VMware Cloud Community
PersonalSoftwar
Contributor

Run PowerShell scripts remotely using Orchestrator, solving the Kerberos double-hop issue

If you use VMware Orchestrator to run PowerShell scripts, you may already have faced the Kerberos double-hop issue. Here is a brief description from Microsoft: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=pow....

In a nutshell: if a script executed on the remote PowerShell host needs to access another server or network resource that requires authentication, it fails with a permission denied error. The host only holds a Kerberos ticket that proves who you are to itself; it has nothing it can forward to the next server, so the second hop is made without credentials.

To solve this issue a PowerShell module was created; you can get it here:

https://drive.google.com/file/d/1rYVhTbv9ygazfWxna1SnBi0K0h3XbwEy/view?usp=sharing

This module requires that a local file containing the encrypted password of the remote user exists on the server executing the PowerShell script.

For example, imagine you have the following scenario:

A vCO server --> (Windows Powershell host) --> calling another server or share (requires authentication)

Workflows that need access to resources outside the WinRM host will fail.

To avoid the permission denied error, you can use the PowerShell module above. What it does is enable the current PowerShell session to run with the credentials of the user calling the workflow.

Because vCO does not send the credentials to the Windows server, any attempt to reach other servers or shares from that server fails.

To keep security as high as possible, the module requires each PowerShell host to have a local encrypted password file containing the password of the user running the workflows.

If you run the workflow as a specific user such as vCOUser, then the password for vCOUser must be stored encrypted somewhere on the Windows PowerShell host.

Because the module implements extra cmdlets, there is the option to encrypt the password using an entropy string; in that case the password can only be decrypted on that server, by that user account, and with the same entropy key. To keep security at its highest, the entropy key should be passed by the workflow as a PowerShell argument rather than stored next to the file. Two caveats worth keeping in mind: the protection is bound to the Windows account and machine that created the file (the same scheme the built-in ConvertFrom-SecureString cmdlet uses when no -Key is given), so anyone who can run code as that account on that host and knows the entropy can recover the password; and an entropy value passed as a workflow argument is visible to anyone who can read the workflow's inputs or logs, so treat it as a secret. The linked Microsoft page also describes alternatives such as Kerberos constrained delegation that avoid keeping a password on the host at all; the module is the pragmatic option when those cannot be configured.

To create the password file and start using the module, open a PowerShell session and run the following commands to check the available cmdlets:

# import the module (path to the DLL)
Import-Module .\vCOEnableRemoteAuthentication.dll

# check the available commands; the module name is the DLL's base name, without the extension
Get-Command -Module vCOEnableRemoteAuthentication

The module has 4 cmdlets. ConvertFrom-SecureString and ConvertTo-SecureString are implementations of the SecureStringFunctions module found at https://gallery.technet.microsoft.com/scriptcenter/Add-optional-entropy-to-2519d9fd; they have the same names as the built-in cmdlets, and the module's versions are the ones that accept the -Entropy parameter. If the wrong one is being picked up, call them module-qualified, e.g. vCOEnableRemoteAuthentication\ConvertTo-SecureString.

The cmdlet ConvertFrom-PlainTextString is a new cmdlet that helps automate the password file generation.

To create the encrypted password file on the remote Windows PowerShell host, run the following interactively as the account that will execute the workflows (the plain-text password ends up in your PowerShell command history, so clear the history afterwards):

# import the module
Import-Module .\vCOEnableRemoteAuthentication.dll

# create an encrypted password file; specify the entropy to increase security
ConvertFrom-PlainTextString -PlainTextString ThepasswordOfTheUserExecutingScripts -Entropy MySecret | Out-File pathToFileWithEncriptedPassword.txt

To create the PowerShell script that Orchestrator will execute with remote authentication enabled, so that it can reach remote servers or network resources:

# import the dependent module first
Import-Module Microsoft.PowerShell.Security -Global

# import the vCO module
Import-Module .\vCOEnableRemoteAuthentication.dll

# read the password file into a SecureString object (same entropy used when the file was created)
$securestring = Get-Content pathToFileWithEncriptedPassword.txt | ConvertTo-SecureString -Entropy MySecret

# enable the remote authentication using the secure string created above
Enable-vCORemoteAuthentication -SecureStringPassword $securestring

# you can also get the plain-text password from the secure string; only do this if a downstream tool really needs it, since it then sits in memory as clear text
$UnsecurePassword = $securestring | ConvertFrom-SecureString -AsPlainText -Force

# that's it: the current session can now access the resources the stored credentials have access to
$filecontents = Get-Content '\\windowsshare\path\tofile.txt'

Attention: the cmdlet only enables remote authentication if it detects that it is being executed remotely; otherwise you will receive a message like this:

Current session is not being executed remotely. vCO remote authentication not enabled.
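The following is an added example and not code from the module or from the post above. It shows, with built-in .NET calls only, the same pattern the module relies on: a password file protected with DPAPI plus caller-supplied entropy, locked down with a file ACL, decryptable only by the same account on the same machine; the "am I running remotely?" check via $PSSenderInfo; and the second hop made by handing the recovered credential explicitly to New-PSDrive, which is one of the workarounds on the Microsoft page linked above. The file path, account name and UNC path are placeholders.

```powershell
# Added example, not the vCOEnableRemoteAuthentication module. Placeholder values
# (file path, account, share) are assumptions; adapt them to your environment.
Add-Type -AssemblyName System.Security

function Protect-PasswordFile {
    param(
        [Parameter(Mandatory)][SecureString]$Password,
        [Parameter(Mandatory)][string]$Entropy,
        [Parameter(Mandatory)][string]$Path
    )
    # Pull the clear text out of the SecureString only for the duration of the call.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # DPAPI, CurrentUser scope: the blob is bound to this Windows account on this
    # machine, and the entropy is a second secret that must be presented to unprotect.
    $blob = [Security.Cryptography.ProtectedData]::Protect(
        [Text.Encoding]::UTF8.GetBytes($plain),
        [Text.Encoding]::UTF8.GetBytes($Entropy),
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Convert]::ToBase64String($blob) | Set-Content -Path $Path -Encoding ASCII

    # Restrict the file to the account that will read it (the current user):
    # stop inheriting ACEs, then grant only ourselves.
    $me  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function Unprotect-PasswordFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Entropy
    )
    $blob = [Convert]::FromBase64String((Get-Content -Path $Path -Raw).Trim())
    try {
        $bytes = [Security.Cryptography.ProtectedData]::Unprotect(
            $blob,
            [Text.Encoding]::UTF8.GetBytes($Entropy),
            [Security.Cryptography.DataProtectionScope]::CurrentUser)
    } catch [Security.Cryptography.CryptographicException] {
        # Wrong entropy, a different user account, or the file copied to another machine.
        throw "Cannot unprotect ${Path}: wrong entropy, user or machine"
    }
    $secure = ConvertTo-SecureString -String ([Text.Encoding]::UTF8.GetString($bytes)) -AsPlainText -Force
    [Array]::Clear($bytes, 0, $bytes.Length)   # do not leave the clear text lying around
    return $secure
}

function Test-IsRemoteSession {
    # $PSSenderInfo is only populated inside a WinRM / PSSession-hosted session.
    return ($null -ne $PSSenderInfo)
}

function Get-RemoteFileWithStoredCredential {
    param(
        [Parameter(Mandatory)][string]$PasswordFile,
        [Parameter(Mandatory)][string]$Entropy,        # arrives as a workflow argument, never stored on disk
        [Parameter(Mandatory)][string]$UncPath,        # e.g. \\fileserver\share\path\file.txt (assumed)
        [string]$UserName = 'CONTOSO\vCOUser'          # assumed account name
    )
    if (-not (Test-IsRemoteSession)) {
        Write-Warning 'Current session is not being executed remotely. Nothing to do.'
        return $null
    }
    $cred = New-Object PSCredential($UserName, (Unprotect-PasswordFile -Path $PasswordFile -Entropy $Entropy))
    # Second-hop workaround: present the credential explicitly to the file server by
    # mapping the share with it, instead of relying on a forwarded Kerberos ticket.
    $root = Split-Path -Parent $UncPath
    New-PSDrive -Name 'hop' -PSProvider FileSystem -Root $root -Credential $cred | Out-Null
    try     { return Get-Content -Path ('hop:\' + (Split-Path -Leaf $UncPath)) }
    finally { Remove-PSDrive -Name 'hop' -Force }
}

# One-time setup, run interactively on the PowerShell host as the workflow account:
#   Protect-PasswordFile -Password (Read-Host -AsSecureString 'vCOUser password') -Entropy 'MySecret' -Path 'C:\vco\vcouser.dpapi'
# In the script Orchestrator runs (with $Entropy supplied by the workflow):
#   Get-RemoteFileWithStoredCredential -PasswordFile 'C:\vco\vcouser.dpapi' -Entropy $Entropy -UncPath '\\fileserver\share\path\file.txt'
```

Calling Unprotect-PasswordFile with a different entropy, from another account, or on a copy of the file taken to another machine raises the CryptographicException caught above, which is the property the post relies on when it says the file can only be decrypted on that server with that entropy key. The explicit New-PSDrive credential is the part that actually crosses the second hop; it works regardless of how the session was started, so Test-IsRemoteSession here only mirrors the module's behaviour of doing nothing in a local session.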
