Knife Windows WinRM Woes and Upgrading Chef Client On Windows - chef-boneyard/chef-summit-2014 GitHub Wiki

Knife-Windows WinRM Woes and Upgrading Chef Client On Windows

Thursday, Strategy, 14:00

  • Convener / Facilitator - Unknown
  • Note taker - Non-existent

Participants

Summary of Discussions

Do you use Chef to join Windows boxes to AD?

If so, take a look at the windows_ad cookbook on Supermarket. It's actively maintained by Texas A&M.

knife-windows 0.8.0 is broken

Why? In trying to make things more secure, a scenario was missed. Basically, you have to use the lowest common denominator for security settings if you have a mixed environment. If you are only bootstrapping Windows nodes from other Windows nodes, you can use the default WinRM security settings. The minute you change the server to AllowUnencrypted traffic, all the clients need to switch to using that as well.

There is a fix going out this evening. Now, in order for Negotiate security and built-in encryption to be leveraged, you need to specify the user name in the domain\user pattern. This tells knife winrm to use Negotiate, which will end up using Kerberos or NTLM for auth and the encryption built into the WinRM protocol for payload data. If you pass just the user name to knife winrm, it will default to Basic auth with unencrypted traffic. It is then up to you to set up SSL on the WinRM endpoints.
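To check how these two rules interact on a given endpoint, the following added example (not from the session notes or from knife-windows itself) parses the output of `winrm get winrm/config` and reports what a connection with a given user name would rely on. The sample output, the finding codes and the `ssl` parameter are assumptions made for illustration.

```python
# Constructed, trimmed sample of `winrm get winrm/config` output (not from the page).
SAMPLE_CONFIG = """\
Config
    MaxEnvelopeSizekb = 500
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
            Negotiate = true
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
"""

def parse_winrm_config(text):
    """Flatten the indented listing into {'Config/Service/Auth/Basic': 'true', ...}."""
    settings, stack = {}, []  # stack holds (indent, section name) for open sections
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # we have left one or more nested sections
        key, sep, value = line.strip().partition(" = ")
        if sep:
            settings["/".join([name for _, name in stack] + [key])] = value.strip()
        else:
            stack.append((indent, key))  # a line without '=' opens a section
    return settings

def auth_mode(username):
    """Per the notes: domain\\user selects Negotiate, a bare user name means Basic."""
    return "negotiate" if "\\" in username else "basic"

def audit(username, settings, ssl=False):
    """Return (auth mode, finding codes) for one connection; `ssl` is an assumed input."""
    def service(key):
        return settings.get("Config/Service/" + key, "false").lower() == "true"
    mode, findings = auth_mode(username), []
    if mode == "basic" and not ssl:
        findings.append("BASIC_WITHOUT_ENCRYPTION")    # credentials and payload unprotected
        if not (service("Auth/Basic") and service("AllowUnencrypted")):
            findings.append("ENDPOINT_WILL_REFUSE")    # hardened endpoint rejects this
    if service("AllowUnencrypted"):
        findings.append("SERVICE_ALLOWS_UNENCRYPTED")  # lowest common denominator in effect
    return mode, findings
```

Run `audit` against the configuration of each endpoint you bootstrap; any `SERVICE_ALLOWS_UNENCRYPTED` finding marks a node that was weakened to accommodate Basic auth clients.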

How do I upgrade Chef Client on Windows?

On other platforms, there are native package repositories. There is a Chocolatey package repo, but someone is already squatting on [chef-client](https://chocolatey.org/packages/chef-client) in that repository.

Create your own repo and packages

Use Chef to register scheduled tasks to update chef-client.
