VMware Cloud Community
rwtushar
Contributor
Contributor
‎11-19-2015 03:18 AM

Not able to add 2nd Powershell host from another domain

I am using powershell plugin 1.0.6.

below is the content of my krb5.conf, I was able to add the powershell host for the default_realm but now when I try to add the host from the second domain I am getting below error.

No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)) (Dynamic Script Module name : addPowerShellHost#16)

below is my krb5.conf file. not sure what I am missing here.

[libdefaults]
default_realm=ABC.CORP
udp_preference_limit = 1
dns_lookup_kdc = true
[realms]
ABC.CORP = {
kdc = tc2dcad101.abc.corp
kdc = tc2dcad102.abc.corp
admin_server = tc2dcad101.abc.corp
default_domain = abc.corp

}
123.XYZ.PROD = {
kdc = lontc2dc01.123.xyz.prod
kdc = lontc2dc02.123.xyz.prod
admin_server = lontc2dc01.123.xyz.prod
default_domain = 123.xyz.prod

}
[domain_realms]
tc2dcad101..abc.corp=ABC.CORP
tc2dcad102..abc.corp=ABC.CORP
lontc2dc01.123.xyz.prod=123.XYZ.PROD
lontc2dc02.123.xyz.prod=123.XYZ.PROD

[logging]
default = FILE:/var/log/krb5/krb5kdc.log
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
# default = SYSLOG:NOTICE:DAEMON

Reply
0 Kudos
5 Replies
sbeaver
Leadership
Leadership
‎11-19-2015 07:50 AM

Have to ask...  Did you reboot vRO after you edited the krb5.conf?

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
Reply
0 Kudos
rwtushar
Contributor
Contributor
‎11-19-2015 07:54 AM

Yes it is rebooted.

one more thing is when I use a user which doesn't exists in the AD then I get a different error which confirms it is talking to AD.

Reply
0 Kudos
SpasKaloferov
VMware Employee
VMware Employee
‎11-20-2015 10:56 AM

HI ,

You should use [domain_realm] and not [domain_realms] for a start. You should also have plug-in version 1.0.6.2283945 or above. Check this article for more info:

How to add PowerShell hosts from multiple domains with Kerberos authentication to the same vRO

http://kaloferov.com/blog/how-to-add-powershell-hosts-from-multiple-domains-with-kerberos-authentica...

BR,
Spas Kaloferov

Reply
0 Kudos
rwtushar
Contributor
Contributor
‎12-02-2015 04:52 AM

 

Hello Spas,

 

 

When I use a user which is not in AD I get a different error which confirms the krb5.conf is good. So now I don’t know what level of permissions are required for the user I am using to add the powershell host to VRO.

 

 

Client not found in Kerberos database (6) (Dynamic Script Module name : addPowerShellHost#16)                        

 

 

Thanks,

 

 

Tushar.

 

Reply
0 Kudos
igaydajiev
VMware Employee
VMware Employee
‎03-07-2016 11:30 PM

hope you were able to resolve your issue.

In case you are still strugling with it I found few typos in the krb5,conf file

[domain_realms]

tc2dcad101..abc.corp=ABC.CORP

tc2dcad102..abc.corp=ABC.CORP

lontc2dc01.123.xyz.prod=123.XYZ.PROD

lontc2dc02.123.xyz.prod=123.XYZ.PROD


should be changed to


[domain_realms]

abc.corp=ABC.CORP

.abc.corp=ABC.CORP

123.xyz.prod=123.XYZ.PROD

.123.xyz.prod=123.XYZ.PROD



'.' - infront of the domain means mach any host from above domain to this rule and use provided REALM


Reply
0 Kudos