Hi all,
so I'm tinkering around with the PowerShell plugin.
I successfully connected Orchestrator to a Win2k8R2 host via a shared Kerberos connection (http) using administrator@mylab.local. However, I also created a domain user (member of the Domain Admins group) called power@mylab.local, but using this user as the one that connects to the PowerShell host fails with Access Denied.
I checked from another Windows host in the domain that I can use winrm with the power user:
winrm id -r:scripting.mylab.local -a:Kerberos -u:power@mylab.local
So the question is: what do I need to do to get the power user to be able to be configured for the Shared Connection?
Error message in Orchestrator
Cannot find [XPath: //w:Selector[@Name='ShellId']] in <?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.dmtf.org/wbem/wsman/1/wsman/fault</a:Action>
<a:MessageID>uuid:C0E368FE-D62F-47E6-B637-BFB956813C31</a:MessageID>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:F2AE72F0-1C6D-4FCE-9BA7-86882871F19B</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Receiver</s:Value>
<s:Subcode>
<s:Value>w:InternalError</s:Value>
</s:Subcode>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-US">Access is denied.</s:Text>
</s:Reason>
<s:Detail>
<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2147942405" Machine="scripting.mylab.local">
<f:Message>
<f:ProviderFault provider="Shell cmd plugin" path="%systemroot%\system32\winrscmd.dll">Access is denied.</f:ProviderFault>
</f:Message>
</f:WSManFault>
</s:Detail>
</s:Fault>
</s:Body>
</s:Envelope>
(Dynamic Script Module name : addPowerShellHost#16)
WinRM config (scripting.mylab.local):
Kerberos Config (vro.mylab.local) /usr/java/jre-vmware/lib/security/krb5.conf
[libdefaults]
default_realm = MYLAB.LOCAL
udp_preferences_limit = 1
[realms]
MYLAB.LOCAL = {
kdc = addns.mylab.local
default_domain = mylab.local
}
# krb5.conf section name is domain_realm (singular); domain_realms is not recognised
[domain_realm]
.mylab.local=MYLAB.LOCAL
mylab.local=MYLAB.LOCAL
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
HI,
Normally the following groups have remote PowerShell execution access:
I'd suggest either adding the user to those groups or running [Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI] and adding it there explicitly.
If this doesn't work I would suggest granting permissions to access %systemroot%\system32\winrscmd.dll. I would suggest giving your user permissions to the %systemroot% folder, the system32 folder and the winrscmd.dll file.
Another thing you can do is to log in to Windows and run [cmd > whoami /all] with the "working" user and the "non-working" user. Compare the output, and I would suggest adding the "non-working" user to the same groups as the "working" user. You might also assign the same privileges.
I see that you have found one of my articles below, so I do not think it is something connected with the vCO config or winrm.
Best Regards / Поздрави
Spas Kaloferov | Technical Solutions Architect
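Added example (not from this thread or from the author's article): a PowerShell snippet that gathers the facts the reply above asks for, meant to be run in an elevated PowerShell on the WinRM host (scripting.mylab.local from the question). The account name MYLAB\power and the client-side test at the end are assumptions.

```powershell
# Added diagnostic, not part of the thread. Run elevated on the WinRM host.
# $User is an assumed value; use the DOMAIN\name form of the account that fails.
param([string]$User = 'MYLAB\power')

function Get-LocalGroupMemberNames([string]$GroupName) {
    # ADSI WinNT provider works on Windows Server 2008 R2 / PowerShell 2.0,
    # where Get-LocalGroupMember is not available.
    $group = [ADSI]"WinNT://./$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://MYLAB/power; normalise to MYLAB\power
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# 1. Who may use the default endpoint the vCO/vRO plugin connects to?
$cfg = Get-PSSessionConfiguration -Name Microsoft.PowerShell
"Microsoft.PowerShell endpoint permissions: $($cfg.Permission)"

# 2. Is the account a direct member of the local groups that normally get access?
#    (Remote Management Users only exists from Server 2012 on; the catch handles that.)
foreach ($g in 'Administrators', 'Remote Management Users') {
    try {
        $members = @(Get-LocalGroupMemberNames $g)
        "{0,-25} direct member {1}: {2}" -f $g, $User, ($members -contains $User)
    } catch {
        "{0,-25} not present on this host" -f $g
    }
}

# 3. Effective check from a domain client (host name taken from the question):
#    the reply suggests comparing 'whoami /all' for the working and failing user.
#    Run these lines on the client, not on the WinRM host:
#    $cred = Get-Credential 'power@mylab.local'
#    Test-WSMan -ComputerName scripting.mylab.local -Authentication Kerberos -Credential $cred
#    Invoke-Command -ComputerName scripting.mylab.local -Credential $cred -ScriptBlock { whoami /groups }
```

The endpoint permission string and the group check together show whether the failing account is actually covered by the session configuration's ACL, which is what the Access Denied from winrscmd.dll reflects.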
UPDATE
I tried (in vain):
Just to recap:
You can try testing powershell remote access using winrs client
winrs -r:scripting.mylab.local -u:power@mylab.local powershell $host
Here is an example of adding a PowerShell host with a non-administrator user. The user is called PSUser@vmware.com and is a member of the BUILTIN\Administrators security group (not Domain Admins).
If you have not added it to the appropriate groups you might receive an error like yours or like this one:
Unauthorized Access. Authentication mechanism requested by the client may not be supported by the server. (Dynamic Script Module name : addPowerShellHost#16)
Best Regards / Поздрави
Spas Kaloferov | Technical Solutions Architect
Thanks
...can't test ATM directly, will do tonight. But a question: I'm using http; could that also be an issue?
HI,
Nope, HTTP works also. Just make sure to add the user in question to the BUILTIN\Administrators group. This is the only way it will work for this particular vCO scenario. I've prepared a blog post on this and will describe it there in more detail.
Best Regards / Поздрави
Spas Kaloferov | Technical Solutions Architect
So after testing this, it turned out to be related to my domain. As I suspected, it was a Windows problem; however, it was due to my domain setup. Whatever happened with my AD controller, after setting up a new domain and testing it again it worked out of the box and without as much stuff as I put in the first place.
Thanks everyone.
This is the WinRM setup you need:
And the user as described in the Spas Kaloferov setup.
HI,
That's great. Here the detailed post on the topic:
Adding vCO Powershell Host with account other than the default domain administrator account
Best Regards / Поздрави
Spas Kaloferov | Technical Solutions Architect