Kerberos authentication for the PowerShell plugin in vCO 5.5

The ability to have vCO kick off PowerShell scripts is pretty awesome! And the fact that you can kick these off contextually inside of the vSphere Web Client is even more awesome! Even more awesome than that (yes, that’s a lot of awesome) are the new features offered with vCenter Orchestrator 5.5, so I’ve taken the plunge on one of my environments and upgraded. Since then I’ve been slowly migrating workflows over, one of which utilized the PowerShell plug-in. Since the appliance mode of vCO requires you to do a rip and replace rather than an upgrade (because I’m using the embedded database), I had to reinstall the PS plugin, which forced me to reconfigure the Kerberos settings on vCO. During this I realized that things are a little bit different from when I first blogged about vCO and PowerShell. Below is how I got it to work…

First up is the WinRM setup on your PowerShell host. This process hasn’t changed from 5.1, but I’ll still include the steps and commands that need to be run below. Remember that these are to be executed on the Windows box that you wish to run the PowerShell script from.

  • To create a WinRM listener and open any required firewall ports:
    winrm quickconfig
  • To enable Kerberos authentication:
    winrm set winrm/config/service/auth @{Kerberos="true"}
  • To allow transfer of unencrypted data:
    winrm set winrm/config/service @{AllowUnencrypted="true"}
  • To up the max memory per shell (I needed to do this to get things working):
    winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}

Now on to the krb5.conf file, which is where things get a bit different. In vCO 5.1 we were required to edit the krb5.conf file located in /opt/vmo/jre/lib/security/. If you go looking for that directory on 5.5 you won’t find it. Instead, we need to create our krb5.conf file in /usr/java/jre-vmware/lib/security/. The contents of the file are the same as before and are listed below (obviously substituting your own domain for lab.local and your own DC for the kdc definition).

[libdefaults]
default_realm = LAB.LOCAL
# a limit of 1 forces TCP for KDC traffic
udp_preference_limit = 1

[realms]
LAB.LOCAL = {
kdc = dc.LAB.LOCAL
default_domain = LAB.LOCAL
}

# maps DNS domains to the Kerberos realm
[domain_realm]
.lab.local=LAB.LOCAL
lab.local=LAB.LOCAL

After you have saved the file in the proper directory we need to modify the permissions.  The following line should get you the proper permissions to get everything working.

chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf

Just a few other notes! You might want to modify your /etc/hosts file and be sure that you are able to resolve the FQDNs of both your DC and the PowerShell host you plan to use. Also, when adding the PowerShell host, be sure to select Kerberos as your authentication type and enter your credentials using the ‘[email protected]’ format.
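An added example, not part of the original post: a small Python check for the krb5.conf steps above. It verifies the 644 mode, that the default realm has a kdc under [realms], that the kdc name resolves, and that domain mappings point at a defined realm. The function names, the stub resolver and the sample text are assumptions made for illustration.

```python
import os, re, socket, stat, tempfile
# Constructed sample built from the page's LAB.LOCAL placeholder values.
SAMPLE = ("[libdefaults]\ndefault_realm = LAB.LOCAL\n[realms]\nLAB.LOCAL = {\n"
          "kdc = dc.LAB.LOCAL\n}\n[domain_realm]\n.lab.local=LAB.LOCAL\n")

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}."""
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line and line[0] not in "#;":
            key, val = (part.strip() for part in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            else:  # a repeated key (several kdc lines) keeps the last one
                (section if block is None else block)[key] = val
    return conf

def check_krb5(path, resolve=socket.gethostbyname):
    """Return a list of problems with the krb5.conf at `path` (empty = OK)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = [] if mode == 0o644 else [f"mode is {mode:o}, expected 644"]
    with open(path) as fh:
        conf = parse_krb5(fh.read())
    realms = conf.get("realms", {})
    realm = conf.get("libdefaults", {}).get("default_realm")
    entry = realms.get(realm)
    kdc = entry.get("kdc") if isinstance(entry, dict) else None
    if not kdc:
        problems.append(f"no kdc for default_realm {realm!r} in [realms]")
    else:
        try:
            resolve(kdc.split(":")[0])  # kdc may carry a :port suffix
        except OSError:
            problems.append(f"cannot resolve kdc {kdc}")
    problems += [f"{d} maps to undefined realm {t}"
                 for d, t in conf.get("domain_realm", {}).items() if t not in realms]
    return problems

if __name__ == "__main__":  # offline demo: constructed sample, stub resolver
    with tempfile.NamedTemporaryFile("w", suffix=".conf") as tmp:
        tmp.write(SAMPLE)
        tmp.flush()
        os.chmod(tmp.name, 0o644)
        print(check_krb5(tmp.name, resolve=lambda host: "192.0.2.10") or "OK")
```

On the appliance, call check_krb5("/usr/java/jre-vmware/lib/security/krb5.conf") with the default resolver so the kdc lookup goes through /etc/hosts and DNS.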

For now, that should get you automating like a champ!


  • Richpo

    Thanks for pulling this together. One problem I had was I used PowerShell to run the WinRM. This produces an error message:

    “Error: Invalid use of command line. Type “winrm -?” for help.”

    Switching back to cmd.exe allowed the commands to run as expected.

    • mwpreston

      Rahul’s comment should have you covered!

  • Rahul

    You need to enclose the option in single quotes if executing from PowerShell:

    winrm set winrm/config/service/auth '@{Kerberos="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'

    I encountered one more issue with file /etc/krb5.conf.
    vCO Server was reading values from this file. So I renamed it and my PowerShell host was added successfully with Kerberos Authentication.

    • mwpreston

      Thanks so much Rahul – I used the basic command prompt so didn’t run into that – but nice to know!

    • Revelation

      Actually, none of these seem to work for me. I can either input this in a CMD window, or run Rahul’s version above; it spits out the same error: Syntax Error: input must be of the form {KEY=”VALUE”[;KEY=”VALUE”]}
