Packer: WinRM connection err: http response error: 401 - invalid content type

Created on 6 Apr 2020 · 8Comments · Source: hashicorp/packer

I am trying to build a packer using CIS benchmark hardened image "CIS Microsoft Windows Server 2016 Benchmark v1.1.0.9 Level 1*" however, i am getting below error as;

"WinRM connection err: http response error: 401 - invalid content type"

WinRM is able to connect to packer for non hardened windows image.

Packerlog error-->

2020/04/06 15:55:38 packer: 2020/04/06 15:55:38 [DEBUG] connecting to remote shell using WinRM
2020/04/06 15:55:39 packer: 2020/04/06 15:55:39 [ERROR] connection error: http response error: 401 - invalid content type
2020/04/06 15:55:39 packer: 2020/04/06 15:55:39 [ERROR] WinRM connection err: http response error: 401 - invalid content type

'packer-existing' userdata -->

<powershell>
# swap WinRM on to port 22
Set-Item WSMan:\localhost\Listener\*\Port 22 -Force
Set-Item WSMan:\localhost\Service\AllowUnencrypted True
Set-Item WSMan:\localhost\Service\Auth\Basic True
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -Value 2 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name 'NTLMMinServerSec' -Value 536870912 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="2048"}'
winrm set winrm/config/winrs '@{MaxConcurrentUsers="100"}'
winrm set winrm/config/winrs '@{MaxProcessesPerShell="0"}'
winrm set winrm/config/winrs '@{MaxShellsPerUser="0"}'
winrm set winrm/config '@{MaxTimeoutms="7200000"}'
winrm set winrm/config/service/auth '@{CredSSP="true"}'
winrm set winrm/config/client '@{TrustedHosts="*"}'
Restart-Service WinRm
New-NetFirewallRule -DisplayName "Allow WinRM on 22" -Direction Inbound -Protocol TCP -LocalPort 22

# create a temporary 'packer' user
NET USER packer ******* /add /y
NET LOCALGROUP Administrators packer /add
</powershell>

packer.json -->

"builders": [{
    "type": "amazon-ebs",
    "ami_name": "Windows Server-2016 RCM",
    "instance_type": "r5.2xlarge",
    "region": "eu-west-1",
    "ami_description": "Windows Server-2016 RCM CIS Benchmark Build",
    "force_deregister": true,
    "force_delete_snapshot": true,
    "communicator": "winrm",
    "winrm_timeout": "12h",
    "winrm_username": "Administrator",
    "winrm_port": 22,
    "winrm_use_ntlm": true,
    "user_data_file": "packer-existing",
    "iam_instance_profile": "dev-instance-profile-InstanceProfile-P7313RT89GS5",
    "source_ami_filter": {
      "filters": {
          "name": "CIS Microsoft Windows Server 2016 Benchmark v1.1.0.9 Level 1*"
        },
        "owners": ["679593333241"],
        "most_recent": true
    },

Kindly advise.

communicatowinrm question

Source

sagar89jadhav

All 8 comments

hi @sagar89jadhav thanks for reaching out. Harden images generally pose issues when it comes to connecting via WinRM as there are policies in place to prevent the connection. A user recently ran into a similar issue that may be applicable to you - https://github.com/hashicorp/packer/issues/8658#issuecomment-606845986

Please take a look at the suggestion to see if that resolves the issue for you.

If you end up needing more help with this kind of initial configuration, the mailing list or community forum are generally more useful. Issues opened here on the Packer issue tracker are only viewed by a small handful of developers who work on the tool, and we don't always have the most depth or experience when it comes to custom issues with particular build configurations.

Cheers!

nywilken on 6 Apr 2020

May I ask you which Packer version you're using?

sylviamoss on 6 Apr 2020

Thanks @nywilken. I will go through it and update.

@sylviamoss, packer version is 1.2.4

sagar89jadhav on 6 Apr 2020

@sagar89jadhav I thought you were using another builder so I deleted my previous comment because I was talking about something else. Anyways, have you tried updating your Packer version?

sylviamoss on 7 Apr 2020

@sylviamoss, yes i have upgraded packer from 1.2.4 to 1.5.5 but still getting same error as

2020/04/07 19:28:53 packer-builder-amazon-ebs plugin: [DEBUG] connecting to remote shell using WinRM
2020/04/07 19:28:53 packer-builder-amazon-ebs plugin: [ERROR] connection error: http response error: 401 - invalid content type
2020/04/07 19:28:53 packer-builder-amazon-ebs plugin: [ERROR] WinRM connection err: http response error: 401 - invalid content type

sagar89jadhav on 7 Apr 2020

I think the CIS image requires SSL, meaning you need to set the below option, and you need to have a certificate. I'm adding a basic build of a windows 2016 CIS hardened image to a gist for you. If you don't have a certificate from a CA, you can create a self-signed one (shown in the linked gist), but you'll also have to add "winrm_insecure" to make sure the client doesn't complain about the cert being self-signed.

"winrm_use_ssl": true

Here's a working example: https://gist.github.com/SwampDragons/a0044e88c614a507a533ee9323cf8e0c

Since this is to do with configuration and not a bug with Packer, I'm going to close. But do reach out to the community if you need more help getting set up. Thanks!

SwampDragons on 8 Apr 2020

👍1

Thanks a lot @SwampDragons. I tested the packer userdata and recommended WinRM configuration mentioned in the above link and it worked.
Thanks again for all your support on this.

sagar89jadhav on 9 Apr 2020

👍1

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.