How to add PowerShell hosts from multiple domains with Kerberos authentication to the same vRO (SKKB1009)

Update Log:
12/02/2016 – Updated “Editing the Krb5.conf file” chapter.

 

Introduction

In this post we are going to take a look at the configuration needed in order to add PowerShell hosts from multiple domains using Kerberos to the same vCenter Orchestrator (vCO)/vRealize Orchestrator (vRO) Appliance.

 

Lab Environment

The full lab logical design can be seen HERE.

 

Editing the Krb5.conf file

The lab consists of two domains with a parent-child relationship: vmware.com and support.vmware.com.
Our vRO is located in the vmware.com domain. We want to add two PowerShell hosts, one from each domain, using Kerberos authentication.
First we need to edit the Kerberos configuration file (krb5.conf) of the appliance. In our case the file should look like this:

vco-a-01:~ # vi /usr/java/jre-vmware/lib/security/krb5.conf
[libdefaults]
default_realm = VMWARE.COM
udp_preference_limit = 1
[realms]
VMWARE.COM = {
kdc = lan1dc1.vmware.com
admin_server = lan1dc1.vmware.com
default_domain = vmware.com
}
SUPPORT.VMWARE.COM = {
kdc = lan2dc1.support.vmware.com
admin_server = lan2dc1.support.vmware.com
default_domain = support.vmware.com
}
[domain_realm]
.vmware.com=VMWARE.COM
vmware.com=VMWARE.COM
.support.vmware.com=SUPPORT.VMWARE.COM
support.vmware.com=SUPPORT.VMWARE.COM
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

If you are working with the vRA embedded vRO, the file is located at /etc/krb5.conf.

You may add additional domains as needed. Note that a common typo is domain_realms instead of domain_realm.

If you have created a new krb5.conf file, make sure to set the owner:

# chown root:root /usr/java/jre-vmware/lib/security/krb5.conf

Assign permissions 644 (rw-r--r--): the owner may read and write the file, while all others may only read it. This is the usual setting for a file that everybody may read but only the owner may change.

# chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf

After you have edited the krb5.conf file, either reboot the appliance or restart the vco-server service:

# service vco-server restart

For common mistakes when editing configuration files that lead to malformed content or wrong encoding, see: Wrong encoding or formatting of Linux configuration files can cause problems in VMware Appliances
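Because a malformed krb5.conf only shows up later as a vague GSSAPI error in the workflow, it is worth checking the file before the service restart. The script below is an added example and not part of the original post or of the vRO product: it checks for the [domain_realms] typo, for a default_realm without a block under [realms], for realm blocks without a kdc line, for realms with no [domain_realm] mapping, and for the root:root / 644 ownership and mode set above. The paths, realm names and host names it mentions are assumptions taken from the lab in this post.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-flight check for the
# krb5.conf that the vRO appliance's JRE reads, to run before restarting
# vco-server. Paths, realm names and host names are assumptions from the lab.

check_krb5_conf() {
    conf="$1"
    problems=0

    # 1. Section headers. Only the four used in the post are expected here;
    #    [domain_realms] is the typo the post warns about.
    for sec in $(sed -n 's/^[[:space:]]*\[\([A-Za-z_]*\)\].*/\1/p' "$conf"); do
        case "$sec" in
            libdefaults|realms|domain_realm|logging) ;;
            domain_realms)
                echo "ERROR: section [domain_realms] must be [domain_realm]"
                problems=$((problems + 1)) ;;
            *) echo "WARN: unexpected section [$sec]" ;;
        esac
    done

    # 2. default_realm must have a "REALM = {" block under [realms].
    default_realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    if [ -z "$default_realm" ]; then
        echo "ERROR: no default_realm in [libdefaults]"
        problems=$((problems + 1))
    elif ! grep -q "^[[:space:]]*${default_realm}[[:space:]]*=[[:space:]]*{" "$conf"; then
        echo "ERROR: default_realm $default_realm has no block under [realms]"
        problems=$((problems + 1))
    fi

    # 3. Every realm block needs a kdc line and at least one [domain_realm]
    #    entry mapping a DNS name onto it; otherwise the JRE's GSSAPI cannot
    #    locate a KDC for the second domain.
    for realm in $(sed -n 's/^[[:space:]]*\([A-Z0-9.-]\{1,\}\)[[:space:]]*=[[:space:]]*{.*/\1/p' "$conf"); do
        if ! awk -v r="$realm" '
            { line = $0; gsub(/[ \t]/, "", line) }
            line == (r "={") { inblk = 1; next }
            inblk && line == "}" { inblk = 0 }
            inblk && line ~ /^kdc=/ { n++ }
            END { exit n ? 0 : 1 }' "$conf"; then
            echo "ERROR: realm $realm has no kdc line"
            problems=$((problems + 1))
        fi
        if ! grep -q "^[[:space:]]*[a-z0-9.-]\{1,\}[[:space:]]*=[[:space:]]*${realm}[[:space:]]*$" "$conf"; then
            echo "ERROR: realm $realm has no [domain_realm] mapping"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Owner and mode as the post sets them: root:root and 644 (-rw-r--r--).
check_krb5_perms() {
    conf="$1"
    want_owner="${2:-root:root}"
    set -- $(ls -ld "$conf")
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop a trailing ACL/SELinux marker
    owner="$3:$4"
    ok=0
    [ "$mode" = "-rw-r--r--" ] || { echo "ERROR: mode is $mode, want -rw-r--r-- (chmod 644)"; ok=1; }
    [ "$owner" = "$want_owner" ] || { echo "ERROR: owner is $owner, want $want_owner (chown $want_owner)"; ok=1; }
    return $ok
}

# Usage on the appliance:
#   sh krb5check.sh /usr/java/jre-vmware/lib/security/krb5.conf
# (or /etc/krb5.conf for the vRA embedded vRO), then: service vco-server restart
if [ -n "${1:-}" ]; then
    check_krb5_conf "$1" && check_krb5_perms "$1"
fi
```

The checks are deliberately strict about the realm name casing (uppercase realm, lowercase DNS names in [domain_realm]), because that is what the Java Kerberos implementation expects; a mapping with the wrong case is treated as missing.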

 

Adding the PowerShell hosts

Open vRO and run the Add a PowerShell host workflow.

If you haven’t edited the file correctly you might receive the following error/exception:

No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63) – No service creds)) (Dynamic Script Module name : addPowerShellHost#16)

Note that you will receive this or a similar error if you are not using vRO PowerShell plug-in version 1.0.6.2283945 or above. Multi-domain (cross-domain) Kerberos authentication does not work in vRO with a lower version of the plug-in.

Special Thanks to Ivo Gaydajiev

Final Step

If all went well, go grab a beer.
