I added a krb5.conf file to my vCo server for use by my newly installed PowerShell 1.0.4 Plugins, but I was wondering if I can put multiple domains in there? We have about 5 domains that we provision servers across.
Any thoughts?
What about dom2,dom3,dom4???
[libdefaults]
default_realm = corp.dom1.com
udp_preference_limit = 1
[realms]
corp.dom1.com = {
kdc = kdc.corp.dom1.com
Admin_server = corp.dom1.com
default_domain = corp.dom1.com
}
[domain_realms]
.domain.com=corp.dom1.com
domain.com=corp.dom1.com
Does anyone use PowerShell and vCO?
Hi,
Currently the vCO authentication mechanics support only one authentication domain. You do not need the vCO auth with PowerShell anyway. You do not need to configure the krb5.conf at all in this case. What you need is CredSSP/WinRM with the vCO PowerShell plugin.
http://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/
WinRM supports cross domain authentication.
Best Regards / Поздрави
Spas Kaloferov | Technical Solutions Architect
Hi ,
Yes a lot of people.
Best Regards / Поздрави
Spas Kaloferov | Technical Solutions Architect
Thanks so much for your response and for your article.
I had to modify the commands, adding the single quotes:
winrm set winrm/config/client/auth '@{Basic="true"}'
But I am not sure that I can make this work because of our group policies.
winrm : WSManFault
At line:2 char:1
+ winrm set winrm/config/client/auth '@{Basic="true"}'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (WSManFault:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Message
ProviderFault
WSManFault
Message = The config setting Basic cannot be changed because is controlled by policies. The policy would need to be
set to "Not Configured" in order to change the config setting.
Error number: -2144108406 0x8033808A
Cannot change GPO controlled setting.
I would really like to get these PowerShell Plugins working.
Maybe if we can get it working on one domain first.
It should be possible to configure multiple domains in the same krb5.conf file.
You should be able to use them as long as the user and the PowerShell host are in the same domain.
In theory it should be possible even if they are in different domains, but I have not tested it.
The allowed syntax of the krb5.conf file can be found here:
http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.4/doc/krb5-admin/krb5.conf.html
The krb5.conf file is not specific to vCO. The vCO PowerShell plugin uses the standard Java GSS-API for Kerberos authentication.
Introduction to JAAS and Java GSS-API Tutorials
Configuring Kerberos authentication has some caveats and, as already mentioned, I would suggest getting it running with a single domain before trying it with multiple domains.
Hi,
Yes, you seem to have the WinRM config enforced via a domain-level GPO, so you should make the change from the domain GPOs. Keep in mind that the WinRM config I've given in the article has loosened security and allows all auth methods, etc. I've done this for the sole purpose of showing the config work. Once you get it to work you might want to secure WinRM as much as you can.
Best Regards / Поздрави
Spas Kaloferov | Technical Solutions Architect
Hi,
I think I might have misunderstood what you are trying to accomplish. I thought you were trying to:
- use the PowerShell plugin and start a command which then needs to authenticate in another domain. If this is the case, then CredSSP is your tool.
But if you are trying to:
- add multiple PS hosts in vCO, each host from a different domain,
then this is another story. Although this should theoretically work, I haven't tested it. I can try it in the next days, though, and will give you feedback.
Best Regards / Поздрави
Spas Kaloferov | Technical Solutions Architect
Yes, a teammate of mine has successfully made this work. Just make sure you have entries for each domain as realms and domain_realm like this in the krb5.conf file:
[libdefaults]
default_realm = CORP.DOM1.COM
udp_preference_limit = 1
[realms]
CORP.DOM1.COM = {
kdc = kdc.corp.dom1.com
kdc = kdc2.corp.dom1.com
default_domain = corp.dom1.com
}
CORP.DOM2.COM = {
kdc = kdc.corp.dom2.com
kdc = kdc2.corp.dom2.com
default_domain = corp.dom2.com
}
CORP.DOM3.COM = {
kdc = kdc.corp.dom3.com
kdc = kdc2.corp.dom3.com
default_domain = corp.dom3.com
}
[domain_realms]
.corp.dom1.com=corp.dom1.com
corp.dom1.com=corp.dom1.com
.corp.dom2.com=corp.dom2.com
corp.dom2.com=corp.dom2.com
.corp.dom3.com=corp.dom3.com
corp.dom3.com=corp.dom3.com
---------------------------------------------
Other tips: try it with one domain at a time. Also check the CASE. It may matter.
Hi,
here you will find more info. Special thanks to Ivo Gaydajiev.
BR,
Spas Kaloferov
Dan ,
you have an error in your file. It should be [domain_realm] not [domain_realms]
BR,
Spas Kaloferov
and you will also need 1.0.6 version of the plugin that is about to be released
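A small checker for the krb5.conf layout posted above, added here as an example and not taken from the thread or from the vCO plugin. It parses the INI-style file, flags the misspelled [domain_realms] header that Spas points out, and reports [domain_realm] entries whose realm differs from the [realms] stanza only by case, which Dan warns may matter; the sample file it embeds is constructed.

```python
import re
# Constructed sample in the layout posted above, carrying the misspelled
# [domain_realms] header and lowercase realm names on the right-hand side.
SAMPLE_CONF = """[libdefaults]
default_realm = CORP.DOM1.COM
[realms]
CORP.DOM1.COM = {
kdc = kdc.corp.dom1.com
default_domain = corp.dom1.com
}
[domain_realms]
.corp.dom1.com=corp.dom1.com
corp.dom1.com=corp.dom1.com
"""
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "logging", "plugins"}
def parse_krb5_conf(text):
    # {section: [(key, value), ...]}; a realm stanza is (realm, [(key, value), ...])
    sections, current, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line == "}":
            stanza = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stanza = (key, [])
                sections[current].append(stanza)
            elif stanza is not None:
                stanza[1].append((key, value))
            else:
                sections[current].append((key, value))
    return sections

def check_krb5_conf(text):
    # Returns the problems found; an empty list means the file passed.
    conf = parse_krb5_conf(text)
    problems = [f"unknown section [{s}]" for s in conf if s not in KNOWN_SECTIONS]
    realms = {name for name, _ in conf.get("realms", [])}
    for domain, realm in conf.get("domain_realm", []) + conf.get("domain_realms", []):
        if realm not in realms:
            kind = "differs only by case" if realm.upper() in {r.upper() for r in realms} else "is undefined"
            problems.append(f"{domain} -> {realm}: realm {kind} in [realms]")
    return problems
```

Run it against the real file after replacing SAMPLE_CONF with the file's contents; an empty result means the section names and realm spellings agree.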