R_Noble
Contributor

VRO v8.4: Add a PowerShell host: "Connection with PowerShell server can not be validate"

Hello everyone.

I am reaching out to see if I could please get some assistance with this issue.

I am trying to follow the workflow to add a PowerShell host to my VRO appliance (vRealize Orchestrator 8.3.0 (17522798)).

I am attempting to authenticate over HTTP with either Basic or Kerberos authentication methods and I am getting nowhere.

Here is my WinRM configuration on my PowerShell host:

Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = true
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

I believe I have verified that WinRM is configured correctly as per the below:

PS C:\temp\etl2pcapng\x64> winrm identify -r:http://XXXXX:5985 -auth:Kerberos -u:XXX@XXX -encoding:utf-8
Enter the password for 'XXX@XXX' to connect to 'http://XXXXX:5985':
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 10.0.17763 SP: 0.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/basic, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos

This is the entire error from the Workflow:

item: 'Add a PowerShell host/item8', state: 'failed', business state: 'null', exception: 'Connection with PowerShell server can not be validate. Check server log for more details. (Dynamic Script Module name : addPowerShellHost#25)'
workflow: 'Add a PowerShell host' (EF8180808080808080808080808080803D80808001270557368849c62c352aa82)
| 'attribute': name=errorCode type=string value=Connection with PowerShell server can not be validate. Check server log for more details. (Dynamic Script Module name : addPowerShellHost#25)
| 'attribute': name=sslUrl type=string value=
| 'input': name=name type=string value=XXXX (Hostname)
| 'input': name=type type=string value=WinRM
| 'input': name=transportProtocol type=string value=HTTP
| 'input': name=port type=string value=5985
| 'input': name=hostName type=string value=XXXXX (Hostname)
| 'input': name=username type=string value=XXX@XXX (Username)
| 'input': name=password type=SecureString value=__NULL__
| 'input': name=sessionMode type=string value=Shared Session
| 'input': name=authentication type=string value=Kerberos
| 'input': name=acceptAllCertificates type=boolean value=true
| 'input': name=shellCodePage type=string value=UTF8
| 'input': name=idleTimeout type=number value=
| 'output': name=host type=PowerShell:PowerShellHost value=null
*** End of execution stack.

I can curl from the VRO Appliance to the PowerShell host without any issues too:

root@vro-1 [ /data/vco/usr/lib/vco/app-server/conf ]# curl -v telnet://XXXXX:5985
* Rebuilt URL to: telnet://XXXXX:5985/
* Trying 10.161.224.231...
* TCP_NODELAY set
* Connected to XXXXXX (10.161.224.231) port 5985 (#0)
^C

I am seeing some Kerberos errors in the logs:

>>> KdcAccessibility: remove KDC
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError: sTime is Thu May 13 07:34:12 GMT 2021 1620891252000 suSec is 657854 error code is 25 error Message is Additional pre-authentication required sname is krbtgt/DOMAIN@REALM eData provided. msgType is 30

So I created a local user on my PowerShell host and gave it local administrator access.

I also changed the authentication method to Basic when attempting this connection, but nothing I do makes any difference.

Could someone please assist me?

Kind regards