VMware Cloud Community
Windspirit (Hot Shot)

Orchestrator 5.5 PowerShell Plugin with Kerberos

Hi all,

so I'm tinkering around with the PowerShell plugin.

I successfully connected Orchestrator to a Win2k8R2 host via a shared Kerberos connection (HTTP) using administrator@mylab.local. However, I also created a domain user (member of the Domain Admins group) called power@mylab.local, but using this user as the one that connects to the PowerShell host fails with Access Denied.

I checked from another Windows host in the domain that I can use winrm with the power user:

winrm id -r:scripting.mylab.local -a:Kerberos -u:power@mylab.local

So the question is: what do I need to do to get the power user configured for the shared connection?

Error message in Orchestrator:

Cannot find [XPath: //w:Selector[@Name='ShellId']] in <?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
  <s:Header>
    <a:Action>http://schemas.dmtf.org/wbem/wsman/1/wsman/fault</a:Action>
    <a:MessageID>uuid:C0E368FE-D62F-47E6-B637-BFB956813C31</a:MessageID>
    <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
    <a:RelatesTo>uuid:F2AE72F0-1C6D-4FCE-9BA7-86882871F19B</a:RelatesTo>
  </s:Header>
  <s:Body>
    <s:Fault>
      <s:Code>
        <s:Value>s:Receiver</s:Value>
        <s:Subcode>
          <s:Value>w:InternalError</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="en-US">Access is denied.</s:Text>
      </s:Reason>
      <s:Detail>
        <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2147942405" Machine="scripting.mylab.local">
          <f:Message>
            <f:ProviderFault provider="Shell cmd plugin" path="%systemroot%\system32\winrscmd.dll">Access is denied.</f:ProviderFault>
          </f:Message>
        </f:WSManFault>
      </s:Detail>
    </s:Fault>
  </s:Body>
</s:Envelope>

(Dynamic Script Module name : addPowerShellHost#16)

WinRM config (scripting.mylab.local):

  • winrm quickconfig
  • winrm set winrm/config/service/auth @{Kerberos="true"}
  • winrm set winrm/config/service @{AllowUnencrypted="true"}
  • winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}
  • winrm s winrm/config/client @{TrustedHosts="vro"}
  • reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Kerberos config (vro.mylab.local) /usr/java/jre-vmware/lib/security/krb5.conf:

[libdefaults]
        default_realm = MYLAB.LOCAL
        # option name is udp_preference_limit (singular); the misspelt form is silently ignored
        udp_preference_limit = 1

[realms]
        MYLAB.LOCAL = {
                kdc = addns.mylab.local
                default_domain = mylab.local
        }

# section name is [domain_realm] (singular); an unknown section such as [domain_realms] is ignored
[domain_realm]
        .mylab.local = MYLAB.LOCAL
        mylab.local = MYLAB.LOCAL

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

Accepted Solution

SpasKaloferov (VMware Employee)
Hi,

Normally the following groups have remote PowerShell execution access:

[screenshot of the groups; image not preserved]

I'd suggest either adding the user to those groups or running [Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI] and adding it there explicitly.

If this doesn't work, I would suggest granting permissions to access %systemroot%\system32\winrscmd.dll: give your user permissions to the %systemroot% folder, the system32 folder and the winrscmd.dll file.

Another thing you can do is to log in to Windows and run [cmd > whoami /all] with the "working" user and the "non-working" user. Compare the output, and I would suggest adding the "non-working" user to the same groups as the "working" user. You might also assign the same privileges.

I see that you have found one of my articles below, so I do not think it is something connected with the vCO config or winrm.

Best Regards / Поздрави

Spas Kaloferov | Technical Solutions Architect

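The whoami /all comparison above can be scripted so that the check is done on the target host for the failing account without logging in as it. The following is an added example, not code from the thread or from the vCO plugin. One detail worth a check first: the fault body in the question names the "Shell cmd plugin" (winrscmd.dll), i.e. the winrs cmd shell, and access to that resource is gated by winrm/config/service/RootSDDL, whereas Set-PSSessionConfiguration edits the SDDL of the Microsoft.PowerShell endpoint. The script resolves the account's token groups (WindowsIdentity(UPN) performs an S4U logon, which needs a domain-joined host but no password) and tests them against both descriptors. Assumed: it runs in an elevated PowerShell on scripting.mylab.local, and power@mylab.local is the account from the thread.

```powershell
# Test-WinRMAccess.ps1 -- added example; not from the thread or the vCO plugin.
# Resolves the groups in a domain user's logon token and checks them against
# the two ACLs that gate a remote shell on this host:
#   - winrm/config/service/RootSDDL (governs the winrs "cmd" shell implemented
#     by winrscmd.dll, the provider named in the thread's fault), and
#   - the Microsoft.PowerShell endpoint SDDL that Set-PSSessionConfiguration edits.
# Assumed: run elevated on the WinRM host (scripting.mylab.local in the thread);
# power@mylab.local is the thread's account.
param([string]$UserPrincipalName = 'power@mylab.local')

function Get-TokenSids([string]$Upn) {
    # S4U logon: works for domain accounts on a domain-joined host, no password needed.
    # Groups include nested memberships, the same set "whoami /groups" prints.
    $id = New-Object System.Security.Principal.WindowsIdentity($Upn)
    return @($id.User) + @($id.Groups)
}

function Get-AceSids([string]$Sddl) {
    # Parse the SDDL string into allow/deny SID lists (RawSecurityDescriptor is .NET 2.0+).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allowed = @(); $denied = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { $allowed += $ace.SecurityIdentifier }
        elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) { $denied += $ace.SecurityIdentifier }
    }
    return @{ Allowed = $allowed; Denied = $denied }
}

function Resolve-Name([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { return $Sid.Value }
}

function Test-SddlGrantsToken([string]$Sddl, $TokenSids) {
    $token = @($TokenSids | ForEach-Object { $_.Value })
    $acl = Get-AceSids $Sddl
    # Deny ACEs take precedence over allow ACEs, so check them first.
    foreach ($sid in $acl.Denied)  { if ($token -contains $sid.Value) { return "DENIED by ACE for $(Resolve-Name $sid)" } }
    foreach ($sid in $acl.Allowed) { if ($token -contains $sid.Value) { return "ALLOWED via $(Resolve-Name $sid)" } }
    return "NO MATCHING ACE -> WinRM answers 'Access is denied'"
}

$sids = Get-TokenSids $UserPrincipalName
"Token of ${UserPrincipalName}:"
$sids | ForEach-Object { "  " + (Resolve-Name $_) }

$rootSddl = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
$psSddl   = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl
"RootSDDL (winrs cmd shell):         " + (Test-SddlGrantsToken $rootSddl $sids)
"Microsoft.PowerShell endpoint SDDL: " + (Test-SddlGrantsToken $psSddl $sids)
```

Run it once for the working administrator account and once for the failing one and compare the two token listings. By default both descriptors grant BUILTIN\Administrators, and Domain Admins is only covered because it is nested in the local Administrators group on every domain member; if the failing account's token lists Domain Admins but not BUILTIN\Administrators, that nesting is broken on the host and the result is exactly the "no matching ACE" case, with no file permission on winrscmd.dll involved.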
Windspirit (Hot Shot)

UPDATE

I tried (in vain):

Just to recap:

  • Kerberos vCO (vRO... we probably have to get used to that now) to Windows works and I can add a host using the domain administrator account.
  • The "normal" user is a member of the Domain Admins and Admin groups.
  • winrm auth from another Windows computer in the domain using Kerberos with the "normal" user is working.
  • The vCO app is configured with SSO.
  • To add a PowerShell host I use Kerberos, HTTP, shared session.
  • It works for local users that are members of the local Administrators group using basic authentication.
igaydajiev (VMware Employee)

You can try testing powershell remote access using winrs client

winrs -r:scripting.mylab.local -u:power@mylab.local powershell $host

SpasKaloferov (VMware Employee)

Here is an example of adding a PowerShell host with a non-administrator user. The user is called PSUser@vmware.com and is a member of the BUILTIN\Administrators security group (not Domain Admins).

[screenshots of the host configuration; images not preserved]

If you have not added it to the appropriate groups you might receive an error like yours or like this one:

Unauthorized Access. Authentication mechanism requested by the client may not be supported by the server. (Dynamic Script Module name : addPowerShellHost#16)

[screenshot of the error; image not preserved]

Best Regards / Поздрави

Spas Kaloferov | Technical Solutions Architect

Windspirit (Hot Shot)

Thanks

...can't test it directly at the moment... will do tonight. But a question... I'm using HTTP... could that also be an issue?

SpasKaloferov (VMware Employee)

Hi,

Nope, HTTP works also. Just make sure to add the user in question to the BUILTIN\Administrators group. This is the only way it will work for this particular vCO scenario. I've prepared a blog post on this and will describe it there in more detail.

[screenshot; image not preserved]

Best Regards / Поздрави

Spas Kaloferov | Technical Solutions Architect

Windspirit (Hot Shot)

So after testing this, it turned out to be related to my domain. As I suspected it was a Windows problem; however, it was due to my domain setup. Whatever happened with my AD controller, after setting up a new domain and testing it again it worked out of the box and without as much stuff as I put in in the first place.

Thanks everyone.

This is the WinRM setup you need:

  • winrm quickconfig
  • winrm set winrm/config/service/auth @{Kerberos="true"}
  • winrm set winrm/config/service @{AllowUnencrypted="true"}
  • winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}

And the User as described in the SpasKaloferov setup.
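Both WinRM setups in this thread (the one in the question and the final one just above) work, but two of the settings deserve a second look before the host is left that way: AllowUnencrypted="true" lets a client that does not negotiate SPNEGO message-level encryption send script and output as cleartext SOAP over HTTP, and LocalAccountTokenFilterPolicy=1 removes UAC token filtering for remote logons by local administrator accounts, which does nothing for a domain account such as power@mylab.local. The following script is an added example, not code from the thread or from the vCO plugin: it reads those settings from the WSMan: drive and the registry, reports the weak ones, and with -Harden applies a baseline that keeps Kerberos working (Kerberos on, Basic off, no unencrypted SOAP, an HTTPS listener). Whether the vCO plugin's client can do Kerberos message encryption is not stated anywhere in the thread; if it cannot, an HTTPS listener is the way to give it a transport it can use without AllowUnencrypted. Assumed: run elevated on the WinRM host; $HostFqdn defaults to the thread's scripting.mylab.local; $CertThumbprint is a placeholder for a server-authentication certificate matching that FQDN.

```powershell
# Audit-WinRM.ps1 -- added example; not from the thread or the vCO plugin.
# Reads the WinRM settings the thread's "winrm set" commands touch, flags the
# ones that weaken security, and with -Harden applies a tighter baseline that
# keeps Kerberos working: Kerberos on, Basic off, no unencrypted SOAP, HTTPS listener.
# Assumed: run in an elevated PowerShell on the WinRM host (scripting.mylab.local
# in the thread); $CertThumbprint is a placeholder for a server-auth certificate
# whose subject matches the host's FQDN.
param(
    [switch]$Harden,
    [string]$HostFqdn = 'scripting.mylab.local',
    [string]$CertThumbprint = '0000000000000000000000000000000000000000'  # placeholder
)

function Get-WSManValue([string]$Path) {
    # WSMan: provider items expose the setting as a string in .Value ("true"/"false").
    $item = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($item) { return $item.Value } else { return $null }
}

function Get-WinRMFindings {
    $f = @()
    if ((Get-WSManValue 'WSMan:\localhost\Service\Auth\Kerberos') -ne 'true') {
        $f += 'Kerberos auth disabled: domain accounts cannot authenticate with a ticket'
    }
    if ((Get-WSManValue 'WSMan:\localhost\Service\Auth\Basic') -eq 'true') {
        $f += 'Basic auth enabled: password travels in the SOAP header (cleartext unless HTTPS)'
    }
    if ((Get-WSManValue 'WSMan:\localhost\Service\AllowUnencrypted') -eq 'true') {
        $f += 'AllowUnencrypted=true: a client may send script and receive output as cleartext SOAP over HTTP'
    }
    $trusted = Get-WSManValue 'WSMan:\localhost\Client\TrustedHosts'
    if ($trusted) {
        $f += "TrustedHosts='$trusted': client-side setting, irrelevant to Kerberos; lets NTLM/Basic connect to those hosts without mutual authentication"
    }
    # Listener items carry their selectors in .Keys, e.g. "Transport=HTTP","Address=*".
    $transports = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        ($_.Keys | Where-Object { $_ -like 'Transport=*' }) -replace '^Transport=', ''
    }
    if (@($transports) -notcontains 'HTTPS') {
        $f += 'No HTTPS listener: only SPNEGO message-level encryption protects HTTP traffic'
    }
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    if ($pol -and $pol.LocalAccountTokenFilterPolicy -eq 1) {
        $f += 'LocalAccountTokenFilterPolicy=1: remote logons by local administrators get an unfiltered token (affects local accounts only, not domain users)'
    }
    return $f
}

function Set-WinRMHardenedBaseline {
    Set-Item WSMan:\localhost\Service\Auth\Kerberos -Value $true
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    # HTTPS listener bound to the host certificate; clients then connect on TCP 5986.
    $have = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if (-not $have) {
        New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
                          -ValueSet @{ Hostname = $HostFqdn; CertificateThumbprint = $CertThumbprint } | Out-Null
        netsh advfirewall firewall add rule name='WinRM HTTPS' dir=in action=allow protocol=TCP localport=5986 | Out-Null
    }
    # Not needed for domain accounts; removing it restores UAC filtering for remote local-admin logons.
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                        -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
}

$findings = @(Get-WinRMFindings)
if ($findings.Count -eq 0) { 'No weak WinRM settings found.' }
else { $findings | ForEach-Object { "WEAK: $_" } }
if ($Harden) { Set-WinRMHardenedBaseline; 'Hardened baseline applied; re-run without -Harden to verify.' }
```

Run it without -Harden first to see what the thread's setup reports; after -Harden, point the Orchestrator shared connection at the HTTPS listener (port 5986) and keep Kerberos as the authentication type. MaxMemoryPerShellMB from the thread is left alone: it affects resource limits, not access.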

SpasKaloferov (VMware Employee)

Hi,

That's great. Here the detailed post on the topic:

Adding vCO Powershell Host with account other than the default domain administrator account

http://kaloferov.com/blog/adding-vco-powershell-host-with-account-other-than-the-default-domain-admi...

Best Regards / Поздрави

Spas Kaloferov | Technical Solutions Architect