Multiple PowerShell Hosts in different forests


vCo 5.5

Powershell plugin

I'm trying to run some PowerShell scripts from vRO, all working OK for the main.

However, I'm trying to add a 2nd PowerShell host exactly the same way I've added the first so I can run MS AD cmdlet scripts against our external forest, but have run into issues which I'm guessing are due to the way I've got my krb5.conf file set up?

The error I get is:

"No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))) (Dynamic Script Module name : addPowerShellHost#16)"

I've triple checked the credentials and know they are correct. I've also swapped out the krb5.conf file so each forest is the only entity included and I can add each PowerShell host separately without issue. Here's my krb5.conf file with the 2 forests added.


    default_realm = INTERNAL.NET
    udp_preference_limit = 1
    forwardable = true

        kdc = dc-01.internal.net
        default_domain = internal.net
        admin_server = dc-01.internal.net

        kdc = dc-01.external.net
        default_domain = external.net
        admin_server = dc-01.external.net

    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log


Can anyone advise?

0 Kudos
6 Replies
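
Added example, not part of the original thread and not VMware's code: a small checker that parses a krb5.conf and reports which realm each PowerShell host name resolves to through [domain_realm]. A host with no match gets default_realm, so its service ticket is requested from the wrong forest's KDC, which is one possible cause of error (7) that the thread does not confirm. Assumptions: the sample file is constructed from the realm names in the post, its [domain_realm] entry is assumed, and the lookup order (exact host name, then dotted parent suffixes, then default_realm) is a simplified model of the client's behaviour.

```python
import re

# Constructed sample: names from the post; the [domain_realm] entry is assumed.
SAMPLE = """[libdefaults]
    default_realm = INTERNAL.NET
[realms]
    INTERNAL.NET = {
        kdc = dc-01.internal.net
    }
    EXTERNAL.NET = {
        kdc = dc-01.external.net
    }
[domain_realm]
    .internal.net = INTERNAL.NET
"""

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: value or nested stanza dict}}."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, stanza = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            stanza = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                      # opens a per-realm stanza
                stanza = section.setdefault(key, {})
            else:
                (section if stanza is None else stanza)[key] = value
    return conf

def realm_for_host(conf, host):
    """Return (realm, source): exact host name first, then dotted parent suffixes."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().split(".")
    names = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name in names:
        if name in mapping:
            return mapping[name], "domain_realm"
    return conf.get("libdefaults", {}).get("default_realm"), "default_realm"

def unmapped_hosts(conf, hosts):
    """Hosts with no [domain_realm] match, i.e. those that get default_realm."""
    return [h for h in hosts if realm_for_host(conf, h)[1] == "default_realm"]
```
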

Did you reboot after you made any changes to the krb5.conf?  Also where is your krb5.conf file located?

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: http://www.virtualizationpractice.com/blog/
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
0 Kudos

Yes, rebooted several times. krb5 file is in /usr/java/jre-vmware/lib/security.

Kerberos works fine if I just have the 1 realm, doesn't matter which one, auth to both works OK separately. It's just when I try to combine them.

0 Kudos

Same problem on same version.

Did you find a solution?

0 Kudos

I had this problem before and I think it's a limitation of the plugin but hopefully someone from VMware can confirm/deny. In my case I used a single PowerShell node as a Jump-node to execute a script on which would use CredSSP to jump sessions onto other nodes (in other domains if the trusts & suitable config were in place).

It worked well enough since our target was just to use Advanced services as the trigger for work / deployments at the Windows machine level.

I think one of the forum guys from VMware had posted that there was a limitation in the plugin but that it was to be fixed... Perhaps there's a Tech preview by now with this fixed in it?

Anyway, HTH


--EDIT --

Found the link to the post I read this in

Re: krb5.conf, vCO, multiple domains and powershell hosts?

0 Kudos
VMware Employee

I can confirm that adding hosts from different domains works. I have tested with domains which have parent-child relationship (e.g. [vmware.com] and [support.vmware.com]). I haven't tested with domains which are not in a parent-child relationship. This functionality was introduced in vRO Powershell Plug-in version or above.

The test I did is described here:

How to add PowerShell hosts from multiple domains with Kerberos authentication to the same vRO


CredSSP is a viable solution. I've described it here:

Using CredSSP with the vCO PowerShell Plugin


Few questions:

- When you are adding a PS Host from the second domain are you using a username from that same domain?

- Are you using the vRA embedded vRO?

Best Regards,

Spas Kaloferov

0 Kudos


Please help me if anyone got this error!!

I am trying to add a PowerShell host from a different domain. I have a one-way trust between them so domain abc.com can trust domain xyz.com. I have given admin privileges to a domain user of xyz.com on a PowerShell host which is part of domain abc.com.

When I am trying to add the PowerShell host of abc.com to vRO with the user, I get an error like this.

I am using Kerberos authentication and user user1@xyz.com, which has admin rights on the abc.com PowerShell host (because of the one-way trust I gave the admin privileges).


send message on http:/host:5985/wsman error , document in <?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">

    <a:To xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">http://host:5985/wsman</a:To>
    <a:ReplyTo xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">
      <a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>

    <w:MaxEnvelopeSize xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">153600</w:MaxEnvelopeSize>
    <a:MessageID xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">uuid:BFE32E77-72D6-4CC3-8AAA-4C26D6AE0463</a:MessageID>
    <w:Locale xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>
    <p:DataLocale xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" mustUnderstand="false" xml:lang="en-US"/>
    <w:OperationTimeout xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">PT180.000S</w:OperationTimeout>
    <a:Action xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>
    <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
    <w:OptionSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
      <w:Option Name="WINRS_NOPROFILE">FALSE</w:Option>
      <w:Option Name="WINRS_CODEPAGE">437</w:Option>

    <rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell">

      <rsp:OutputStreams>stdout stderr</rsp:OutputStreams>

, document out [EMPTY], (Dynamic Script Module name : addPowerShellHost#16)

0 Kudos