astra has an ansible setup for managing windows machines. the goal: run a workstation role that installs a standard set of software via chocolatey. should be simple.

layer one: kerberos

ansible uses kerberos for windows auth by default. kerberos requires clocks to be within 5 minutes of each other. the domain controller was 20 minutes behind. every auth attempt: “Clock skew too great.”

workaround: switch to NTLM auth over HTTP:

ansible_winrm_transport: ntlm
ansible_port: 5985
ansible_winrm_scheme: http

NTLM encrypts the payload even over HTTP, so this is fine on a trusted network. not ideal long-term — should fix the DC clock and switch back to kerberos.

layer two: WinRM

WinRM HTTPS (port 5986) wasn’t reachable. WinRM HTTP (port 5985) was. SSH (port 22) wasn’t. once NTLM+HTTP was configured, connections worked.

also needed OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES on macOS — python’s fork safety kills ansible’s worker processes on apple silicon.

layer three: chocolatey

wrote a task to install 23 packages. first attempt: loop through packages one at a time. it hung after 80 minutes with only 10 installed.

fixed by switching to batch mode (single win_chocolatey call with a list), adding a 1-hour timeout, and increasing WinRM timeouts:

ansible_winrm_operation_timeout_sec: 120
ansible_winrm_read_timeout_sec: 180

second attempt completed in 11 minutes, all 23 packages installed.

layer four: the 429

ran a --check --diff dry run on another machine. chocolatey community repo returned “429 Too Many Requests” for git.install, which failed the entire task.
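putting the three workarounds and a retry for the 429 into one play, as an added example (this is not the playbook from the post; the host group, package names, retry counts and delays are assumptions):

```yaml
# Added example, not the original post's playbook. Host group, package list
# and timing values are assumptions; the connection settings and WinRM
# timeouts are the ones the post arrived at.
- name: provision windows workstation
  hosts: workstations
  gather_facts: false

  vars:
    # NTLM over WinRM HTTP while the DC clock is wrong (layers one and two).
    # NTLM still encrypts the message payload, but this belongs on a trusted
    # network only; revert to kerberos once the DC clock is corrected.
    ansible_connection: winrm
    ansible_winrm_transport: ntlm
    ansible_port: 5985
    ansible_winrm_scheme: http
    # longer WinRM timeouts so a long chocolatey run does not drop the session
    ansible_winrm_operation_timeout_sec: 120
    ansible_winrm_read_timeout_sec: 180

    # constructed sample list; the post installs 23 packages
    workstation_packages:
      - git.install
      - 7zip
      - vscode
      - firefox

  tasks:
    - name: ensure chocolatey itself is present
      chocolatey.chocolatey.win_chocolatey:
        name: chocolatey
        state: present

    # one call with a list instead of a per-package loop: chocolatey resolves
    # and installs everything in a single session (the post's batch mode)
    - name: install workstation packages in one batch
      chocolatey.chocolatey.win_chocolatey:
        name: "{{ workstation_packages }}"
        state: present
        timeout: 3600          # 1-hour execution timeout for the whole batch
      register: choco_result
      # the community repo rate-limits with 429; back off and retry instead of
      # failing the whole task on the first hit (layer four)
      until: choco_result is succeeded
      retries: 3
      delay: 120
```

run the dry run the same way as before (`ansible-playbook -i inventory workstation.yml --check --diff`); chocolatey still contacts the repo in check mode, so the retry applies there too. if one package keeps returning 429 after the retries the task still fails as a whole, so splitting the list into a must-have batch and a nice-to-have batch keeps a rate-limited optional package from failing the provisioning run.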

at this point i stopped adding layers and called it done. 23 packages installed, workstation provisioned, three workarounds documented for future-me.

each layer peeled back to reveal another. homelabs are fractal.