VMware Cloud Community
JeonCalhoun
Contributor
Contributor

Failure to add PowerShell host using Kerberos in vCO

Hi All,

I'm attempting to add a Powershell host to vCO, and have followed the below article to the letter.

http://blogs.vmware.com/orchestrator/2012/06/vco-powershell-plugin-how-to-set-up-and-use-kerberos-au...

It seems like Kerberos authentication is successful. However, I receive a WS-Man error (see attached). All tests of WinRM are successful.

Does anyone have any suggestions for troubleshooting or fixing this?

Thanks,

Jeon

Reply
0 Kudos
7 Replies
igaydajiev
VMware Employee
VMware Employee

You can check the vCO server.log after reproducing the error for additional information.

If you attach the log I can also take a look.

It will also help if you describe basic steps you have followed.

What I mean is something like :

When does the error appear (my guess is while adding new host)?

Are you using  SharedSession when connecting?

When verifying connection with  WinRM service.

Did you invoked thie following command from vCO server itself?

winrm id -r:hostname.somedomain.com -a:Kerberos -u:domainusername@somedomain.com -p:

Did you tested the WinRm connection with the same user as the one used whean adding PowerShell host trough vCO itself?

Reply
0 Kudos
JeonCalhoun
Contributor
Contributor

Hi,

In this scenario I am executing the 'Add a Powershell host' workflow. I am using WinRM, HTTP, and Kerberos. The error appears as an exception to executing the workflow.

I have used my credentials as well as another set of privileged credentials. I get the same results using Shared Session or Session per User. Some experimenting makes me confident that Kerberos functionality is all and well!

I have also verified WinRM both on the local host as well as from a remote host using my credentials.

I've attached the relevant messages from the server.log (hostname replaced). Below is one message that may be of interest. I personally cannot determine whether this problem is with WinRM or perhaps the Overthere code...

Caused by: org.dom4j.DocumentException: Error on line -1 of document  : Premature end of file. Nested exception: Premature end of file.
at org.dom4j.io.SAXReader.read(SAXReader.java:482)
at org.dom4j.DocumentHelper.parseText(DocumentHelper.java:278)
at com.xebialabs.overthere.cifs.winrm.connector.JdkHttpConnector.sendMessage(JdkHttpConnector.java:117)
... 59 more

Reply
0 Kudos
Bukkit
Contributor
Contributor

I have run into the same error in Orchestrator, and my server.log looks identicle to yours (except for that last Cause by portion about premature end of file). Did you end up finding a solution to this issue? I could really use some help myself.

Reply
0 Kudos
igaydajiev
VMware Employee
VMware Employee

Actually the log does not reveal a lot.  All I can see there is that for some reason the WinRM  didn't respond (",..  document out [EMPTY] .."). It can be even caused by some firewall settings.

There a few thing that will help me investigate the issue.

1. Parameter value used when invoking the "Add a PowerShell host".   (it can be even a screen shot)

2. krb5.conf .  I would like to validate It's content.

3. Full server log so that I can check for additional errors

4. Result from following command   (if possible executed from  vCO host machine) replacing the hostname, domainname and username with correct values.

         winrm id -r:hostname.somedomain.com -a:Kerberos -u:domainusername@somedomain.com -p:

5. The results from following command executed on PowerShell host.

     winrm g winrm/config

Reply
0 Kudos
JeonCalhoun
Contributor
Contributor

So I managed to determine what my particular issue was. The reason for my issue was that I didn't follow the Using the vCenter Orchestrator Plug-In for Microsoft Windows PowerShell 1.0.1document. I was specifying the use of WinRM with HTTP but did not set the AllowUnecrypted value to True for Client and Service. After doing that I was able to add my host using WinRM with HTTP and Kerberos authentication.

Reply
0 Kudos
igaydajiev
VMware Employee
VMware Employee

Great,

Thanks for sharing the solution. I will take care to update the troubleshooting section in documentation with this error and it's solution.

Reply
0 Kudos
Bukkit
Contributor
Contributor

Thanks! It turns out that is what I needed in order to add the host correctly.

Reply
0 Kudos