##Introduction##

I’m doing a lot of Orchestrator type work at the moment and recently found a need to add a Powershell host to my itinerary of plugins that are available for use in Orchestrator. This allows you to run Powershell scripts from a dedicated server that are initiated by Orchestrator workflows.

A quick read-through of the docs makes the task appear straightforward, yet it is fraught with issues and took a lot longer than expected to complete.

Below is what ended up working for me in my environment.

##Objective##

  • Adding a Windows 2012 R2 server as vCO - Powershell host using Kerberos over HTTP

##Infrastructure setup in this example##

  • vRealize Orchestrator is embedded within the vRealize Automation appliance
  • The Powershell host to be used is the vRealize IaaS server

##Assumptions##

  • You have root SSH access to your vCO (in this case the vRA Appliance)
  • You have administrative privilege on the Windows 2012 R2 server that is to be the Powershell host

##Steps to success##

  1. On the Windows host that will be the Powershell host used by Orchestrator

From an elevated Administrator command prompt:

To create a WinRM listener and open any required firewall ports:

    winrm quickconfig

To enable Kerberos authentication:

    winrm set winrm/config/service/auth @{Kerberos="true"}

To allow unencrypted WinRM traffic over the HTTP listener:

    winrm set winrm/config/service @{AllowUnencrypted="true"}

NOTE: The AllowUnencrypted line above HAS to be set for this to work.

To raise the memory limit of each remote shell:

    winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}

OR

From an elevated Administrator Powershell prompt, run the same commands with the @{...} argument in single quotes, otherwise Powershell parses it as a hashtable literal instead of passing it to winrm as text:

    winrm quickconfig
    winrm set winrm/config/service/auth '@{Kerberos="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="2048"}'

NOTE: As above, the AllowUnencrypted line HAS to be set for this to work.
  2. On the vCO server (vRealize Automation Appliance SSH console)

    mv /etc/krb5.conf /etc/krb5.conf.old

The above is required because, when restarting vCO, I noticed that this file was read for some reason. We want it to read the file in /usr/java/jre-vmware/lib/security/ instead.

    vi /usr/java/jre-vmware/lib/security/krb5.conf

Type i and paste the following, replacing your FQDN where necessary (the realm name in capitals, the DNS names in lowercase):

    [libdefaults]
      default_realm = FQDN.IN.CAPS
      udp_preference_limit = 1
    [realms]
      FQDN.IN.CAPS = {
        kdc = domaincontroller.fqdn.in.lowercase
        default_domain = fqdn.in.lowercase
      }
    [domain_realm]
      .fqdn.in.lowercase = FQDN.IN.CAPS
      fqdn.in.lowercase = FQDN.IN.CAPS

NOTE: Ensure you abide by the case sensitivity and line formatting

Save and exit the file (type ‘:wq’)

  3. Alter the permissions

    chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf

  4. Restart the vCO server

Close any vCO sessions, then:

    service vco-server restart

NOTE: The service restarts fairly quickly, but it takes a few minutes to become available via the URL.

  5. Log into vCO as normal
  6. Run the “Add a Powershell host” workflow
  7. Run through the wizard, ensuring you select Kerberos
  8. When using Shared Session, ensure the user name is given in the form user@FQDN.IN.CAPS, with the realm matching the one defined in krb5.conf
  9. Submit the workflow
  10. Green tick success!
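To confirm the Windows host ended up in the state the steps above describe, here is an added check script that is not part of the original post. The function names Get-VcoWinRmHostState and Test-VcoWinRmKerberos are hypothetical; the first reads the WinRM settings through the WSMan: drive on the Powershell host itself, the second is run from a second domain-joined Windows machine to test a Kerberos connection with Test-WSMan.

```powershell
# Added verification script (not from the original post). Run on the
# Windows 2012 R2 Powershell host after the winrm commands above.
function Get-VcoWinRmHostState {
    [CmdletBinding()]
    param()

    # The WSMan: PSDrive exposes the same settings that
    # "winrm get winrm/config" prints, as string values.
    $kerberos = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value
    $clear    = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $maxMem   = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value

    # Each listener's Keys collection holds strings such as "Transport=HTTP".
    $transports = Get-ChildItem WSMan:\localhost\Listener |
        ForEach-Object { ($_.Keys -match '^Transport=') -replace '^Transport=', '' }

    [pscustomobject]@{
        KerberosAuth        = [bool]::Parse($kerberos)
        AllowUnencrypted    = [bool]::Parse($clear)   # the setting the post requires
        MaxMemoryPerShellMB = [int]$maxMem
        ListenerTransports  = @($transports) -join ','
    }
}

function Test-VcoWinRmKerberos {
    # Run from another domain-joined Windows machine to confirm the host
    # accepts Kerberos over WinRM, as the vCO workflow will. Returns $true on success.
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        # With an explicit -Authentication, Test-WSMan sends an authenticated
        # Identify request rather than an anonymous one.
        $null = Test-WSMan -ComputerName $ComputerName -Authentication Kerberos -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Kerberos WinRM test against $ComputerName failed: $($_.Exception.Message)"
        return $false
    }
}

$state = Get-VcoWinRmHostState
$state | Format-List
if (-not $state.KerberosAuth) {
    Write-Warning 'Kerberos authentication is not enabled on the WinRM service.'
}
if ($state.AllowUnencrypted) {
    # Record the exposure this configuration accepts: the service will take
    # WinRM traffic without message-level encryption on the HTTP listener.
    Write-Warning 'AllowUnencrypted is true; limit which hosts can reach the WinRM listener.'
}
```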

##Troubleshooting##

I hit a number of problems getting this to work, and in order to assist my endeavours I used the vCO server log to see what was happening.

If you run into any problems, I recommend running the following from the vCO console:

    tail -f /var/log/vmware/vco/app-server/server.log

By doing so it was possible to see, in real time, any issues that were being recorded on the vCO as I was adding the Powershell host, and to identify them as things went along.

Also remember that grep is your friend should you need to locate specific errors in the server.log. For example:

    cat /var/log/vmware/vco/app-server/server.log | grep KRB

If you have any issues, questions or comments feel free to post below.

##Links##

My journey started at the first link below, a great set of blog posts by MW Preston.

  • My First vCenter Orchestrator Workflow – Part 4 – A look at the Powershell Plug-in
  • Kerberos authentication for the PowerShell plugin in vCO 5.5
  • Configure the Active Directory Plug-In as an Endpoint
  • Configure Kerberos Authentication
  • Adding the power shell host to vRealize Orchestrator fails with the error: Cannot get kdc for realm (2036986)
  • Error Adding Powershell Host to vCO 5.5 Appliance