WinRM, https, Kerberos, and vCO Powershell Plugin 1.0.1

Summary:
Pain in my arse.  I was able to make it work this way, whether this is the correct way to do it is most definitely up for debate.  I started writing this on w/ vCO PS Plugin 1.0, so some things might need work.  I welcome corrections.

Details:
  1. WinRM by default only allows users that are members of the administrators.
    • See here how to add additional users
    • The only way I’ve been able to make this work in Orchestrator is if the service account I’m using is a member of the administrators group on the powershell remote host.
    • It works via standard WinRM or Powershell so a bit puzzled as to why I get access denied errors from vCO.  Still researching...  :-/
  2. Setup IIS
  3. Generate CSR from IIS
  4. Import CA generated CSR
  5. IIS Website -> SSL Settings -> Edit Bindings -> https://  -> Select imported SSL cert.
  6. Command Prompt (not powershell):
    • winrm quickconfig -transport:https
    • winrm set winrm/config/client @{TrustedHosts=”NameorIP of VCO host”}
    • winrm set winrm/config/service/auth @{Kerberos=”True”}
  7. Assuming you are using the vCenter Orchestrator virtual appliance:
    1. Log into vCenter Orchestrator local console as root
      • Default password for root is “vmware”
      • SSH is disabled by default, so it you must login via local console.
    2. You need to create a krb5.conf file in the following directory:
      • /opt/vmo/jre/lib/security
      • vi krb5.conf
      • Sample krb5.conf:
          • [libdefaults]    
            default_realm = SOMEDOMAIN.COM    
            udp_preference_limit = 1
[realms]    
            SOMEDOMAIN.COM = {       
            kdc = kdc1.somedomain.com       
            default_domain = somedomain.com    
          }
[domain_realms]
  .somedomain.com=SOMEDOMAIN.COM
  somedomain.com=SOMEDOMAIN.COM
        • You can enter multiple kdc servers (in Active Directory, usually the same as a domain controller)
          • kdc = kdc1.somedomain.com
          • kdc = kdc2.somedomain.com
        • krb5.conf is CASE SeNSITIVE!
        • If you use the [domain_realms] section, your domain names will translate into UPPERCASE if using the format above.
      • Once you’re done editing, hit “ESC”, “:”, “wq”, Enter
      • Change ownership/perms on krb5.conf file:
        • chown vco:vco krb5.conf
        • chmod 640 krb5.conf
    3. Restart vCenter Orchestrator Appliance.
      • You can probably restart a specific service, but I’m unsure as to which one.
Other helpful links:

Comments

vpo said…
Did You finally found why it dis not work if the user Is not part of the admin group ? Got same issue
June 12, 2013 at 9:59 AM
Zsoldier said…
I haven't had a chance to revisit. I'll probably be looking @ it deeper after I attend vCO training next week.
June 12, 2013 at 11:00 AM
vpo said…
If You can, That would be Great.
June 13, 2013 at 6:56 AM
Post a Comment

Popular posts from this blog

NSX-T: Release associated invalid node ID from certificate

Image
Summary: Basically had an expiring certificate registered in NSX-T that was associated to a node_id that is no longer valid.  Long story short, there wasn't anything obvious in API to delete or disassociate a certificate from a node_id for 3.2.2.  Not sure how things got in this state, but annotating for future reference.  This may change in future revisions, so always check API for latest. Details: Effectively had a stale node associated w/ a certificate that was expiring.  Could not delete certificate until that node was disassociated from the certificate. To get certificate details and associated node_id's, you can use the following curl call (UI works too): curl -k -X GET -H "Content-Type: application/json" -u admin https://<manager ip>/api/v1/trust-management/certificates/<cert UUID> Above will return something like this: Below must be run from one of the manager nodes via elevation to root: ONLY RUN THIS IF YOU ARE ABSOLUTELY SURE OF WHAT YOU ARE DO...
Read more

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

Image
Summary: NSX-T loses synch w/ vCenter inventory, but statuses don't appear to show an issue.  Basically, you add a host to a vCenter cluster, NSX-T bits should start to automatically installing on new host.  Assuming you've created a Transport Node Profile and associated w/ the cluster.  The problem is that NSX-T doesn't see the new host and its link to the compute manager (vCenter) looks fine. Looks fine, Y U NO WORK!? So what's going on here?  This appears to affect NSX-T 2.5 and 2.5.1.  Cause is unknown. Workaround: Restart the cm-inventory service on each NSX-T mgmt/controller node using API or CLI. Details: If you were to query the status of the cm-inventory via API or CLI, you could query all 3 manager/controller nodes and get a status of running.  Even if the primary node associated w/ the VIP, if configured, is not necessarily in charge of inventory.  So you could restart the cm-inventory service till you are blue in the face ...
Read more

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.

Image
The VPN client was unable to successfully verify the IP forwarding table modification.  A VPN connection will not be established. Summary: I started running into issue utilizing Cisco AnyConnect on my Mac basically complaining about not able to overwrite IP forwarding tables.  This was on 4.6.x.  Since my VPN endpoints were not providing me w/ an updated client and w/ no access to Cisco Anyconnect downloads, my only option was to try openconnect.  It was totally worth it, here is why and how to set it up. PreReqs: Homebrew Installing OpenConnect: Launch MacOS Terminal brew install openconnect Getting VPN IP's/DNS Endpoints from AnyConnect: The information is typically located in your profile xml files located here: /opt/cisco/anyconnect/profile/somethingsomething.xml In the xml file, you are looking for "<HostAddress>typicallyaDNSName.com</HostAddress>" entry.  These are your VPN endpoints that you would need to pass to openconnec...
Read more