How to add PowerShell hosts from multiple domains with Kerberos authentication to the same vRO (SKKB1009)

Update Log:
12/02/2016 – Updated “Editing the Krb5.conf file” chapter.


Introduction

In this post we are going to take a look at the configuration needed in order to add PowerShell hosts from multiple domains using Kerberos to the same vCenter Orchestrator (vCO)/vRealize Orchestrator (vRO) Appliance.


Lab Environment

The full lab logical design can be seen HERE.


Editing the Krb5.conf file

The lab consists of two domains with a parent-child relationship: vmware.com and support.vmware.com.
Our vRO is located in the vmware.com domain. We want to add two PowerShell hosts from both domains using Kerberos authentication.
First we need to edit the Kerberos configuration file (krb5.conf) of the appliance. In our case the file should look like this:

vco-a-01:~ # vi /usr/java/jre-vmware/lib/security/krb5.conf
[libdefaults]
    default_realm = VMWARE.COM
    udp_preference_limit = 1
[realms]
    VMWARE.COM = {
        kdc = lan1dc1.vmware.com
        admin_server = lan1dc1.vmware.com
        default_domain = vmware.com
    }
    SUPPORT.VMWARE.COM = {
        kdc = lan2dc1.support.vmware.com
        admin_server = lan2dc1.support.vmware.com
        default_domain = support.vmware.com
    }
[domain_realm]
    .vmware.com = VMWARE.COM
    vmware.com = VMWARE.COM
    .support.vmware.com = SUPPORT.VMWARE.COM
    support.vmware.com = SUPPORT.VMWARE.COM
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

If you are working with the vRA embedded vRO, the file is located at /etc/krb5.conf.

You may add additional domains as you see fit. Note that a common typo is domain_realms instead of domain_realm.

If you have created a new krb5.conf file, make sure to set the owner:

# chown root:root /usr/java/jre-vmware/lib/security/krb5.conf

Assign permissions (rw-r--r--): the owner may read and write the file, while all others may only read it. This is a common setting for data files that everybody may read but only the owner may change.

# chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf

After you have edited the krb5.conf file, either reboot the appliance or restart the vco-server service:

# service vco-server restart

For common mistakes when editing files that can lead to malformed content or wrong encoding, see: Wrong encoding or formatting of Linux configuration files can cause problems in VMware Appliances
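As an added example (not part of the original post and not VMware's code), the following Python script checks a krb5.conf for the mistakes this chapter warns about: the domain_realms typo, a [domain_realm] entry pointing at a realm that is not defined under [realms], a default_realm with no matching realm block, lower-case realm names, and CRLF or non-ASCII bytes left behind by a Windows editor. It also works out which realm a given PowerShell host FQDN would be mapped to through [domain_realm], so you can confirm the mapping before running the workflow. The embedded sample is the two-realm file above as a constructed string; host names such as lan2ps1.support.vmware.com are hypothetical, and the fallback to default_realm when no [domain_realm] entry matches is an assumption made for the example.

```python
import re
import sys

# Constructed sample: the two-realm krb5.conf from the post, as a string.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = VMWARE.COM
udp_preference_limit = 1
[realms]
VMWARE.COM = {
kdc = lan1dc1.vmware.com
admin_server = lan1dc1.vmware.com
default_domain = vmware.com
}
SUPPORT.VMWARE.COM = {
kdc = lan2dc1.support.vmware.com
admin_server = lan2dc1.support.vmware.com
default_domain = support.vmware.com
}
[domain_realm]
.vmware.com=VMWARE.COM
vmware.com=VMWARE.COM
.support.vmware.com=SUPPORT.VMWARE.COM
support.vmware.com=SUPPORT.VMWARE.COM
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
default = SYSLOG:NOTICE:DAEMON
"""

SECTION_RE = re.compile(r"^\[(\S+)\]$")


def parse_krb5_conf(text):
    """Minimal parser for the flat layout used in the post (no includes).
    Returns {section: {key: value}}; realm blocks become nested dicts."""
    sections, current, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:                              # new [section]
            current, realm = m.group(1), None
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.endswith("{"):             # "REALM = {" opens a realm block
            realm = line[:-1].split("=")[0].strip()
            sections[current][realm] = {}
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        target = sections[current][realm] if realm else sections[current]
        target[key.strip()] = value.strip()
    return sections


def lint_krb5_conf(text):
    """Return a list of findings for the mistakes the post warns about."""
    findings = []
    if "\r\n" in text:
        findings.append("CRLF line endings: file was probably edited on Windows")
    if any(ord(c) > 127 for c in text):
        findings.append("non-ASCII characters present (smart quotes or dashes pasted from a web page?)")
    conf = parse_krb5_conf(text)
    if "domain_realms" in conf:
        findings.append("section [domain_realms] found: must be [domain_realm]")
    for sec in ("libdefaults", "realms", "domain_realm"):
        if sec not in conf:
            findings.append(f"missing [{sec}] section")
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append(f"default_realm {default_realm} is not defined in [realms]")
    for name, settings in realms.items():
        if name != name.upper():
            findings.append(f"realm {name} is not upper-case")
        if "kdc" not in settings:
            findings.append(f"realm {name} has no kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return findings


def realm_for_host(fqdn, conf):
    """Resolve a host to a realm via [domain_realm]: exact host first, then the
    longest matching parent domain (leading-dot entries). Falling back to
    default_realm when nothing matches is an assumption for this example."""
    mapping = conf.get("domain_realm", {})
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")


if __name__ == "__main__":
    # Usage: python3 check_krb5.py [/path/to/krb5.conf] [host.fqdn ...]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    for f in lint_krb5_conf(text) or ["no problems found"]:
        print("-", f)
    conf = parse_krb5_conf(text)
    for host in sys.argv[2:] or ["lan2ps1.support.vmware.com", "ps1.vmware.com"]:
        print(host, "->", realm_for_host(host, conf))
```

On the appliance this is run as `python3 check_krb5.py /usr/java/jre-vmware/lib/security/krb5.conf <powershell-host-fqdn>` (or /etc/krb5.conf on the vRA embedded vRO); an empty findings list and the expected realm for each PowerShell host are what you want to see before restarting vco-server. The parser deliberately covers only the flat layout shown in the post, not includedir or nested sub-sections.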


Adding the PowerShell hosts

Open vRO and run the Add a PowerShell host workflow.

If you haven't edited the file correctly, you might receive the following error/exception:

No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63) – No service creds)) (Dynamic Script Module name : addPowerShellHost#16)

Note that you will receive this or a similar error if you are not using vRO PowerShell Plug-in version 1.0.6.2283945 or above. Multi-domain (cross-domain) Kerberos authentication doesn't work in vRO with lower versions of the plug-in.

Special Thanks to Ivo Gaydajiev

Final Step

If all went well, go grab a beer.
