Hi,
vCo 5.5
Powershell plugin 1.0.6.2442318
I'm trying to run some PowerShell scripts from vRO, all working OK for the main.
However, I'm trying to add a 2nd PowerShell host exactly the same way I've added the first so I can run MS AD cmdlet scripts against our external forest, but have run into issues which I'm guessing are due to the way I've got my krb5.conf file set up?
The error I get is:
"No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))) (Dynamic Script Module name : addPowerShellHost#16)"
I've triple checked the credentials and know they are correct. I've also swapped out the krb5.conf file so each forest is the only entity included and I can add each PowerShell host separately without issue. Here's my krb5.conf file with the 2 forests added.
[libdefaults]
    default_realm = INTERNAL.NET
    udp_preference_limit = 1
    forwardable = true
[realms]
    INTERNAL.NET = {
        kdc = dc-01.internal.net
        default_domain = internal.net
        admin_server = dc-01.internal.net
    }
    EXTERNAL.NET = {
        kdc = dc-01.external.net
        default_domain = external.net
        admin_server = dc-01.external.net
    }
[domain_realm]
    .internal.net=INTERNAL.NET
    internal.net=INTERNAL.NET
    .external.net=EXTERNAL.NET
    external.net=EXTERNAL.NET
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
Can anyone advise?
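For a two-realm krb5.conf like the one posted above, this added example (not part of the thread) resolves which realm a target host name maps to through [domain_realm] and whether that realm lists a kdc. The host names are constructed, and the lookup order (exact name, then each parent domain) with a fall back to default_realm is an assumption about how the Kerberos client picks the realm.

```python
import re

# Trimmed copy of the krb5.conf posted above; host names passed to audit() are constructed.
CONF = """
[libdefaults]
default_realm = INTERNAL.NET
[realms]
INTERNAL.NET = {
kdc = dc-01.internal.net
}
EXTERNAL.NET = {
kdc = dc-01.external.net
}
[domain_realm]
.internal.net=INTERNAL.NET
.external.net=EXTERNAL.NET
"""

def parse(text):
    """Return (default_realm, realms that list a kdc, domain_realm map)."""
    section = realm = default = None
    kdc_realms, mapping = set(), {}
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default = val
            elif section == "realms" and val == "{":
                realm = key                      # start of a realm block
            elif section == "realms" and key == "kdc":
                kdc_realms.add(realm)
            elif section == "domain_realm":
                mapping[key.lower()] = val
    return default, kdc_realms, mapping

def realm_for(host, default, mapping):
    """Try the exact name, then each parent domain as ".dom" and "dom"."""
    host = host.lower().rstrip(".")
    cands = [host] + [host[i + o:] for i, c in enumerate(host) if c == "." for o in (0, 1)]
    hit = next((c for c in cands if c in mapping), None)
    return (mapping[hit], hit) if hit else (default, "default_realm")  # assumed fallback

def audit(hosts, text=CONF):
    """Map each host to (realm, rule that matched, realm has a kdc entry)."""
    default, kdc_realms, mapping = parse(text)
    hits = {h: realm_for(h, default, mapping) for h in hosts}
    return {h: (r, rule, r in kdc_realms) for h, (r, rule) in hits.items()}
```

In this model a host given as a short name, or in a domain with no [domain_realm] entry, resolves to default_realm, which is worth checking when the KDC answers "Server not found in Kerberos database (7)".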
Did you reboot after you made any changes to the krb5.conf? Also where is your krb5.conf file located?
Yes, rebooted several times. The krb5 file is in /usr/java/jre-vmware/lib/security
Kerberos works fine if I just have the 1 realm, doesn't matter which one, auth to both works OK separately. It's just when I try to combine them.
Same problem on same version.
Did you find a solution?
I had this problem before and I think it's a limitation of the plugin but hopefully someone from VMware can confirm/deny. In my case I used a single PowerShell node as a jump node to execute a script on, which would use CredSSP to jump sessions onto other nodes (in other domains if the trusts & suitable config were in place).
It worked well enough since our target was just to use Advanced services as the trigger for work / deployments at the Windows machine level.
I think one of the forum guys from VMware had posted that there was a limitation in the plugin but that it was to be fixed... Perhaps there's a Tech preview by now with this fixed in it?
Anyway, HTH
-Eoin
--EDIT --
Found the link to the post I read this in
Hi,
I can confirm that adding hosts from different domains works. I have tested with domains which have a parent-child relationship (e.g. [vmware.com] and [support.vmware.com]). I haven't tested with domains which are not in a parent-child relationship. This functionality was introduced in vRO PowerShell Plug-in version 1.0.6.2283945 or above.
The test I did is described here:
How to add PowerShell hosts from multiple domains with Kerberos authentication to the same vRO
CredSSP is a viable solution. I've described it here:
Using CredSSP with the vCO PowerShell Plugin
http://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/
A few questions:
- When you are adding a PS host from the second domain, are you using a username from that same domain?
- Are you using the vRA embedded vRO?
Best Regards,
Spas Kaloferov
Hi,
Please help me if anyone got this error!!
I am trying to add a PowerShell host from a different domain. I have a one-way trust between them so domain abc.com can trust domain xyz.com. I have given admin privileges to a domain user of xyz.com on a PowerShell host which is part of domain abc.com.
When I am trying to add the PowerShell host of abc.com to vRO with the user, I am getting an error like this.
I am using Kerberos authentication and user user1@xyz.com, which has admin rights on the abc.com PowerShell host (because of the one-way trust I gave the admin privileges).
Error:
send message on http:/host:5985/wsman error , document in <?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Header>
<a:To xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">http://host:5985/wsman</a:To>
<a:ReplyTo xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<w:MaxEnvelopeSize xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">153600</w:MaxEnvelopeSize>
<a:MessageID xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">uuid:BFE32E77-72D6-4CC3-8AAA-4C26D6AE0463</a:MessageID>
<w:Locale xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>
<p:DataLocale xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>
<w:OperationTimeout xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">PT180.000S</w:OperationTimeout>
<a:Action xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>
<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
<w:OptionSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
<w:Option Name="WINRS_NOPROFILE">FALSE</w:Option>
<w:Option Name="WINRS_CODEPAGE">437</w:Option>
</w:OptionSet>
</env:Header>
<env:Body>
<rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell">
<rsp:InputStreams>stdin</rsp:InputStreams>
<rsp:OutputStreams>stdout stderr</rsp:OutputStreams>
</rsp:Shell>
</env:Body>
</env:Envelope>
, document out [EMPTY], (Dynamic Script Module name : addPowerShellHost#16)