VMware Cloud Community
orian
Hot Shot

Remote powershell timeout

Hi,

I have an old environment with Orchestrator version 7.3.

This environment is connected to domain named: main.contoso.co.il.

I connected 3 remote PowerShell sessions to this environment (Add a PowerShell host).

I can run PowerShell scripts on these hosts without errors.

I have 3 different domains: main.contoso.co.il, mngt.contoso.co.il, dev.contoso - there is no trust between them.

Each host I connect to the old environment is in a different domain.

I created a new environment with Orchestrator version 7.5.

This environment is connected to domain named: contoso.co.il.

I try to run the "Add a PowerShell host" workflow on the same hosts as the old environment, but receive a timeout error:

[2019-05-02 20:20:31.387] [E] Workflow execution stack:
***
item: 'Add a PowerShell host/item8', state: 'failed', business state: 'null', exception: 'Receive timed out (Dynamic Script Module name : addPowerShellHost#19)'
workflow: 'Add a PowerShell host' (EF8180808080808080808080808080803D80808001270557368849c62c352aa82)
|  'attribute': name=errorCode type=string value=Receive timed out (Dynamic Script Module name : addPowerShellHost#19)
|  'attribute': name=sslUrl type=string value=
|  'input': name=name type=string value=Ex3
|  'input': name=type type=string value=WinRM
|  'input': name=transportProtocol type=string value=HTTP
|  'input': name=port type=string value=5985
|  'input': name=hostName type=string value=Ex3.dev.contoso
|  'input': name=username type=string value=admin@dev.contoso
|  'input': name=password type=SecureString value=__NULL__
|  'input': name=sessionMode type=string value=Shared Session
|  'input': name=authentication type=string value=Kerberos
|  'input': name=acceptAllCertificates type=boolean value=false
|  'input': name=shellCodePage type=string value=UTF8
|  'output': name=host type=PowerShell:PowerShellHost value=null
*** End of execution stack.

I also updated the /etc/krb5.conf file with the other domains (and restarted the appliance):

[libdefaults]
  default_keytab_name = /etc/krb5.keytab
  default_realm = CONTOSO.CO.IL
  default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  dns_lookup_kdc = true
  pkinit_kdc_hostname = <DNS>
  pkinit_anchors = DIR:/var/trusted_certs
  pkinit_cert_match = <EKU>msScLogin
  pkinit_eku_checking = kpServerAuth
  pkinit_win2k_require_binding = false
  pkinit_identities = PKCS11:/opt/likewise/lib64/libpkcs11wrapper.so
#       default_realm = EXAMPLE.COM

[realms]
  CONTOSO.CO.IL = {
   auth_to_local = RULE:[1:$0\$1](^CONTOSO\.CO\.IL\\.*)s/^CONTOSO\.CO\.IL/CONTOSO/
   auth_to_local = RULE:[1:$0\$1](^CONTOSO\.CO\.IL\\.*)s/^CONTOSO\.CO\.IL/CONTOSO/
   auth_to_local = DEFAULT
  }
  MNGT.CONTOSO.CO.IL = {
      kdc = ad2.mngt.contoso.co.il
      admin_server = ad2.mngt.contoso.co.il
  }
  MAIN.CONTOSO.CO.IL = {
      kdc = ad1.main.contoso.co.il
      admin_server = ad1.main.contoso.co.il
  }
  DEV.CONTOSO = {
      kdc = ad4.dev.contoso
      admin_server = ad4.dev.contoso
  }
#       EXAMPLE.COM = {
#                kdc = kerberos.example.com
#               admin_server = kerberos.example.com
#       }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
  .contoso.co.il = CONTOSO.CO.IL
  .mngt.contoso.co.il = MNGT.CONTOSO.CO.IL
  .main.contoso.co.il = MAIN.CONTOSO.CO.IL
  .dev.contoso = DEV.CONTOSO

[appdefaults]
  pam = {
   mappings = CONTOSO\\(.*) $1@CONTOSO.CO.IL
   forwardable = true
   validate = true
  }
  httpd = {
   mappings = CONTOSO\\(.*) $1@CONTOSO.CO.IL
   reverse_mappings = (.*)@CONTOSO\.CO\.IL CONTOSO\$1
  }

From the Orchestrator appliance, ping commands to the other domains and KDC servers return good results.

The strange thing is that I can't see any activity in the firewall between the old Orchestrator appliance and the hosts I try to connect to on port 5985.

I see only the icmp (ping command) activity in the firewall.

What am I missing?

On the hosts everything is configured correctly (WinRM configuration), because the old Orchestrator is connected to the same hosts I try to connect to from the new one.

Accepted Solutions
orian

I figured out the problem.

There were firewall drops between the appliance and the AD on port 88.

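The accepted answer traces the timeout to Kerberos (TCP 88) being dropped while ICMP still passed, which is why ping looked fine. As an added example that is not from the original thread, the following POSIX shell script pulls every kdc entry out of a krb5.conf, tests a TCP connect to each on port 88 and then to the target host on WinRM port 5985, so a blocked path shows up before the "Add a PowerShell host" workflow times out; it assumes bash (for /dev/tcp) and the coreutils timeout command exist on the appliance, and the embedded krb5.conf is a constructed sample in the layout of the one posted.

```shell
#!/bin/sh
# Constructed sample in the layout of the posted krb5.conf (not the poster's file).
SAMPLE_KRB5_CONF='[realms]
  CONTOSO.CO.IL = {
   auth_to_local = DEFAULT
  }
  MNGT.CONTOSO.CO.IL = {
      kdc = ad2.mngt.contoso.co.il
      admin_server = ad2.mngt.contoso.co.il
  }
  DEV.CONTOSO = {
      kdc = ad4.dev.contoso:88
      admin_server = ad4.dev.contoso
  }
[domain_realm]
  .dev.contoso = DEV.CONTOSO
'

# kdc_hosts CONF: print "REALM HOST PORT" for each kdc entry inside [realms].
# A kdc value may carry host:port; without one, Kerberos uses port 88.
kdc_hosts() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        !insec { next }
        /=[[:space:]]*[{]/ { realm = $1; next }
        /^[[:space:]]*kdc[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            n = split($0, a, ":")
            print realm, a[1], (n > 1 ? a[2] : 88)
        }'
}

# tcp_check HOST PORT: 0 if a TCP connect completes within 3 s; ping proves nothing here.
tcp_check() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_paths HOST CONF: TCP 88 to every KDC, then TCP 5985 (WinRM/HTTP) to HOST; returns the failure count.
check_paths() {
    failed=0
    for entry in $(kdc_hosts "$2" | tr ' ' ','); do
        realm=${entry%%,*}; rest=${entry#*,}; host=${rest%%,*}; port=${rest#*,}
        if tcp_check "$host" "$port"; then echo "OK   $realm KDC $host:$port"
        else echo "FAIL $realm KDC $host:$port (Kerberos blocked?)"; failed=$((failed+1)); fi
    done
    if tcp_check "$1" 5985; then echo "OK   WinRM $1:5985"
    else echo "FAIL WinRM $1:5985"; failed=$((failed+1)); fi
    return $failed
}
```

Run it as `check_paths Ex3.dev.contoso "$(cat /etc/krb5.conf)"` on the appliance; a FAIL on a KDC line with OK on WinRM is exactly the port 88 drop described in the answer.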
orian

Any idea?

Thanks!
