VMware Cloud Community
manfriday
Enthusiast

PowerShell plugin, Kerberos Authentication and a "Server not found in Kerberos database" error

Hi,

I have set up VCO to use Kerberos for adding a PowerShell host before.

It works great.

I had to set up a second VCO instance to be able to talk to some clients behind a firewall via SSH and PowerShell. The "regular" VCO instance can't talk to these clients because opening ports for the working VCO is not an option.

So, the workaround was: I set up another VCO instance, got it added via the multi-node plugin, etc.

The issue came when I tried to add a server as a PowerShell host. I copied and pasted the krb5.conf file from the working VCO.

Everything is in the same domain as the "working" VCO/PowerShell host.

When I try to add the troublesome host I get the following error:

Workflow execution stack:

***

item: 'Add a PowerShell host/item8', state: 'failed', business state: 'null', exception: 'No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))) (Dynamic Script Module name : addPowerShellHost#19)'

workflow: 'Add a PowerShell host' (EF8180808080808080808080808080803D80808001270557368849c62c352aa82)

|  'attribute': name=errorCode type=string value=No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))) (Dynamic Script Module name : addPowerShellHost#19)

|  'attribute': name=sslUrl type=string value=https://powershellhost.fnal.gov:5986/wsman/

|  'input': name=name type=string value=powershellhost

|  'input': name=type type=string value=WinRM

|  'input': name=transportProtocol type=string value=HTTPS

|  'input': name=port type=string value=5986

|  'input': name=hostName type=string value=powershellhost.domain.com

|  'input': name=username type=string value=username@subdomain.domain.com

|  'input': name=password type=SecureString value=__NULL__

|  'input': name=sessionMode type=string value=Shared Session

|  'input': name=authentication type=string value=Kerberos

|  'input': name=acceptAllCertificates type=boolean value=true

|  'input': name=shellCodePage type=string value=IBM437

|  'output': name=host type=PowerShell:PowerShellHost value=null

*** End of execution stack.

I have consulted The Great Oracle (Google), and what it told me was that this is usually a DNS issue, but I have checked my DNS, and I can resolve the hostname, as well as all the KDCs.

I have looked at the firewall activity, and can see the VCO server talking to the KDC on port 88, the DNS servers on 53, and the PowerShell host on 5986. I don't think it's a firewall issue.

If anyone has any ideas, I'd appreciate it.

Jason

mhampto
VMware Employee

If you have not been through the troubleshooting in [vCO PowerShell plugin] How to set up and use Kerberos authentication - VMware vCenter Orchestrator ... this may help.

manfriday
Enthusiast

Thanks for your reply.

I actually just figured out what I was doing wrong.

Someone moved the PowerShell host from its original domain to one that had a one-way trust with that domain.

I'm not sure who, when, or why.

People were still logging in with the account from the old domain, as though nothing had changed.

But Kerberos didn't like it being in a different domain.

I can't decide if I am a genius for solving this problem or a moron for not finding it sooner.

I'm going with genius. It has a better ring to it.

Anyway, for anyone having similar issues, make sure your PowerShell host is actually in the domain you think it is in...

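One way to check the closing advice in this thread against a copied krb5.conf, as an added example that is not part of the original posts: the Python below resolves which realm the `[domain_realm]` section assigns to a host and compares it with the realm the host is actually joined to. It assumes the MIT krb5 lookup order (exact host entry first, then parent domains written with a leading dot); the config, host names and realms are constructed, and the actual realm is something the operator supplies after checking the host itself.

```python
# Added example: all host names, realms and the config below are constructed.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = CORP.EXAMPLE.COM

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
    .lab.corp.example.com = LAB.EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a {name: REALM} dict."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(hostname, mapping):
    """Assumed MIT order: exact host name, then each parent domain
    with a leading dot, most specific first."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None  # no entry in [domain_realm] for this host

def check_host(hostname, actual_realm, conf_text):
    """Compare the mapped realm with the realm the host is joined to."""
    mapped = realm_for_host(hostname, parse_domain_realm(conf_text))
    if mapped is None:
        return "unmapped"
    return "ok" if mapped == actual_realm else "mismatch"

if __name__ == "__main__":
    # Constructed case: ps02 was moved to another realm but kept its DNS name.
    for host, realm in [("ps01.corp.example.com", "CORP.EXAMPLE.COM"),
                        ("ps02.corp.example.com", "LAB2.EXAMPLE.COM"),
                        ("ps03.lab.corp.example.com", "LAB.EXAMPLE.COM")]:
        print(host, realm, check_host(host, realm, SAMPLE_KRB5_CONF))
```

A "mismatch" result means the client would ask a KDC in one realm for a service whose computer account lives in another, which is the situation the thread's resolution describes.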