Recently I was working with a customer who was having an issue adding a PowerShell host to vRO from a domain that vRO was not a part of, so I decided to take this into my home lab to reproduce it.
What I used in my repro
- Domains – ilt.local & nanner.ninja
- DCs & CAs – ad01.ilt.local & ad01.nanner.ninja
- PowerShell Hosts – pshost.ilt.local & pshost.nanner.ninja
- 7.4 vRealize Orchestrator (Embedded with vRealize Automation)
- Domain user that is a part of “Remote Management Users” group – pshost
PowerShell Host Setup (pshost.nanner.ninja)
Enable PowerShell Remoting
C:\> Enable-PSRemoting
Import Certificate
An SSL cert is required for HTTPS. Here we pull a cert from our CA (ad01.nanner.ninja).
Now we should have a certificate listed in the Personal store.
Configure HTTPS Listener
C:\> winrm quickconfig -transport:https
Verify the listener settings.
C:\> WinRM e winrm/config/listener
Double-click your cert to see its thumbprint and compare it with the CertificateThumbprint shown by the previous command.
vRealize Orchestrator Setup
Preparing KRB5.conf
You can find krb5.conf in two places on the vRA / vRO appliances.
Embedded vRO = /etc/krb5.conf
Standalone vRO = /usr/java/jre-vmware/lib/security/krb5.conf
**If you are running Embedded you should not have a krb5.conf in /usr/java/jre-vmware/lib/security/**
Your krb5.conf should look like this in a multi-domain scenario:
```
[libdefaults]
default_realm = NANNER.NINJA
udp_preference_limit = 1
[realms]
NANNER.NINJA = {
    kdc = ad01.nanner.ninja
    default_domain = nanner.ninja
}
ILT.LOCAL = {
    kdc = ad01.ilt.local
    default_domain = ilt.local
}
[domain_realm]
.nanner.ninja=NANNER.NINJA
nanner.ninja=NANNER.NINJA
.ilt.local=ILT.LOCAL
ilt.local=ILT.LOCAL
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
```
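A quick consistency check for a multi-domain krb5.conf like the one above, added here as an example and not taken from the original post or from the vRO appliance. It uses a minimal parser (assumed to be enough for the layout shown, not a full krb5.conf grammar) and flags the mismatches that typically break cross-domain lookups: a default_realm or [domain_realm] target that is not defined under [realms], a realm name that is not upper case, or a realm with no kdc. The sample is constructed from the post's values.

```python
# Constructed sample mirroring the multi-domain krb5.conf shown in this post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = NANNER.NINJA
[realms]
NANNER.NINJA = {
kdc = ad01.nanner.ninja
default_domain = nanner.ninja
}
ILT.LOCAL = {
kdc = ad01.ilt.local
default_domain = ilt.local
}
[domain_realm]
.nanner.ninja=NANNER.NINJA
.ilt.local=ILT.LOCAL
"""

def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: value or {subkey: value}}}."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):  # "REALM = {" opens a realm block
            realm = line[:-1].strip(" =")
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        else:
            key, _, val = line.partition("=")
            target = conf[section][realm] if realm else conf[section]
            target[key.strip()] = val.strip()
    return conf

def check_krb5(text):
    """Return problems found; an empty list means realms and mappings agree."""
    conf = parse_krb5(text)
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    problems = [] if default in realms else [f"default_realm {default!r} not in [realms]"]
    problems += [f"realm {n!r} is not upper case" for n in realms if n != n.upper()]
    problems += [f"realm {n!r} has no kdc" for n, b in realms.items() if "kdc" not in b]
    problems += [f"{d!r} maps to undefined realm {r!r}"
                 for d, r in conf.get("domain_realm", {}).items() if r not in realms]
    return problems
```

Run it against the real file with `check_krb5(open("/etc/krb5.conf").read())` on an embedded appliance; a non-empty list points at the entry to fix before running the workflow.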
Run the “Add a PowerShell host” workflow
Right-click > Run on the “Add a PowerShell host” workflow.
Name = Unique name for the PowerShell host in vRO
Host / IP = FQDN of the PS host. *Must use the FQDN for Kerberos to work*
Port = 5986
Session = Shared
User name = User with Remote Management permissions
Password = password
We see the PowerShell host added successfully.
You can also verify the certificate was imported into vRO properly via the vRO Control Center page: “https://<vrafqdn>:8283/vco-controlcenter” > Certificates.