2 Replies Latest reply on May 15, 2019 5:30 AM by orian

    Remote powershell timeout

    orian Enthusiast

      Hi,

      I have an old environment with Orchestrator version 7.3.

      This environment is connected to a domain named main.contoso.co.il.

      I connected 3 remote PowerShell sessions to this environment (Add a PowerShell host).

      I can run PowerShell scripts on these hosts without errors.

      I have 3 different domains: main.contoso.co.il, mngt.contoso.co.il, dev.contoso - there is no trust between them.

      Each host I connected to the old environment is in a different domain.

      I created a new environment with Orchestrator version 7.5.

      This environment is connected to a domain named contoso.co.il.

      I try to run the "Add a PowerShell host" workflow on the same hosts as in the old environment, but I receive a timeout error:

      [2019-05-02 20:20:31.387] [E] Workflow execution stack:
      ***
      item: 'Add a PowerShell host/item8', state: 'failed', business state: 'null', exception: 'Receive timed out (Dynamic Script Module name : addPowerShellHost#19)'
      workflow: 'Add a PowerShell host' (EF8180808080808080808080808080803D80808001270557368849c62c352aa82)
      |  'attribute': name=errorCode type=string value=Receive timed out (Dynamic Script Module name : addPowerShellHost#19)
      |  'attribute': name=sslUrl type=string value=
      |  'input': name=name type=string value=Ex3
      |  'input': name=type type=string value=WinRM
      |  'input': name=transportProtocol type=string value=HTTP
      |  'input': name=port type=string value=5985
      |  'input': name=hostName type=string value=Ex3.dev.contoso
      |  'input': name=username type=string value=admin@dev.contoso
      |  'input': name=password type=SecureString value=__NULL__
      |  'input': name=sessionMode type=string value=Shared Session
      |  'input': name=authentication type=string value=Kerberos
      |  'input': name=acceptAllCertificates type=boolean value=false
      |  'input': name=shellCodePage type=string value=UTF8
      |  'output': name=host type=PowerShell:PowerShellHost value=null
      *** End of execution stack.

      I also updated the /etc/krb5.conf file with the other domains (and restarted the appliance):

      [libdefaults]
        default_keytab_name = /etc/krb5.keytab
        default_realm = CONTOSO.CO.IL
        default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
        default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
        preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
        dns_lookup_kdc = true
        pkinit_kdc_hostname = <DNS>
        pkinit_anchors = DIR:/var/trusted_certs
        pkinit_cert_match = <EKU>msScLogin
        pkinit_eku_checking = kpServerAuth
        pkinit_win2k_require_binding = false
        pkinit_identities = PKCS11:/opt/likewise/lib64/libpkcs11wrapper.so
      #       default_realm = EXAMPLE.COM

      [realms]
        CONTOSO.CO.IL = {
          auth_to_local = RULE:[1:$0\$1](^CONTOSO\.CO\.IL\\.*)s/^CONTOSO\.CO\.IL/CONTOSO/
          auth_to_local = RULE:[1:$0\$1](^CONTOSO\.CO\.IL\\.*)s/^CONTOSO\.CO\.IL/CONTOSO/
          auth_to_local = DEFAULT
        }
        MNGT.CONTOSO.CO.IL = {
          kdc = ad2.mngt.contoso.co.il
          admin_server = ad2.mngt.contoso.co.il
        }
        MAIN.CONTOSO.CO.IL = {
          kdc = ad1.main.contoso.co.il
          admin_server = ad1.main.contoso.co.il
        }
        DEV.CONTOSO = {
          kdc = ad4.dev.contoso
          admin_server = ad4.dev.contoso
        }
      #       EXAMPLE.COM = {
      #                kdc = kerberos.example.com
      #               admin_server = kerberos.example.com
      #       }

      [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

      [domain_realm]
        .contoso.co.il = CONTOSO.CO.IL
        .mngt.contoso.co.il = MNGT.CONTOSO.CO.IL
        .main.contoso.co.il = MAIN.CONTOSO.CO.IL
        .dev.contoso = DEV.CONTOSO

      [appdefaults]
        pam = {
          mappings = CONTOSO\\(.*) $1@CONTOSO.CO.IL
          forwardable = true
          validate = true
        }
        httpd = {
          mappings = CONTOSO\\(.*) $1@CONTOSO.CO.IL
          reverse_mappings = (.*)@CONTOSO\.CO\.IL CONTOSO\$1
        }

      From the Orchestrator appliance, ping commands to the other domains and KDC servers succeed.

      The strange thing is that I cannot see any activity in the firewall between the old Orchestrator appliance and the hosts I try to connect to on port 5985.

      I see only the ICMP (ping command) activity in the firewall.

      What am I missing?

      On the hosts everything is configured correctly (WinRM configuration), because the old Orchestrator is connected to the same hosts I am trying to connect to from the new one.
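As an added example (not from the original post or from the Orchestrator product), a small Python check that walks the posted krb5.conf the way MIT krb5 resolves a host: a [domain_realm] suffix match to a realm, then [realms] for that realm's kdc, plus a case-sensitive comparison of the principal's realm (the workflow input above uses admin@dev.contoso while the realm is defined as DEV.CONTOSO, and Kerberos realm names are case-sensitive). The embedded config is a trimmed copy constructed from the one posted; the function names are assumptions.

```python
"""Added example, not from the post: map a WinRM host name to its Kerberos realm and KDC
from krb5.conf as MIT krb5 does, and compare the principal's realm against it."""

# Constructed sample: a trimmed copy of the krb5.conf shown in the post.
KRB5_CONF = """
[libdefaults]
  default_realm = CONTOSO.CO.IL
  dns_lookup_kdc = true
[realms]
  DEV.CONTOSO = {
      kdc = ad4.dev.contoso
  }
[domain_realm]
  .contoso.co.il = CONTOSO.CO.IL
  .dev.contoso = DEV.CONTOSO
"""

def parse_krb5(text):
    """Each [section] becomes a dict; a 'REALM = { ... }' block becomes a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return conf

def realm_for_host(conf, host):
    """Exact host entry first, then each parent domain with a leading dot, else default_realm."""
    dr = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().split(".")
    candidates = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((dr[c] for c in candidates if c in dr), conf["libdefaults"]["default_realm"])

def diagnose(conf, host, principal):
    """Findings for one 'Add a PowerShell host' input: realm, configured KDC, realm spelling."""
    realm = realm_for_host(conf, host)
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc")   # None -> DNS SRV lookup only
    user_realm = principal.partition("@")[2]
    return {"realm": realm, "kdc": kdc,
            "principal_realm_matches": user_realm == realm}  # realm names are case-sensitive
```

Running diagnose(parse_krb5(KRB5_CONF), "Ex3.dev.contoso", "admin@dev.contoso") reports realm DEV.CONTOSO with KDC ad4.dev.contoso but a principal realm that does not match the configured spelling.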