VMware Cloud Community
syedaf
Contributor

VCO 5.5 Kerberos Authentication not working for PowerShell Plugin


Hi

I am trying to set up the VCO PS plugin and can only make it work if my host is in the same realm as the one defined in "default_realm" in the krb5.conf. See the krb5 example below:

[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
CHILD1.EXAMPLE.COM = {
        kdc = ckdc1.child1.example.com
}
CHILD2.EXAMPLE.COM = {
        kdc = ckdc2.child2.example.com
}

With the above krb5.conf, I am only able to authenticate if my PowerShell host has a name such as "PSHOST.EXAMPLE.COM". If I try to connect to another host such as PSHOST.CHILD1.EXAMPLE.COM it fails. The network capture for the failed authentication indicates that I am able to get a valid TGT for the user from the correct domain, but then the VCO starts to search for the SPN in the domain/realm given in default_realm. So if my userid is user@CHILD1.EXAMPLE.COM, the Kerberos TGT is correctly given by "ckdc1.child1.example.com", but for the TGS (which is HTTP/PSHOST.CHILD1.EXAMPLE.COM) the client searches in the KDC for EXAMPLE.COM, which doesn't have it, and this fails the authentication. If I change my default_realm to "CHILD1.EXAMPLE.COM" everything works as expected.

All domains are part of the same AD forest with two way transitive trusts.

Any help in resolving this issue is appreciated.

6 Replies
igaydajiev
VMware Employee

I see that the [domain_realm] section is missing in your krb5.conf file (krb5.conf — MIT Kerberos Documentation)

[domain_realms]
.child1.example.com=CHILD1.EXAMPLE.COM
child1.example.com=CHILD1.EXAMPLE.COM
.child2.example.com=CHILD2.EXAMPLE.COM
child2.example.com=CHILD2.EXAMPLE.COM

syedaf
Contributor

Hi

Same result, the TGT is granted correctly for the user but the TGS request is sent to the domain which is defined as the default_realm. If I set the default_realm to be the realm/domain of the PowerShell host, then it works.


igaydajiev
VMware Employee

I just spotted a typo in my previous example

[domain_realms] should be [domain_realm]


And also note that when you make changes to the krb5.conf file you need to restart the vCO server.


To be sure that your change has been taken into account you can delete the default domain.

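To make the realm selection discussed in this thread concrete, here is an added Python sketch (not from the thread, and not the vCO plugin's own code) that applies the MIT [domain_realm] rules to a krb5.conf constructed after the one posted above, and shows why a missing or misspelt section leaves every host-based SPN lookup pointed at default_realm.

```python
import re

# Constructed krb5.conf modelled on the one posted above (example names only).
# The [realms] KDC blocks are left out: they apply only after the realm for
# the SPN has been chosen, which is the step this example walks through.
KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM

[domain_realm]
.child1.example.com = CHILD1.EXAMPLE.COM
child1.example.com = CHILD1.EXAMPLE.COM
.child2.example.com = CHILD2.EXAMPLE.COM
child2.example.com = CHILD2.EXAMPLE.COM
"""


def parse_krb5(text):
    """Minimal reader for flat 'key = value' lines: {section: {key: value}}.
    Keys are lowercased so hostname lookups are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections


def realm_for_host(sections, host):
    """Realm for a host-based SPN (HTTP/<host>) per the MIT [domain_realm]
    rules: exact hostname entry first, then the longest parent domain written
    with a leading dot, otherwise default_realm (real libkrb5 may also consult
    DNS or KDC referrals before giving up). A misspelt section such as
    [domain_realms] is just an unknown section: the mapping is empty and the
    TGS-REQ goes to the default realm, the symptom seen in this thread."""
    mapping = sections.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return sections["libdefaults"]["default_realm"]
```

Running `realm_for_host(parse_krb5(KRB5_CONF), "PSHOST.CHILD1.EXAMPLE.COM")` yields CHILD1.EXAMPLE.COM, while the same call against a copy of the file with the header spelt [domain_realms] yields EXAMPLE.COM.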
syedaf
Contributor

Hi

I already had a blank [domain-realm] section in krb5 so this can be ruled out. I do restart the vCO server after a change is made to krb5. I have been working on this for the past several days and have tried pretty much every possible krb5 configuration. I have also confirmed that if I connect to WinRM from a standard Linux host, everything works as expected. To me it seems that the vCO implementation only uses the value in default_realm and ignores the rest of the krb5. I did add many incorrect values in krb5 and it continued to work as long as I had default_realm set to the same value as my PS host.

Thanks for your help

igaydajiev
VMware Employee

I will try to find some time to test it in my environment.

SpasKaloferov
VMware Employee

Hi All,

For a complete setup of vCO PowerShell Kerberos authentication, check this article:

Using CredSSP with the vCO PowerShell Plugin

http://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/

Best Regards

Spas Kaloferov | Technical Solutions Architect
