houghtp
Contributor
Contributor

Multiple PowerShell Hosts in different forests

Hi,

vCo 5.5

Powershell plugin 1.0.6.2442318

I'm trying to run some PowerShells cripts from vRO, all working OK for the main.

However, I'm trying to add a 2nd powershell host exactly the same way I've added the first so i can run MS AD cmdlet scripts against our external forest, but have run into issues which I'm guessing are due to the way I've got my krb5.conf file set up?

the error i get is:

"No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))) (Dynamic Script Module name : addPowerShellHost#16)"

I've triple checked the credentials and know they are correct. I've also swapped out the krb5.conf file so each forest is the only entity included and I can add each PowerShell host separately without issue. Here's my krb5.con file with the 2 forests added.

[libdefaults]

   default_realm = INTERNAL.NET

   udp_preference_limit = 1

   forwardable = true

[realms]

    INTERNAL.NET = {

        kdc = dc-01.internal.net

        default_domain = internal.net

       admin_server = dc-01.internal.net

    }

  EXTERNAL.NET = {

        kdc = dc-01.external.net

       default_domain = external.net

       admin_server = dc-01.external.net

    }

[domain_realm]

  .internal.net=INTERNAL.NET

    internal.net=INTERNAL.NET

  .external.net=EXTERNAL.NET

    external.net=EXTERNAL.NET

[logging]

    kdc = FILE:/var/log/krb5/krb5kdc.log

    admin_server = FILE:/var/log/krb5/kadmind.log

    default = SYSLOG:NOTICE:DAEMON

can anyone advise?

0 Kudos
6 Replies
sbeaver
Leadership
Leadership

Did you reboot after you made any changes to the krb5.conf?  Also where is your krb5.conf file located?

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
0 Kudos
houghtp
Contributor
Contributor

yes rebooted several times. krb5 file is in /usr/java/jre-vmware/lib/security

kerberos works fine if i just have the 1 realm, doesn't matter which one, auth to both works ok separately. its just when i try to combine them.

0 Kudos
fabd
Contributor
Contributor

same problem on same version.

did you find a solution ?

0 Kudos
eoinbyrne
Expert
Expert

I had this problem before and I think it's a limitation of the plugin but hopefully someone from VMware can confirm/deny. In my case I used a single Powershell node as a Jump-node to execute a script on which would use CredSSP to jump sessions onto other nodes (in other domains if the trusts & suitable config were in place)

It worked well enough since our target was just to use Advanced services as the trigger for work / deployments at the Windows machine level.

I think one of the forum guys from VMware had posted that there was a limitation in the plugin but that it was to be fixed... Perhaps there's a Tech preview by now with this fixed in it?

Anyway, HTH

-Eoin

--EDIT --

Found the link to the post I read this in

Re: krb5.conf, vCO, multiple domains and powershell hosts?

0 Kudos
SpasKaloferov
VMware Employee
VMware Employee

Hi,
i can confirm that adding hosts from different domains works. I have tested with domains which have parent-child relationship (e.g. [vmware.com] and [support.vmware.com]). I haven't tested with domains which are not in a parent-child relationship. This functionality was introduced in vRO Powershell Plug-in version 1.0.6.2283945 or above.

The test i did is described here:

How to add PowerShell hosts from multiple domains with Kerberos authentication to the same vRO

http://kaloferov.com/blog/how-to-add-powershell-hosts-from-multiple-domains-with-kerberos-authentica...

CredSSP is a viable solution. I've described it here:

Using CredSSP with the vCO PowerShell Plugin

http://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/

Few questions:

-     When you are adding a PS Host form the second domain are you using a username from that same domain?

-     Are you using the vRA embedded vRO ?

Best Regards,

Spas Kaloferov

0 Kudos
RahulIT108
Contributor
Contributor

Hi,

please help me if any one got this error !!

I am trying to add Powershell  host from different domain. I have one way trust between them so domain abc.com can trust Domain xyz.com. i have given admin privileges to a Domain  user of xyz.com on a Powersell host which is part of Domain abc.com.

when I am trying to add the powershell host of abc.com to VRO with user getting error like this.

I am using kerebrose authentication and user user1@xyz.com which has admin rights of abc.com Powershell host(because of one way trust i gave the admin privlages)

Error:

send message on http:/host:5985/wsman error , document in <?xml version="1.0" encoding="UTF-8"?>

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">

  <env:Header>

    <a:To xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">http://host:5985/wsman</a:To>

    <a:ReplyTo xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">

      <a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>

    </a:ReplyTo>

    <w:MaxEnvelopeSize xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">153600</w:MaxEnvelopeSize>

    <a:MessageID xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">uuid:BFE32E77-72D6-4CC3-8AAA-4C26D6AE0463</a:MessageID>

    <w:Locale xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>

    <p:DataLocale xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>

    <w:OperationTimeout xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">PT180.000S</w:OperationTimeout>

    <a:Action xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>

    <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>

    <w:OptionSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">

      <w:Option Name="WINRS_NOPROFILE">FALSE</w:Option>

      <w:Option Name="WINRS_CODEPAGE">437</w:Option>

    </w:OptionSet>

  </env:Header>

  <env:Body>

    <rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell">

      <rsp:InputStreams>stdin</rsp:InputStreams>

      <rsp:OutputStreams>stdout stderr</rsp:OutputStreams>

    </rsp:Shell>

  </env:Body>

</env:Envelope>

, document out [EMPTY], (Dynamic Script Module name : addPowerShellHost#16)

0 Kudos