Hi
I am trying to set up the vCO PS plugin and can only make it work if my host is in the same realm as the one defined in "default_realm" in the krb5.conf. See the krb5.conf example below:
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    udp_preference_limit = 1
[realms]
    CHILD1.EXAMPLE.COM = {
        kdc = ckdc1.child1.example.com
    }
    CHILD2.EXAMPLE.COM = {
        kdc = ckdc2.child2.example.com
    }
With the above krb5.conf, I am only able to authenticate if my PowerShell host has a name such as "PSHOST.EXAMPLE.COM". If I try to connect to another host such as PSHOST.CHILD1.EXAMPLE.COM it fails. The network capture for the failed authentication indicates that I am able to get a valid TGT for the user from the correct domain, but then vCO starts to search for the SPN in the domain/realm given in default_realm. So if my userid is user@CHILD1.EXAMPLE.COM, the Kerberos TGT is correctly given by "ckdc1.child1.example.com", but for the TGS (which is HTTP/PSHOST.CHILD1.EXAMPLE.COM) the client searches in the KDC for EXAMPLE.COM, which doesn't have it, and this fails the authentication. If I change my default_realm to "CHILD1.EXAMPLE.COM" everything works as expected.
All domains are part of the same AD forest with two way transitive trusts.
Any help in resolving this issue is appreciated.
I see that the [domain_realm] section is missing in your krb5.conf file (krb5.conf — MIT Kerberos Documentation):
[domain_realms]
.child1.example.com=CHILD1.EXAMPLE.COM
child1.example.com=CHILD1.EXAMPLE.COM
.child2.example.com=CHILD2.EXAMPLE.COM
child2.example.com=CHILD2.EXAMPLE.COM
Hi
Same result, the TGT is granted correctly for the user but the TGS request is sent to the domain which is defined as the default_realm. If I set the default_realm to be the realm/domain of the PowerShell host, then it works.
I just spotted a typo in my previous example
[domain_realms] should be [domain_realm]
And also note that when you make changes to the krb5.conf file you need to restart the vCO server.
To be sure that your change has been taken into account you can delete the default domain.
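An added example, not from this thread: a small Python script that applies the MIT-style [domain_realm] lookup (exact host first, then each parent domain with a leading dot) to a constructed krb5.conf, showing why a missing or misspelled section sends the HTTP/PSHOST.CHILD1.EXAMPLE.COM ticket request to the default_realm KDC. The parser, the `host_realm` helper and the sample config are assumptions for illustration; DNS realm lookup and KDC referrals are not modelled.

```python
"""Which realm will a Kerberos client ask for a host's service ticket?
Simplified model of krb5.conf [domain_realm] resolution for diagnosis."""

# Constructed sample config, based on the thread's example plus a
# correctly spelled [domain_realm] section (not the poster's actual file).
KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
CHILD1.EXAMPLE.COM = {
  kdc = ckdc1.child1.example.com
}
[domain_realm]
.child1.example.com = CHILD1.EXAMPLE.COM
child1.example.com = CHILD1.EXAMPLE.COM
.child2.example.com = CHILD2.EXAMPLE.COM
child2.example.com = CHILD2.EXAMPLE.COM
"""

def parse_krb5(text):
    """Return {section: {key: value}} for flat 'key = value' lines.
    Brace-delimited realm blocks are skipped; only flat keys are needed here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()          # section names are case-insensitive
            sections.setdefault(current, {})
        elif line.endswith('{'):
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 0 and current and '=' in line:
            key, _, value = line.partition('=')
            sections[current][key.strip().lower()] = value.strip()
    return sections

def host_realm(sections, host):
    """Try the full host name, then '.child1.example.com', '.example.com', '.com'.
    Returns (realm, rule) where rule names the entry that decided it."""
    mapping = sections.get('domain_realm', {})
    host = host.lower().rstrip('.')
    candidates, idx = [host], host.find('.')
    while idx != -1:
        candidates.append(host[idx:])             # parent domain, leading dot kept
        idx = host.find('.', idx + 1)
    for cand in candidates:
        if cand in mapping:
            return mapping[cand], 'domain_realm ' + cand
    # No mapping at all: the client falls back to default_realm, so the TGS-REQ
    # for HTTP/<host> goes to that realm's KDC, which is the failure in the thread.
    return sections['libdefaults']['default_realm'], 'default_realm fallback'
```

Running `host_realm(parse_krb5(KRB5_CONF), 'PSHOST.CHILD1.EXAMPLE.COM')` yields CHILD1.EXAMPLE.COM; renaming the section to [domain_realms] makes the same host fall back to EXAMPLE.COM.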
Hi
I already had a blank [domain-realm] section in krb5.conf so this can be ruled out. I do restart the vCO server after a change is made to krb5.conf. I have been working on this for the past several days and have tried pretty much every possible krb5.conf configuration. I have also confirmed that if I connect to WinRM from a standard Linux host, everything works as expected. To me it seems that the vCO implementation only uses the value in default_realm and ignores the rest of the krb5.conf. I did add many incorrect values in krb5.conf and it continued to work as long as I have default_realm set to the same value as my PS host.
Thanks for your help
I will try to find some time to test it in my environment.
Hi All,
For a complete setup of vCO PowerShell Kerberos authentication check this article:
http://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/
Best Regards
Spas Kaloferov | Technical Solutions Architect