Adding a vRO PowerShell Host – Kerberos Configuration

Hey all, thanks for stopping by!

Here is a quick post of issues I ran into and changes I made to successfully add a PowerShell host to my vRealize Orchestrator (vRO) configuration. Now, this has been covered at length by a few posts provided in the resources section, so review them first as they may solve your problems. This post addresses the problems I saw in my lab.

List of errors I ran into in vRO when running the ‘Add PowerShell Host’ workflow:

  1. Unauthorized Access. Authentication mechanism requested by the client may not be supported by the server. (Dynamic Script Module name : addPowerShellHost#16
  2. Cannot locate KDC

Authentication Types:
One of the first things you will notice is that there are (2) authentication types you can specify when running the “Add a PowerShell host” workflow.

  1. Basic (Used this for local accounts created on the PowerShell Host)
    • The only way I could get this to work was to use a local account on the machine. Even though the Active Directory plug-in is installed and configured, I was unable to use an AD account with basic authentication. My guess is the PowerShell plug-in doesn’t leverage the AD plugin for authentication (I may also be missing something, please comment if so).
    • Errors received when using a DOMAIN account:
      Unauthorized Access. Authentication mechanism requested by the client may not be supported by the server. (Dynamic Script Module name : addPowerShellHost#16
    • NOTE: When I used a LOCAL account on the PowerShell host, the workflow successfully added the host.
  2. Kerberos (Had to use this for Active Directory Accounts)
    I wanted to use an account I could manage via Active Directory and Group Policy so a local account wasn’t an option.

    • In order to configure vRO for Kerberos, the krb5.conf configuration file had to be added to the vRO Appliance.

Resources:
First, give these a shot and see if they take care of your issues. These posts helped push me in the right direction:

  1. http://blog.mwpreston.net/2013/12/12/kerberos-authentication-for-the-powershell-plugin-in-vco-5-5/
  2. http://www.definit.co.uk/2014/07/configuring-vcenter-orchestrator-vco-with-powershell-over-https-with-kerberos-authentication/
  3. http://kaloferov.com/blog/adding-vco-powershell-host-with-account-other-than-the-default-domain-administrator-account/

Here is the basic process I had to follow to get this working in my lab:

  1. Configure WinRM on the PowerShell host
  2. Add the required krb5.conf file. See resource 1 above.
  3. Restart the vco-service:
    1. SSH to the vRO Appliance
    2. /etc/init.d/vco-server restart
  4. Run the ‘Add PowerShell Host’ Workflow using the correct username convention. Format the account as “user@domain.com”.

Here is an example of my krb5.conf configuration for ‘valcolabs.lab’.

# Each section header goes on its own line.
[libdefaults]
    default_realm = VALCOLABS.LAB

[realms]
    VALCOLABS.LAB = {
        kdc = uber-dc01.valcolabs.lab
        default_domain = valcolabs.lab
    }

# The section name is singular: [domain_realm], not [domain_realms].
[domain_realm]
    .valcolabs.lab = VALCOLABS.LAB
    valcolabs.lab = VALCOLABS.LAB

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

Using “domain\user” resulted in an error stating that the KDC could not be contacted.

Error when using down-level login name: “domain\user”

Correct format: Using the user principal name (UPN): “user@domain.com”
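
A pre-flight check for the two failure points above, the krb5.conf layout and the username format, written as an added example (not code from this post or from vRO). The names `parse_krb5` and `preflight`, the realm `EXAMPLE.LAB`, the KDC `dc01.example.lab` and the account `svc-vro` are hypothetical. It assumes the upper-cased UPN suffix is the realm name, as in the lab configuration above.

```python
import re

KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "plugins", "logging"}  # MIT krb5.conf names

def parse_krb5(text):  # -> {section: {key: value or {key: value}}}
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                       # "[realms]" alone on its line
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":                # end of a "REALM = {" block
            block = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":             # start of a realm block
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def preflight(text, username):
    """Return the problems that would stop a Kerberos login for username."""
    conf, problems = parse_krb5(text), []
    problems += [f"unknown section [{s}]" for s in conf if s not in KNOWN_SECTIONS]
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        problems.append("default_realm missing from [libdefaults]")
    elif "kdc" not in realms.get(default, {}):
        problems.append(f"no kdc listed for realm {default}")
    upn = re.fullmatch(r"[^\\/@\s]+@([A-Za-z0-9.-]+)", username)
    if upn is None:
        problems.append("username must be a UPN (user@domain), not domain\\user")
    elif upn.group(1).upper() not in realms:
        problems.append(f"UPN suffix {upn.group(1)} matches no realm in [realms]")
    return problems

SAMPLE = """
# Constructed sample with placeholder names; one section is misnamed on purpose.
[libdefaults]
    default_realm = EXAMPLE.LAB
[realms]
    EXAMPLE.LAB = {
        kdc = dc01.example.lab
    }
[domain_realms]
    .example.lab = EXAMPLE.LAB
"""
```

Calling `preflight(SAMPLE, "EXAMPLE\\svc-vro")` reports both the misnamed section and the down-level username; an empty list means the file and the account name passed every check.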

Hopefully this saves you some frustration.

Martin
