Note: This plugin is only compatible with vagrant >= 1.7.4. Future versions of Vagrant will provide this functionality natively.

A Vagrant communicator that uses the winrm-s gem to communicate over winrm. Notably, allows for SSPI authentication of domain accounts when using a Windows host.


$ vagrant plugin install vagrant-winrm-s

Or, to install and test a locally-developed version:

$ rake install


Vargrant-WinRM-S uses the :winrm communicator built in to vagrant as its base, so existing Vagrantfiles should continue to work with this plugin.

The extra configuration value that gets exposed is config.winrm.transport. The default transport is :plaintext. This is for basic authentication of local accounts over HTTP. The plugin exposes the :sspinegotiate transport from the winrm-s gem in order to do Negotiate authentication of domain accounts (still only over HTTP).

An example Vagrant communicator block for :sspinegotiate would look something like:

config.vm.provision "shell", inline: "echo Hello, World!"
config.vm.communicator = :winrm
config.winrm.username = "domain\\auser"
config.winrm.password = "[email protected]!"
config.winrm.transport = :sspinegotiate

What about the SSL transport?

The :ssl transport is available and can be used to authenticate local accounts. Vagrant supports SSL with/without self-signed certs out of the box as of 1.7.3. vagrant-winrm-s is no longer necessary to use this transport.

Just ensure you set config.winrm.ssl_peer_verification to false for self-signed certs.

Setting up your server

For authentication of local accounts over HTTP, the winrm quickconfig command should suffice. This will enable the HTTP listener for basic authentication.

In order to connect via the :plaintext transport, you should ensure that winrm/config/service/auth/Basic and winrm/config/service/AllowUnencrypted are enabled.

winrm set winrm/config/service/auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}

For the :sspinegotiate transport, ensure winrm/config/service/auth/Negotiate is true and winrm/config/service/AllowUnencrypted is false.

winrm set winrm/config/service/auth @{Negotiate="true"}
winrm set winrm/config/service @{AllowUnencrypted="false"}

See also:


  1. Fork it ( )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request