diff --git a/communicator/winrm/communicator.go b/communicator/winrm/communicator.go
index 90b9fe915..fa9ee6578 100644
--- a/communicator/winrm/communicator.go
+++ b/communicator/winrm/communicator.go
@@ -62,6 +62,9 @@ func (c *Communicator) Connect(o terraform.UIOutput) error {
 params := winrm.DefaultParameters
 params.Timeout = formatDuration(c.Timeout())
+ if c.connInfo.NTLM == true {
+ params.TransportDecorator = func() winrm.Transporter { return &winrm.ClientNTLM{} }
+ }
 client, err := winrm.NewClientWithParameters(
 c.endpoint, c.connInfo.User, c.connInfo.Password, params)
@@ -78,6 +81,7 @@ func (c *Communicator) Connect(o terraform.UIOutput) error {
 " Password: %t\n"+
 " HTTPS: %t\n"+
 " Insecure: %t\n"+
+ " NTLM: %t\n"+
 " CACert: %t",
 c.connInfo.Host,
 c.connInfo.Port,
@@ -85,6 +89,7 @@ func (c *Communicator) Connect(o terraform.UIOutput) error {
 c.connInfo.Password != "",
 c.connInfo.HTTPS,
 c.connInfo.Insecure,
+ c.connInfo.NTLM,
 c.connInfo.CACert != "",
 ))
 }
@@ -209,6 +214,7 @@ func (c *Communicator) newCopyClient() (*winrmcp.Winrmcp, error) {
 },
 Https: c.connInfo.HTTPS,
 Insecure: c.connInfo.Insecure,
+ TransportDecorator: c.client.TransportDecorator,
 OperationTimeout: c.Timeout(),
 MaxOperationsPerShell: 15, // lowest common denominator
 }
diff --git a/communicator/winrm/provisioner.go b/communicator/winrm/provisioner.go
index 148204245..94e0170e1 100644
--- a/communicator/winrm/provisioner.go
+++ b/communicator/winrm/provisioner.go
@@ -37,6 +37,7 @@ type connectionInfo struct {
 Port int
 HTTPS bool
 Insecure bool
+ NTLM bool `mapstructure:"use_ntlm"`
 CACert string `mapstructure:"cacert"`
 Timeout string
 ScriptPath string `mapstructure:"script_path"`
diff --git a/terraform/eval_validate.go b/terraform/eval_validate.go
index 16bca3587..3e5a84ce6 100644
--- a/terraform/eval_validate.go
+++ b/terraform/eval_validate.go
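Review bot: In Connect, the NTLM `TransportDecorator` is installed whenever `use_ntlm` is true without looking at `c.connInfo.HTTPS`, so NTLM can end up being negotiated over plain HTTP. NTLM keeps the password itself off the wire, but as far as I can tell `winrm.ClientNTLM` only authenticates the HTTP requests and does not encrypt the WinRM payload (please confirm against the library), so commands and uploaded content would still be readable in transit, and NTLM exchanges are exposed to relay when the channel is not protected by TLS. I would log a warning when `c.connInfo.NTLM && !c.connInfo.HTTPS`, and have the `use_ntlm` entry in connection.html.markdown say that it should be paired with `https = true` and a validated certificate rather than `insecure = true`. As a style point, `if c.connInfo.NTLM == true {` reads better as `if c.connInfo.NTLM {`. Connect's body starts and ends outside the hunk.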
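Review bot: In newCopyClient, `TransportDecorator: c.client.TransportDecorator` makes the copy path depend on `c.client`, whereas every other field visible in this literal comes from `c.connInfo` or `c.Timeout()`. If newCopyClient can be reached before Connect has assigned `c.client` (not visible in this hunk), this line dereferences a nil pointer. Deriving the decorator from the configuration instead, for example through a small helper that returns the NTLM decorator when `c.connInfo.NTLM` is set and is called from both Connect and newCopyClient, removes that ordering dependency and keeps the command and copy transports in step. The function's body starts and ends outside the hunk.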
@@ -157,6 +157,7 @@ func (n *EvalValidateProvisioner) validateConnConfig(connConfig *ResourceConfig)
 // For type=winrm only (enforced in winrm communicator)
 HTTPS interface{} `mapstructure:"https"`
 Insecure interface{} `mapstructure:"insecure"`
+ NTLM interface{} `mapstructure:"use_ntlm"`
 CACert interface{} `mapstructure:"cacert"`
 }
diff --git a/website/docs/provisioners/connection.html.markdown b/website/docs/provisioners/connection.html.markdown
index 10954f4d1..b86b2fea4 100644
--- a/website/docs/provisioners/connection.html.markdown
+++ b/website/docs/provisioners/connection.html.markdown
@@ -92,6 +92,8 @@ provisioner "file" {
 * `insecure` - Set to `true` to not validate the HTTPS certificate chain.
+* `use_ntlm` - Set to `true` to use NTLM authentication, rather than default (basic authentication), removing the requirement for basic authentication to be enabled within the target guest. Further reading for remote connection authentication can be found [here](https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx).
+
 * `cacert` - The CA certificate to validate against.