WinRM negociation hangs forever after installing Active Directory Services

[0xfalafel]

Overview

When vagrant is used to install Active Directory on a Windows Server. The connection will hang forever at the winrmshell Transport: negotiate step after the command Install-ADDSForest.

It seems to be an old "know bug", with workarounds, that was never reported.

Debug output

https://gist.github.com/0xfalafel/1568c6da17893e4fd22f59b739fcf47a

Vagrant hangs forever at the end of the provisioning.ps1 script.

Expected behavior

The installation should continue to the next step after the provisioning script.

Actual behavior

The provisioning script never returns and hangs after the Install-ADDSForest powershell command.

Workaround

There is a google group discussion that mention as a workaround to change the WinRM configuration:

You can add the following lines to your Vagrantfile configuration:

cfg.winrm.transport = :plaintext
cfg.winrm.basic_auth_only = true

Reproduction information

To test it with an actual project. You can test this repository https://github.com/bitfrickler/vagrant-active-directory-2016/tree/master, and remove the lines 19:20 of the Vagrantfile.

Otherwise, a minimal configuration is provided below.

Vagrant version

❯ vagrant -v       
Vagrant 2.4.1

Host operating system

A Linux distribution based on Ubuntu 22.04.

❯ cat /etc/os-release 
PRETTY_NAME="elementary OS 7.1 Horus"
NAME="elementary OS"
CPE_NAME="cpe:/o:elementary:elementary_os:7.1"
VERSION_ID="7.1"
VERSION="7.1 Horus"
VERSION_CODENAME=horus
ID=elementary
ID_LIKE="ubuntu debian"
HOME_URL="https://elementary.io/"
DOCUMENTATION_URL="https://elementary.io/docs/learning-the-basics"
SUPPORT_URL="https://elementary.io/support"
BUG_REPORT_URL="https://docs.elementary.io/contributor-guide/feedback/reporting-issues"
PRIVACY_POLICY_URL="https://elementary.io/privacy-policy"
UBUNTU_CODENAME=jammy
UBUNTU_PRETTY_NAME="Ubuntu 22.04.3 LTS"
UBUNTU_NAME="Ubuntu"
UBUNTU_VERSION_ID="22.04"
UBUNTU_VERSION="22.04.3 LTS (Jammy Jellyfish)"
UBUNTU_VERSION_CODENAME=jammy

Guest operating system

Windows 2022 server

config.vm.box = "StefanScherer/windows_2022"

Steps to reproduce

1. Paste the provided Vagrantfile and provision.ps1 script in a folder.
2. Run vagrant up in the folder.
3. Vagrant hangs at the winrm negotiation.

Vagrantfile

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|

  # Base box image
  config.vm.box = "StefanScherer/windows_2022"

  # Uncomment the two following config lines for a workaround

  # use the plaintext WinRM transport and force it to use basic authentication.
  # NB this is needed because the default negotiate transport stops working
  #    after the domain controller is installed.
  #    see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
  # config.winrm.transport = :plaintext
  # config.winrm.basic_auth_only = true


  # Provision the VM
  config.vm.provision "shell", path: "provision.ps1", privileged: false
  config.vm.provision "shell", reboot: true # <-- this step is never reached
end

provision.ps1

# Install Active Directory Domain Services
if ((Add-WindowsFeature AD-Domain-Services -IncludeManagementTools).Success -eq 'True') {
    Write-Host "[+] Installed Active Directory Domain Services."
} else {
    Write-Error "[-] Failed to install Active Directory Domain Services." -Category NotInstalled
}

# Change the password of the local admin
$adminPass = ConvertTo-SecureString "GrignotsForever<3" -AsPlainText -Force
$admin = Get-LocalUser -Name Administrator
$admin | Set-LocalUser -Password $adminPass
Write-Host "[+] Uptaded local admin password" # This is required to setup the Active Directory

# Create a Forest
if ((gwmi win32_computersystem).partofdomain -eq $true) {
    Write-Host "[*] domain is already installed"
} else {
    $safeModePass = ConvertTo-SecureString "GrignotsForever<3" -AsPlainText -Force
    Install-ADDSForest -DomainName 'poudlard.wizard' -InstallDNS -SafeModeAdministratorPassword $safeModePass -Force -NoRebootOnCompletion
}