Configuring vRealize Orchestrator and WinRM Host for Kerberos Authentication

To use the vRealize Orchestrator PowerShell plug-in for interaction between the vRealize Orchestrator appliance and Windows PowerShell, you must add a PowerShell Host to your vRealize Orchestrator configuration. This allows workflows to interact with Windows PowerShell and, optionally, PowerCLI and the vCenter Server system.

The PowerShell plug-in supports communication over the WinRM and SSH protocols. In this article we will concentrate on WinRM as the communication protocol, over HTTPS with Kerberos authentication. Enable Kerberos authentication on the WinRM host by invoking the following from a command prompt with elevated privileges:

winrm s winrm/config/service/auth @{Kerberos="true"}

To communicate with WinRM over HTTPS, a server authentication certificate is required. In this example we will create a self-signed certificate using the New-SelfSignedCertificate cmdlet and store it in the My certificate store of the local machine.

New-SelfSignedCertificate -DnsName dean1.dean.local -CertStoreLocation Cert:\LocalMachine\My

On generation of the certificate, the thumbprint and subject are written to the console session. Make a note of the certificate thumbprint, as it is required when creating the HTTPS listener configuration.

Thumbprint                                 Subject
----------                                 -------
C9C982AF1CFDC65CCDD7A30AC661F2D9CDC3F127   CN=dean1.dean.local

From the command prompt with elevated privileges, we will create an HTTPS listener for the WinRM service, specifying the FQDN of the WinRM host, the certificate thumbprint of the generated self-signed certificate and the TCP service port ‘5986’.

winrm create winrm/config/listener?Address=*+Transport=HTTPS '@{Hostname="dean1.dean.local";CertificateThumbprint="C9C982AF1CFDC65CCDD7A30AC661F2D9CDC3F127";port="5986"}'

Following successful creation of the HTTPS listener, you should receive output similar to the below:

 Address =
 ResourceURI =
 Selector: Address = *, Transport = HTTPS

To allow inbound connectivity to the remote WinRM host, where applicable we need to create a firewall rule permitting communication on TCP service port 5986, modelled on the built-in Windows Remote Management (HTTP-In) rule. We can achieve this by invoking the ‘New-NetFirewallRule’ cmdlet.

New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP
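The following PowerShell script is an added post-configuration check, not part of the original article: run in an elevated session on the WinRM host, it verifies the result of each of the steps above (Kerberos auth, certificate, HTTPS listener, firewall rule, open port). The host name, thumbprint, port and rule name are the article's example values and are assumed; replace them with your own.

```powershell
# Added verification script (not from the original article). Defaults are the
# article's example values; override them with parameters for your environment.
param(
    [string]$HostFqdn   = 'dean1.dean.local',
    [string]$Thumbprint = 'C9C982AF1CFDC65CCDD7A30AC661F2D9CDC3F127',
    [int]$Port          = 5986,
    [string]$RuleName   = 'Windows Remote Management (HTTPS-In)'
)

$results = [ordered]@{}

# 1. Kerberos must be enabled on the WinRM service (the 'winrm s' step).
$kerb = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value
$results['KerberosAuthEnabled'] = ($kerb -eq 'true')

# 2. The self-signed certificate must exist in LocalMachine\My, be unexpired
#    and carry the host FQDN as its subject.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
$results['CertificatePresent'] = [bool]$cert
$results['CertificateValid']   = [bool]$cert -and ($cert.NotAfter -gt (Get-Date)) -and
                                 ($cert.Subject -eq "CN=$HostFqdn")

# 3. An HTTPS listener must be bound to that certificate on the expected port.
$listenerOk = $false
$httpsListeners = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
foreach ($l in $httpsListeners) {
    $props = @{}
    Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" |
        ForEach-Object { $props[$_.Name] = $_.Value }
    if ($props['CertificateThumbprint'] -eq $Thumbprint -and [int]$props['Port'] -eq $Port) {
        $listenerOk = $true
    }
}
$results['HttpsListenerBound'] = $listenerOk

# 4. The inbound firewall rule must exist, be enabled and open the listener port.
$rule  = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$ports = if ($rule) { ($rule | Get-NetFirewallPortFilter).LocalPort } else { @() }
$results['FirewallRuleOpen'] = [bool]$rule -and ($rule.Enabled -eq 'True') -and ($ports -contains "$Port")

# 5. The port must actually accept TCP connections on the host's FQDN.
$results['PortListening'] = (Test-NetConnection -ComputerName $HostFqdn -Port $Port `
                             -WarningAction SilentlyContinue).TcpTestSucceeded

[pscustomobject]$results
```

Every property should report True before moving on to the vRealize Orchestrator side. Because the certificate is self-signed, any client, vRealize Orchestrator included, must also be configured to trust it before an HTTPS session will succeed.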

Once the WinRM host is configured to use Kerberos, there is a final requirement to configure the vRealize Orchestrator appliance for Kerberos authentication. To do so, connect using an SSH client such as PuTTY and create or edit the file ‘/usr/java/jre-vmware/lib/security/krb5.conf’. In the example below, replace the realm name DEAN.LOCAL with your domain, adhering to the case sensitivity (realm names are conventionally upper case), and replace ‘dc1.dean.local’ with the FQDN of the key distribution center for that Kerberos realm.

[libdefaults]
 default_realm = DEAN.LOCAL
 udp_preference_limit = 1
[realms]
 DEAN.LOCAL = {
  kdc = dc1.dean.local
  default_domain = dean.local
 }

Once the file has been written, because we are using the vRealize Orchestrator virtual appliance we need to set the file permissions so that it can be read, and then restart the vRealize Orchestrator Server service to apply the configuration change.

chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf

Once we have configured the WinRM host and the vRealize Orchestrator appliance, we should now be able to invoke the ‘Add PowerShell Host’ workflow successfully (Library > PowerShell > Configuration > Add PowerShell Host).
