You can use Kerberos authentication when you add and manage a PowerShell host.

About this task

With Kerberos authentication, domain users can run commands on remote PowerShell-enabled machines over WinRM. The client presents a Kerberos service ticket for the remote host instead of sending the user's password, so the account's credentials never reach the PowerShell host.

Procedure

  1. Enable Kerberos authentication on the WinRM service. Run the commands in this step and the next from an elevated command prompt on the PowerShell host.
    1. Run the following command to check whether Kerberos authentication is allowed. In the Auth section of the output, look for Kerberos = true.

      c:\> winrm get winrm/config/service

    2. Run the following command to enable Kerberos authentication.

      c:\> winrm set winrm/config/service/auth @{Kerberos="true"}

  2. Enable Kerberos authentication on the WinRM client.
    1. Run the following command to check whether Kerberos authentication is allowed.

      c:\> winrm get winrm/config/client

    2. Run the following command to enable Kerberos authentication.

      c:\> winrm set winrm/config/client/auth @{Kerberos="true"}

  3. Run the following command to test the connection to the WinRM service. Use the FQDN of the target host in the -r argument, because the Kerberos service ticket is requested for the host name you supply. If you run the command as a domain user, you can omit -u and -p and the client uses the ticket of the current logon session, which also keeps the password out of the command history.

    c:\> winrm identify -r:http://winrm_server:5985 -auth:Kerberos -u:user_name -p:password -encoding:utf-8

  4. Create a krb5.conf file and save it to the following location.

    Operating System   Path
    Windows            C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\lib\security\
    Linux              /usr/java/jre-vmware/lib/security/ for external vRealize Orchestrator.
                       /etc/krb5.conf for vRealize Orchestrator that is built into vRealize Automation.

    A krb5.conf file has the following structure:

    [libdefaults]
        default_realm = YOURDOMAIN.COM
        udp_preference_limit = 1

    [realms]
        YOURDOMAIN.COM = {
            kdc = kdc.yourdomain.com
            default_domain = yourdomain.com
        }

    [domain_realm]
        .yourdomain.com = YOURDOMAIN.COM
        yourdomain.com = YOURDOMAIN.COM

    The krb5.conf file must contain the following configuration tags, each set to a value that matches your Active Directory domain.

    Kerberos configuration tag   Details
    default_realm                The default Kerberos realm that a client uses to authenticate against an Active Directory server. Note: Must be in uppercase letters; in Active Directory the realm name is the DNS domain name in uppercase.
    kdc                          The domain controller that acts as a Key Distribution Center (KDC) and issues Kerberos tickets.
    default_domain               The default domain that is used to produce a fully qualified domain name. Note: This tag is used for Kerberos 4 compatibility.

    Note:

    By default, the Java Kerberos configuration uses the UDP protocol. To use only the TCP protocol, set the udp_preference_limit parameter to 1: any Kerberos message larger than 1 byte is then sent over TCP. This avoids UDP fragmentation of the large tickets that Active Directory issues.

    Note:

    Kerberos authentication requires a Fully Qualified Domain Name (FQDN) host address. The client builds the service principal name (for example HTTP/host.yourdomain.com) from the host name you supply, so an IP address or a short host name does not match a principal in the domain and the ticket request fails.

    Important:

    When you add or modify the krb5.conf file, you must restart the Orchestrator server service.
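The following PowerShell script is an added example, not part of this VMware documentation. It performs steps 1 through 3 of the procedure from PowerShell on the PowerShell host: it reads and, if needed, enables the Kerberos setting on the WinRM service and client through the WSMan: provider, checks that unencrypted transport is not permitted on either side, and then tests a Kerberos connection with Test-WSMan. The host name winrm_server.yourdomain.com is an assumed placeholder; replace it with the FQDN of your PowerShell host.

```powershell
# Added example (not from the VMware documentation): check and enable Kerberos
# authentication for the local WinRM service and client, then test a Kerberos
# connection to a remote PowerShell host. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$remoteHost = 'winrm_server.yourdomain.com'   # assumed placeholder: FQDN of the target host

# WinRM settings are exposed through the WSMan: drive. 'Service' controls what
# this machine accepts from clients; 'Client' controls what it offers when
# connecting out. These two paths correspond to
#   winrm set winrm/config/service/auth @{Kerberos="true"}
#   winrm set winrm/config/client/auth  @{Kerberos="true"}
$kerberosPaths = @(
    'WSMan:\localhost\Service\Auth\Kerberos',
    'WSMan:\localhost\Client\Auth\Kerberos'
)

foreach ($path in $kerberosPaths) {
    $current = (Get-Item -Path $path).Value
    Write-Host ("{0} = {1}" -f $path, $current)
    if ($current -ne 'true') {
        Set-Item -Path $path -Value $true
        Write-Host ("  enabled Kerberos on {0}" -f $path)
    }
}

# Kerberos over the default HTTP listener on 5985 still protects the SOAP
# payload, because WinRM applies Kerberos message encryption unless
# AllowUnencrypted is true. Warn if either side permits plain-text transport.
foreach ($side in 'Service', 'Client') {
    $allowUnencrypted = (Get-Item -Path "WSMan:\localhost\$side\AllowUnencrypted").Value
    if ($allowUnencrypted -eq 'true') {
        Write-Warning ("{0}: AllowUnencrypted is true; set it to false" -f $side)
    }
}

# Test the connection. This is the equivalent of
#   winrm identify -r:http://winrm_server:5985 -auth:Kerberos -u:user -p:password
# Prompting with Get-Credential keeps the password out of the command history.
# The account must be a domain user (DOMAIN\user or user@YOURDOMAIN.COM), and
# the host name must be the FQDN so the HTTP/<fqdn> service ticket can be issued.
$cred = Get-Credential -Message "Domain account for $remoteHost"
$result = Test-WSMan -ComputerName $remoteHost -Port 5985 `
    -Authentication Kerberos -Credential $cred -ErrorAction Stop

# A successful Kerberos identify call returns the remote WinRM identity.
$result | Format-List ProductVendor, ProductVersion
```

If Test-WSMan fails with an authentication error although the settings above are correct, check that the clock on the PowerShell host is within the domain's Kerberos skew tolerance and that the target's host name resolves to the FQDN registered in Active Directory.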