS
    depends_on = [ azurerm_windows_virtual_machine.vm_windows_vm ]

Is there an option I should add in this domjoin code perhaps?

I can log in with my local admin account just fine. I see the server is connected to the domain. A nslookup on the domain shows an ip address that was configured to be reachable by firewall rules, so it can reach the domain controller.

答案1

得分: 1

看起来可能有一些设置可以帮助解决问题,详见这里,可能需要的只是在你的domjoin设置块内加入以下内容:

&quot;EnableCredSspSupport&quot;: &quot;true&quot;

你可能还需要在服务器端的注册表中进行一些操作,可以使用remote-exec来完成。

例如,类似以下的操作:

resource &quot;azurerm_windows_virtual_machine&quot; &quot;example&quot; {
  # ... (其他配置)

  provisioner &quot;remote-exec&quot; {
    inline = [
      &quot;echo 更新 Windows...&quot;,
      &quot;powershell.exe -Command \&quot;&amp; {Get-WindowsUpdate -Install}\&quot;&quot;,
      &quot;echo Windows 更新完成。&quot;
    ]

    connection {
      type        = &quot;winrm&quot;
      user        = &quot;adminuser&quot;
      password    = &quot;SuperSecurePassword1234!&quot;
      timeout     = &quot;30m&quot;
    }
  }
}

为了在注册表中设置正确的键,你可能需要在remote-exec块中使用类似以下的命令(我没有验证这段代码):

Set-ItemProperty -Path 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-tcp' -Name 'SecurityLayer' -Value 0

为了使Terraform配置更清晰,我建议使用Powershell脚本的模板,详见这里

希望能帮到你。

英文:

Seems like there might be some settings that could help out, see here, possibly all that is needed might be:
&quot;EnableCredSspSupport&quot;: &quot;true&quot; inside your domjoin settings block.

You might also need to do something with the registry on the server side, which can be done by using remote-exec.

For example something like:

resource &quot;azurerm_windows_virtual_machine&quot; &quot;example&quot; {
  name                  = &quot;example-vm&quot;
  location              = azurerm_resource_group.example.location
  resource_group_name   = azurerm_resource_group.example.name
  network_interface_ids = [azurerm_network_interface.example.id]
  vm_size               = &quot;Standard_DS1_v2&quot;

  storage_image_reference {
    publisher = &quot;MicrosoftWindowsServer&quot;
    offer     = &quot;WindowsServer&quot;
    sku       = &quot;2019-Datacenter&quot;
    version   = &quot;latest&quot;
  }

  storage_os_disk {
    name              = &quot;example-os-disk&quot;
    caching           = &quot;ReadWrite&quot;
    create_option     = &quot;FromImage&quot;
    managed_disk_type = &quot;Standard_LRS&quot;
  }

  os_profile {
    computer_name  = &quot;example-vm&quot;
    admin_username = &quot;adminuser&quot;
    admin_password = &quot;SuperSecurePassword1234!&quot;
  }

  os_profile_windows_config {
    provision_vm_agent = true
  }

  provisioner &quot;remote-exec&quot; {
    inline = [
      &quot;echo Updating Windows...&quot;,
      &quot;powershell.exe -Command \&quot;&amp; {Get-WindowsUpdate -Install}\&quot;&quot;,
      &quot;echo Done updating Windows.&quot;
    ]

    connection {
      type        = &quot;winrm&quot;
      user        = &quot;adminuser&quot;
      password    = &quot;SuperSecurePassword1234!&quot;
      timeout     = &quot;30m&quot;
    }
  }
}

In order to set the correct keys in the registry you might need something like this inside the remote-exec block (I have not validated this code) :

Set-ItemProperty -Path &#39;HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-tcp&#39; -Name &#39;SecurityLayer&#39; -Value 0

In order to make the Terraform config cleaner I would recommend using templates for the Powershell script, see here

Hope this helps

huangapple
  • 本文由 发表于 2023年2月10日 03:36:13
  • 转载请务必保留本文链接:https://go.coder-hub.com/75403604.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定