VMware Cloud Community
Transplant
Enthusiast

kerberos authentication with PowerShell Plugins

I added a krb5.conf file to my vCO server for use by my newly installed PowerShell 1.0.4 Plugins, but I was wondering if I can put multiple domains in there? We have about 5 domains that we provision servers across.

Any thoughts?

What about dom2, dom3, dom4?

[libdefaults]
default_realm = corp.dom1.com
udp_preference_limit = 1

[realms]
corp.dom1.com = {
  kdc = kdc.corp.dom1.com
  admin_server = corp.dom1.com
  default_domain = corp.dom1.com
  }

[domain_realms]
.domain.com=corp.dom1.com
domain.com=corp.dom1.com

12 Replies
Transplant
Enthusiast

Does anyone use PowerShell and vCO?

SpasKaloferov
VMware Employee

HI,

Currently the vCO authentication mechanism supports only one authentication domain. You do not need the vCO auth with PowerShell anyway. You do not need to configure the krb5.conf at all in this case. What you need is CredSSP/WinRM with the vCO PowerShell plugin.

Using CredSSP with the vCO PowerShell Plugin

http://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/

WinRM supports cross domain authentication.

Best Regards / Поздрави

Spas Kaloferov | Technical Solutions Architect

SpasKaloferov
VMware Employee

Hi ,

Yes a lot of people.

Best Regards / Поздрави

Spas Kaloferov | Technical Solutions Architect

Transplant
Enthusiast

Thanks so much for your response and for your article.

I had to modify the commands, adding the single quotes:

winrm set winrm/config/client/auth '@{Basic="true"}'

But I am not sure that I can make this work because of our group policies.

winrm : WSManFault
At line:2 char:1
+ winrm set winrm/config/client/auth '@{Basic="true"}'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (WSManFault:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    Message
        ProviderFault
            WSManFault
                Message = The config setting Basic cannot be changed because is controlled by policies. The policy would need to be set to "Not Configured" in order to change the config setting.
Error number:  -2144108406 0x8033808A

Cannot change GPO controlled setting.

I would really like to get these PowerShell Plugins working.

Transplant
Enthusiast

Maybe if we can get it working on one domain first.

igaydajiev
VMware Employee

It should be possible to configure multiple domains in the same krb5.conf file.

You should be able to use them as long as the user and PowerShell host are in the same domain.

In theory it should be possible even if they are in different domains, but I have not tested it.

Allowed syntax of krb5.conf file can be found here:

http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.4/doc/krb5-admin/krb5.conf.html

The krb5.conf file is not specific to vCO. The vCO PowerShell plugin uses the standard Java GSS-API for doing Kerberos authentication.

Introduction to JAAS and Java GSS-API Tutorials

Configuring Kerberos authentication has some caveats, and as already mentioned I would suggest getting it running with a single domain before trying with multiple.

SpasKaloferov
VMware Employee

HI,

Yes, you seem to have the WinRM config enforced via a domain-level GPO, so you should do the change from the domain GPOs. Keep in mind that the WinRM config I've given in the article has loosened security and allows all auth methods, etc. I've done this for the sole purpose of showing the config works. Once you get it to work you might want to secure WinRM as much as you can.

Best Regards / Поздрави

Spas Kaloferov | Technical Solutions Architect

SpasKaloferov
VMware Employee

Hi,

I think I might have misunderstood what you are trying to accomplish. I thought you are trying to:

-     use the PowerShell plugin and start a command which then needs to authenticate in another domain. If this is the case then CredSSP is your tool.

, but if you are trying to:

-     add multiple PS hosts in vCO, each host from a different domain,

then this is another story. Although this should theoretically work, I haven't tested it. I can try it though in the next days and will give you feedback.

Best Regards / Поздрави

Spas Kaloferov | Technical Solutions Architect

Dan_Linsley
VMware Employee

Yes, a teammate of mine has successfully made this work. Just make sure you have entries for each domain as realms and domain_realm like this in the krb5 file:

[libdefaults]
default_realm = CORP.DOM1.COM
udp_preference_limit = 1

[realms]
CORP.DOM1.COM = {
  kdc = kdc.corp.dom1.com
  kdc = kdc2.corp.dom1.com
  default_domain = corp.dom1.com
  }
CORP.DOM2.COM = {
  kdc = kdc.corp.dom2.com
  kdc = kdc2.corp.dom2.com
  default_domain = corp.dom2.com
  }
CORP.DOM3.COM = {
  kdc = kdc.corp.dom3.com
  kdc = kdc2.corp.dom3.com
  default_domain = corp.dom3.com
  }

[domain_realms]
.corp.dom1.com=CORP.DOM1.COM
corp.dom1.com=CORP.DOM1.COM
.corp.dom2.com=CORP.DOM2.COM
corp.dom2.com=CORP.DOM2.COM
.corp.dom3.com=CORP.DOM3.COM
corp.dom3.com=CORP.DOM3.COM

---------------------------------------------

Other tips: try it with one domain at a time. Also check the CASE. It may matter.

SpasKaloferov
VMware Employee

HI,

Here you will find more info. Special thanks to Ivo Gaydajiev.

How to add PowerShell hosts from multiple domains with Kerberos authentication to the same vRO

http://kaloferov.com/blog/how-to-add-powershell-hosts-from-multiple-domains-with-kerberos-authentica...

BR,

Spas Kaloferov

SpasKaloferov
VMware Employee

Dan,

You have an error in your file. It should be [domain_realm], not [domain_realms].

BR,

Spas Kaloferov

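Added example (not from this thread, the plugin, or VMware): a small Python checker for the two krb5.conf pitfalls raised in the replies, the misspelled [domain_realms] section and a realm name whose case does not match its [realms] definition, run over a constructed multi-realm file in Dan's layout.

```python
from collections import defaultdict

# Constructed sample in Dan's layout with both pitfalls the replies raise: the section is
# named [domain_realms], and one mapping targets a lower-case realm that [realms] defines upper-case.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = CORP.DOM1.COM
[realms]
  CORP.DOM1.COM = {
    kdc = kdc.corp.dom1.com
  }
  CORP.DOM2.COM = {
    kdc = kdc.corp.dom2.com
  }
[domain_realms]
  .corp.dom1.com = CORP.DOM1.COM
  .corp.dom2.com = corp.dom2.com
"""

def parse_krb5(text):
    # Map section -> {key: [values]}; a realm's { } block only registers the realm name.
    conf, section, depth = defaultdict(lambda: defaultdict(list)), None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1], 0
        elif line == "}":
            depth -= 1
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                depth += 1
                conf[section].setdefault(key, [])  # realm name as a key; kdc lines are nested
            elif depth == 0:
                conf[section][key].append(value)
    return conf

def check_krb5(text):
    """List the mistakes that silently break the domain-to-realm lookup."""
    conf, problems = parse_krb5(text), []
    realms = set(conf.get("realms", {}))
    if "domain_realms" in conf:                   # the typo Spas points out
        problems.append("section is named [domain_realms]; krb5 expects [domain_realm]")
    mappings = conf.get("domain_realm") or conf.get("domain_realms") or {}
    for domain, targets in mappings.items():
        for realm in targets:
            if realm not in realms:                # realm names are case-sensitive
                hint = " (case differs)" if realm.upper() in realms else ""
                problems.append(f"{domain} maps to {realm}, which is not in [realms]{hint}")
    return problems
```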
igaydajiev
VMware Employee

And you will also need the 1.0.6 version of the plugin, which is about to be released.
