You can use Kerberos authentication when you add and manage a PowerShell host.

With Kerberos authentication, domain users can run commands on remote PowerShell-enabled machines over WinRM.


  1. Configure WinRM on the PowerShell host.
    winrm quickconfig
    winrm set winrm/config/service/auth @{Kerberos="true"}
    winrm set winrm/config/service @{AllowUnencrypted="true"}
    winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}
  2. Create or edit the krb5.conf file at /data/vco/usr/lib/vco/app-server/conf/.
    A krb5.conf file has the following structure:
    default_realm = YOURDOMAIN.COM
    kdc = 
    default_domain = 

    The krb5.conf must contain specific configuration parameters with their values.

    Kerberos configuration tags Details
    default_realm The default Kerberos realm that a client uses to authenticate against an Active Directory server.
    Note: Must be in uppercase letters.
    kdc The domain controller that acts as a Key Distribution Center (KDC) and issues Kerberos tickets.
    default_domain The default domain that is used to produce a fully qualified domain name.
    Note: This tag is used for Kerberos 4 compatibility.
    Note: By default, the Java Kerberos configuration uses the UDP protocol. To use only the TCP protocol, you must specify the udp_preference_limit parameter with a value 1.
    Note: The Kerberos authentication requires a Fully Qualified Domain Name (FQDN) host address.
    Important: When you add or modify the krb5.conf file, you must restart the vRealize Orchestrator server service.
  3. Change permissions by running the following command.
    chmod 644 krb5.conf
  4. Redeploy the vRealize Orchestrator pod.
    kubectl -n prelude get pods
    Look for an entry similar to the following.
  5. Destroy the pod.
    kubectl -n prelude delete pod vco-app-<ID>
    A new pod is automatically deployed to replace the pod you destroyed.

What to do next

In the vRealize Orchestrator Client, run the Add PowerShell host workflow.