You can use Kerberos authentication when you add and manage a PowerShell host.

With Kerberos authentication, domain users can run commands on remote PowerShell-enabled machines over WinRM.

Procedure

  1. Enable Kerberos authentication on the WinRM service.
    1. To check if Kerberos authentication is allowed, run the following command:

      c:\> winrm get winrm/config/service

    2. To enable Kerberos authentication, run the following command:

      c:\> winrm set winrm/config/service/auth @{Kerberos="true"}

  2. Enable Kerberos authentication on the WinRM client.
    1. To check whether Kerberos authentication is allowed, run the following command:

      c:\> winrm get winrm/config/client

    2. To enable Kerberos authentication, run the following command:

      c:\> winrm set winrm/config/client/auth @{Kerberos="true"}

  3. To test the connection to the WinRM service, run the following command:

    c:\> winrm identify -r:http://winrm_server:5985 -auth:Kerberos -u:user_name -p:password -encoding:utf-8

  4. Create a krb5.conf file and save it to the location that corresponds to your Orchestrator type:

    External Orchestrator: /usr/java/jre-vmware/lib/security/
    Embedded Orchestrator: /etc/krb5.conf

    A krb5.conf file has the following structure:

    [libdefaults]
    default_realm = YOURDOMAIN.COM
    udp_preference_limit = 1

    [realms]
    YOURDOMAIN.COM = {
        kdc = kdc.yourdomain.com
        default_domain = yourdomain.com
    }

    [domain_realm]
    .yourdomain.com = YOURDOMAIN.COM
    yourdomain.com = YOURDOMAIN.COM

    The krb5.conf file must contain the following configuration tags with appropriate values:

    default_realm
      The default Kerberos realm that a client uses to authenticate against an Active Directory server.
      Note: Must be in uppercase letters.

    kdc
      The domain controller that acts as a Key Distribution Center (KDC) and issues Kerberos tickets.

    default_domain
      The default domain that is used to produce a fully qualified domain name.
      Note: This tag is used for Kerberos 4 compatibility.

    Note:

    By default, the Java Kerberos configuration uses the UDP protocol. To use only the TCP protocol, you must set the udp_preference_limit parameter to a value of 1.

    Note:

    Kerberos authentication requires a fully qualified domain name (FQDN) as the host address.

    Important:

    When you add or modify the krb5.conf file, you must restart the Orchestrator server service.
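    The following validator is an added example and is not part of Orchestrator or its documentation: it parses a krb5.conf in the layout shown above and reports which of the requirements listed in this procedure (uppercase default_realm, udp_preference_limit set to 1, an FQDN for kdc, a default_domain, and a [domain_realm] mapping to the realm) are not met. The sample file contents are constructed from the template above.

```python
# Constructed sample, copied from the krb5.conf structure shown above.
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = YOURDOMAIN.COM
udp_preference_limit = 1
[realms]
YOURDOMAIN.COM = {
kdc = kdc.yourdomain.com
default_domain = yourdomain.com
}
[domain_realm]
.yourdomain.com=YOURDOMAIN.COM
yourdomain.com=YOURDOMAIN.COM
"""

def parse_krb5_conf(text):
    # Returns {section: {key: value}}; realm blocks in [realms] are nested dicts.
    sections, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return sections

def check_krb5_conf(text):
    # Returns the violated requirements; an empty list means the file passes.
    cfg = parse_krb5_conf(text)
    defaults = cfg.get("libdefaults", {})
    realm = defaults.get("default_realm", "")
    realm_cfg = cfg.get("realms", {}).get(realm, {})
    checks = [
        (not realm, "default_realm is missing"),
        (realm != realm.upper(), "default_realm must be uppercase"),
        (defaults.get("udp_preference_limit") != "1",
         "udp_preference_limit must be 1 to use TCP only"),
        ("." not in realm_cfg.get("kdc", ""), "kdc must be an FQDN"),
        (not realm_cfg.get("default_domain"), "default_domain is missing"),
        (realm not in cfg.get("domain_realm", {}).values(),
         "no [domain_realm] entry maps to default_realm"),
    ]
    return [msg for failed, msg in checks if failed]
```

    Run check_krb5_conf on the file you saved in step 4 before restarting the Orchestrator server service; an empty result means every tag this procedure requires is present.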