

[vCO PowerShell plugin] How to set up and use Kerberos authentication

The updated vCO PowerShell plugin, version 1.0.1, adds support for Kerberos authentication. Using Kerberos authentication allows domain users to be used when WinRM is the transport to the PowerShell host.

Prerequisites

The WinRM service must be configured for Kerberos authentication.

  • Make sure that Kerberos authentication is enabled on the WinRM service:
winrm g winrm/config/service/auth
  • Use the following command to enable it:
winrm s winrm/config/service/auth @{Kerberos="true"}
  • Verify the connection to the WinRM service using Kerberos (an empty -p: value prompts for the password):
winrm id -r:hostname.somedomain.com -a:Kerberos -u:domainusername@somedomain.com -p:

Configuring vCO PowerShell Plugin for Kerberos Authentication

A krb5.conf file must be created and placed at {ORCHESTRATOR_INSTALLATION_FOLDER}/jre/lib/security/krb5.conf.

The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. More details on the format of krb5.conf can be found here: http://www.faqs.org/faqs/kerberos-faq/general/section-38.html#b

Sample krb5.conf content may look like the following:

[libdefaults]
   default_realm = SOMEDOMAIN.COM
   udp_preference_limit = 1
[realms]
   SOMEDOMAIN.COM = {
      kdc = kdc.somedomain.com
      default_domain = somedomain.com
   }
[domain_realm]
   .somedomain.com = SOMEDOMAIN.COM
   somedomain.com = SOMEDOMAIN.COM

Note: kdc.somedomain.com is the address of the key distribution center for the given Kerberos realm. Usually it is on the same machine as the domain controller. The realm name must be spelled identically in default_realm, in the [realms] section and in the [domain_realm] mappings, and realm names are case-sensitive.

PowerShell host configuration

  • Run the "Add a PowerShell host" workflow.
  • Provide a hostname for Host/IP. Kerberos authentication is not supported with an IP address.
  • Choose WinRM as the PowerShell remote host type.
  • A new field, "Authentication", will appear.
  • Choose Kerberos as the authentication mechanism.
  • Provide the domain user with the following syntax: user@DOMAIN.COM.

(Screenshots: Powershell_kerberos_hostname, Powershell_kerberos, Powershell_kerberos_username)

Troubleshooting guide

  • No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)))
    • The error can be caused by domain/realm mapping problems, or it can be the result of a DNS problem where the service principal name is not being built correctly. Server logs and network traces can be used to determine which service principal is actually being requested.
    • Kerberos authentication cannot be used when the destination is an IP address. Specify a DNS destination.
    • Invalid host name.
  • Pre-authentication information was invalid (24)
    • This indicates a failure to obtain a ticket, possibly because the client provided the wrong password.
  • Clock Skew
    • Time differences are a common factor when dealing with Kerberos configuration. Kerberos requires that all the computers in the environment have system times within 5 minutes of one another. If computers that a client is attempting to use for either initial authentication (the Kerberos server) or resource access (including both the application server and, in a cross-realm environment, an alternate Kerberos server) have a delta greater than 5 minutes from the client computer or from one another, the Kerberos authentication will fail.
  • Cannot get kdc for realm SOMEREALM.COM
    • Check [libdefaults] and [realms] section of krb5.conf for typos.
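Because a realm-name typo or a misnamed section in krb5.conf only surfaces at runtime as the "Cannot get kdc for realm" error above, here is an added example (not part of the original post or of the plugin) that parses a krb5.conf and reports such mismatches before the file is dropped into the Orchestrator jre/lib/security folder. The embedded sample is constructed from the post's snippet with its realm typo and misnamed section kept so the checker has something to find.

```python
# Constructed sample based on the post's krb5.conf, keeping its two defects (misspelled realm, misnamed section).
SAMPLE_KRB5_CONF = """
[libdefaults]
   default_realm = SOMEDOMAIN.COM
[realms]
   SOMEDOIMAN.COM = {
      kdc = kdc.somedomain.com
      default_domain = somedomain.com
   }
[domain_realms]
.somedomain.com=SOMEDOMAIN.COM
somedomain.com=SOMEDOMAIN.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or {subkey: value}}} (one brace level deep)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None  # new section header
            conf.setdefault(section, {})
        elif line == "}":
            block = None                       # end of a REALM = { ... } block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                conf[section][key], block = {}, key
            else:
                (conf[section][block] if block else conf[section])[key] = value
    return conf

def check_krb5_conf(text):
    """List inconsistencies that show up at runtime as 'Cannot get kdc for realm'."""
    conf, problems = parse_krb5_conf(text), []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    for realm, entry in realms.items():
        if "kdc" not in entry:
            problems.append(f"realm {realm} has no kdc line")
    if "domain_realms" in conf and "domain_realm" not in conf:
        problems.append("section [domain_realms] should be spelled [domain_realm]")
    for host, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"{host} maps to realm {realm}, which has no [realms] entry")
    return problems
```

Running check_krb5_conf on the sample reports the misspelled realm and the misnamed section; once both are corrected it returns an empty list.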

One thought on “[vCO PowerShell plugin] How to set up and use Kerberos authentication”

  1. Vincent Partington

    Hi there,
    I am one of the authors of the Overthere library used in the vCO PowerShell plugin. Nice to see it used in another project!
    Where can I download the source code to your plugin? I am interested to see how you were able to add Kerberos authentication to Overthere.
    Thx! Regards, Vincent.
