You can use Kerberos authentication when you add and manage a PowerShell host.

With Kerberos authentication, domain users can run commands on remote PowerShell-enabled machines over WinRM.

Procedure

  1. Enable Kerberos authentication on the WinRM service.
    1. To check whether Kerberos authentication is already allowed, run the following command:
      c:\> winrm get winrm/config/service
    2. To enable Kerberos authentication, run the following command:
      c:\> winrm set winrm/config/service/auth @{Kerberos="true"}
  2. Enable Kerberos authentication on the WinRM client.
    1. To check whether Kerberos authentication is already allowed, run the following command:
      c:\> winrm get winrm/config/client
    2. To enable Kerberos authentication, run the following command:
      c:\> winrm set winrm/config/client/auth @{Kerberos="true"}
  3. To test the connection to the WinRM service, run the following command:
    c:\> winrm identify -r:http://winrm_server:5985 -auth:Kerberos -u:user_name -p:password -encoding:utf-8
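    The following PowerShell script is an added example and is not part of the VMware documentation. It performs steps 1 through 3 from a PowerShell session instead of the winrm command-line tool: it reads and sets the Kerberos switch under the WSMan: drive for both the WinRM service and the WinRM client, then tests the connection with Test-WSMan. The host name winrm-host.yourdomain.com is a placeholder that must be replaced with the FQDN of the target machine, and the helper names Get-WinRMKerberosState and Enable-WinRMKerberos are this example's own. The script prompts for the domain credential with Get-Credential, so the password does not appear on the command line or in the shell history the way the -p: switch in step 3 leaves it.

```powershell
# Added example, not from the VMware documentation.
# Run from an elevated PowerShell session on the Windows host that runs WinRM.

function Get-WinRMKerberosState {
    # Read the current Kerberos authentication setting of the WinRM service and client.
    [PSCustomObject]@{
        Service = (Get-Item -Path 'WSMan:\localhost\Service\Auth\Kerberos').Value
        Client  = (Get-Item -Path 'WSMan:\localhost\Client\Auth\Kerberos').Value
    }
}

function Enable-WinRMKerberos {
    # Equivalent of 'winrm set winrm/config/<side>/auth @{Kerberos="true"}'.
    param(
        [ValidateSet('Service', 'Client')]
        [string]$Side
    )
    $path = "WSMan:\localhost\$Side\Auth\Kerberos"
    if ((Get-Item -Path $path).Value -ne 'true') {
        Set-Item -Path $path -Value $true
        Write-Host "Enabled Kerberos authentication on the WinRM $Side"
    } else {
        Write-Host "Kerberos authentication is already enabled on the WinRM $Side"
    }
}

# Steps 1 and 2: enable Kerberos on both sides and show the resulting state.
foreach ($side in 'Service', 'Client') { Enable-WinRMKerberos -Side $side }
Get-WinRMKerberosState

# Step 3: same check as 'winrm identify', with an explicit Kerberos handshake.
# Placeholder: replace with the FQDN of the WinRM host (Kerberos needs an FQDN).
$target = 'winrm-host.yourdomain.com'
$cred = Get-Credential -Message "Domain account used to reach $target"
Test-WSMan -ComputerName $target -Port 5985 -Authentication Kerberos -Credential $cred
```

    If Test-WSMan returns the protocol and product version of the remote WSMan service, the ticket was issued and accepted; an authentication error usually means the host was addressed by IP address or short name rather than its FQDN, or the Kerberos switch is still false on one of the two sides.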
  4. Create a krb5.conf file and save it to the location that matches your Orchestrator type:

    Orchestrator type   Location
    External            /usr/java/jre-vmware/lib/security/
    Embedded            /etc/krb5.conf
    A krb5.conf file has the following structure:

    [libdefaults]
    default_realm = YOURDOMAIN.COM
    udp_preference_limit = 1
    [realms]
    YOURDOMAIN.COM = {
    kdc = kdc.yourdomain.com
    default_domain = yourdomain.com
    }
    [domain_realm]
    .yourdomain.com=YOURDOMAIN.COM
    yourdomain.com=YOURDOMAIN.COM

    The krb5.conf file must contain the following configuration parameters with their values.

    Kerberos configuration tag   Details
    default_realm                The default Kerberos realm that a client uses to authenticate against an Active Directory server.
                                 Note: Must be in uppercase letters.
    kdc                          The domain controller that acts as a Key Distribution Center (KDC) and issues Kerberos tickets.
    default_domain               The default domain that is used to produce a fully qualified domain name.
                                 Note: This tag is used for Kerberos 4 compatibility.

    Note: By default, the Java Kerberos configuration uses the UDP protocol. To use only the TCP protocol, you must set the udp_preference_limit parameter to a value of 1.

    Note: Kerberos authentication requires a Fully Qualified Domain Name (FQDN) host address.

    Important: When you add or modify the krb5.conf file, you must restart the Orchestrator server service.
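    The following PowerShell script is an added example and is not part of the VMware documentation. It checks a krb5.conf file against the rules in the table and notes above (an uppercase default_realm, udp_preference_limit set to 1, and a kdc entry that is an FQDN, together with a default_domain for the realm) before the file is copied to the Orchestrator server. The sample file embedded in the script is constructed from the structure shown above, and the helper names ConvertFrom-Krb5Conf and Test-Krb5Conf are this example's own; the parser handles only the flat section/realm-block layout shown on this page, not every krb5.conf feature.

```powershell
# Added example, not from the VMware documentation.
# Constructed sample that mirrors the structure shown above.
$sampleKrb5 = @'
[libdefaults]
default_realm = YOURDOMAIN.COM
udp_preference_limit = 1
[realms]
YOURDOMAIN.COM = {
kdc = kdc.yourdomain.com
default_domain = yourdomain.com
}
[domain_realm]
.yourdomain.com=YOURDOMAIN.COM
yourdomain.com=YOURDOMAIN.COM
'@

function ConvertFrom-Krb5Conf {
    # Minimal parser: returns a hashtable of section -> (key -> value).
    # Keys inside a realm block are flattened as "REALM.key" under [realms].
    param([string]$Text)
    $conf = @{}
    $section = $null
    $realm = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(\w+)\]$') { $section = $Matches[1]; $conf[$section] = @{}; continue }
        if ($line -match '^(\S+)\s*=\s*\{$') { $realm = $Matches[1]; continue }
        if ($line -eq '}') { $realm = $null; continue }
        if ($section -and $line -match '^([^=\s]+)\s*=\s*(.+)$') {
            $key = if ($realm) { "$realm.$($Matches[1])" } else { $Matches[1] }
            $conf[$section][$key] = $Matches[2].Trim()
        }
    }
    return $conf
}

function Test-Krb5Conf {
    # Returns the list of problems found; an empty list means the documented rules are met.
    param([string]$Text)
    $c = ConvertFrom-Krb5Conf -Text $Text
    $problems = @()
    $libdefaults = if ($c.ContainsKey('libdefaults')) { $c['libdefaults'] } else { @{} }
    $realms      = if ($c.ContainsKey('realms'))      { $c['realms'] }      else { @{} }

    $realm = $libdefaults['default_realm']
    if (-not $realm) {
        $problems += 'default_realm is missing from [libdefaults]'
    } elseif ($realm -cne $realm.ToUpperInvariant()) {
        $problems += "default_realm '$realm' must be in uppercase letters"
    }
    if ($libdefaults['udp_preference_limit'] -ne '1') {
        $problems += 'udp_preference_limit must be 1 so the Java Kerberos client uses TCP only'
    }
    if ($realm) {
        $kdc = $realms["$realm.kdc"]
        if (-not $kdc) {
            $problems += "no kdc entry for realm $realm in [realms]"
        } elseif ($kdc -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
            $problems += "kdc '$kdc' is not a fully qualified domain name"
        }
        if (-not $realms["$realm.default_domain"]) {
            $problems += "no default_domain entry for realm $realm in [realms]"
        }
    }
    return ,$problems
}

# Check the constructed sample; to check a real file, pass (Get-Content -Raw <path>) instead.
$issues = Test-Krb5Conf -Text $sampleKrb5
if ($issues.Count -eq 0) { 'krb5.conf meets the documented requirements' } else { $issues }
```

    Run the check on the file before copying it to the location for your Orchestrator type; each reported problem names the tag to correct, and after the file is in place the Orchestrator server service still has to be restarted for the change to take effect.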