You can use Kerberos authentication when you add and manage a PowerShell host.
With Kerberos authentication, domain users can run commands on remote PowerShell-enabled machines over WinRM.
Procedure
- Configure WinRM on the PowerShell host.
winrm quickconfig
winrm set winrm/config/service/auth @{Kerberos="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}
winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}
- Create or edit the krb5.conf file at /data/vco/usr/lib/vco/app-server/conf/.
A krb5.conf file has the following structure:
[libdefaults]
default_realm = YOURDOMAIN.COM
[realms]
YOURDOMAIN.COM = {
kdc = dc.yourdomain.com
default_domain = yourdomain.com
}
[domain_realm]
.yourdomain.com=YOURDOMAIN.COM
yourdomain.com=YOURDOMAIN.COM
The krb5.conf file must contain the following configuration parameters with their values.
Kerberos configuration tag | Details
default_realm | The default Kerberos realm that a client uses to authenticate against an Active Directory server. Note: Must be in uppercase letters.
kdc | The domain controller that acts as a Key Distribution Center (KDC) and issues Kerberos tickets.
default_domain | The default domain that is used to produce a fully qualified domain name. Note: This tag is used for Kerberos 4 compatibility.
Note: By default, the Java Kerberos configuration uses the UDP protocol. To use only the TCP protocol, you must specify the udp_preference_limit parameter with a value of 1.
Note: The Kerberos authentication requires a Fully Qualified Domain Name (FQDN) host address.
Important: When you add or modify the krb5.conf file, you must restart the vRealize Orchestrator server service.
- Change permissions by running the following command.
- Redeploy the vRealize Orchestrator pod.
kubectl -n prelude get pods
Look for an entry similar to the following.
vco-app-<ID>
- Destroy the pod.
kubectl -n prelude delete pod vco-app-<ID>
A new pod is automatically deployed to replace the pod you destroyed.
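Before restarting the server service or redeploying the pod, it is worth checking that the krb5.conf you wrote actually satisfies the requirements listed above (uppercase default_realm, a kdc and default_domain for that realm, an FQDN for the kdc, and udp_preference_limit = 1 if you want TCP only). The following validator is an added example, not part of vRealize Orchestrator or the VMware documentation; it assumes the three-section layout shown above with the realm block written as REALM = { ... }, and the sample file embedded in it is constructed for the demonstration.

```python
"""Validate a krb5.conf against the requirements documented for the PowerShell host.

Added example, not vRealize Orchestrator's own code. It assumes the file layout
shown on the page: [libdefaults], [realms] and [domain_realm] sections, with the
realm written as `REALM = { ... }` inside [realms].
"""
import re

# Constructed sample matching the structure documented above (not a real domain).
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = YOURDOMAIN.COM
udp_preference_limit = 1
[realms]
YOURDOMAIN.COM = {
kdc = dc.yourdomain.com
default_domain = yourdomain.com
}
[domain_realm]
.yourdomain.com=YOURDOMAIN.COM
yourdomain.com=YOURDOMAIN.COM
"""

# Hostname made of at least two dot-separated labels, so "dc" alone is rejected.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)


def parse_krb5_conf(text):
    """Parse krb5.conf text into (sections, realms).

    sections maps a section name to its flat key/value pairs;
    realms maps a realm name to the key/value pairs of its { ... } block.
    """
    sections, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
            sections.setdefault(section, {})
            continue
        if line == "}":  # end of a realm block
            realm = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m and section == "realms":  # start of a realm block
            realm = m.group(1)
            realms[realm] = {}
            continue
        if "=" not in line:
            raise ValueError("unparseable line: %r" % raw)
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if realm is not None:
            realms[realm][key] = value
        elif section is not None:
            sections[section][key] = value
        else:
            raise ValueError("key outside any section: %r" % raw)
    return sections, realms


def check_krb5_conf(text, require_tcp_only=False):
    """Return a list of problems; an empty list means the file meets the requirements."""
    problems = []
    sections, realms = parse_krb5_conf(text)
    libdefaults = sections.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        problems.append("default_realm missing from [libdefaults]")
    else:
        if realm != realm.upper():
            problems.append("default_realm must be uppercase: %s" % realm)
        block = realms.get(realm)
        if block is None:
            problems.append("no [realms] entry for %s" % realm)
        else:
            kdc = block.get("kdc")
            if not kdc:
                problems.append("kdc missing for realm %s" % realm)
            elif not FQDN_RE.match(kdc):
                problems.append("kdc must be a fully qualified domain name, got %s" % kdc)
            if "default_domain" not in block:
                problems.append("default_domain missing for realm %s" % realm)
    # Per the note above, Java Kerberos defaults to UDP; TCP-only needs udp_preference_limit = 1.
    if require_tcp_only and libdefaults.get("udp_preference_limit") != "1":
        problems.append("udp_preference_limit must be 1 to use only TCP")
    return problems


if __name__ == "__main__":
    for problem in check_krb5_conf(SAMPLE_KRB5_CONF, require_tcp_only=True):
        print("problem:", problem)
```

Run it against the real file by reading /data/vco/usr/lib/vco/app-server/conf/krb5.conf into check_krb5_conf; an empty result is what you want before restarting the service, and each reported problem names the tag from the table above that needs fixing.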
What to do next
In the vRealize Orchestrator Client, run the Add PowerShell host workflow.