WinRM, https, Kerberos, and vCO Powershell Plugin 1.0.1

Pain in my arse.  I was able to make it work this way, whether this is the correct way to do it is most definitely up for debate.  I started writing this on w/ vCO PS Plugin 1.0, so some things might need work.  I welcome corrections.

  1. WinRM by default only allows users that are members of the administrators.
    • See here how to add additional users
    • The only way I’ve been able to make this work in Orchestrator is if the service account I’m using is a member of the administrators group on the powershell remote host.
    • It works via standard WinRM or Powershell so a bit puzzled as to why I get access denied errors from vCO.  Still researching...  :-/
  2. Setup IIS
  3. Generate CSR from IIS
  4. Import CA generated CSR
  5. IIS Website -> SSL Settings -> Edit Bindings -> https://  -> Select imported SSL cert.
  6. Command Prompt (not powershell):
    • winrm quickconfig -transport:https
    • winrm set winrm/config/client @{TrustedHosts=”NameorIP of VCO host”}
    • winrm set winrm/config/service/auth @{Kerberos=”True”}
  7. Assuming you are using the vCenter Orchestrator virtual appliance:
    1. Log into vCenter Orchestrator local console as root
      • Default password for root is “vmware”
      • SSH is disabled by default, so it you must login via local console.
    2. You need to create a krb5.conf file in the following directory:
      • /opt/vmo/jre/lib/security
      • vi krb5.conf
      • Sample krb5.conf:
        • [libdefaults]    
            default_realm = SOMEDOMAIN.COM    
            udp_preference_limit = 1
            SOMEDOMAIN.COM = {       
            kdc =       
            default_domain =    
        • You can enter multiple kdc servers (in Active Directory, usually the same as a domain controller)
          • kdc =
          • kdc =
        • krb5.conf is CASE SeNSITIVE!
        • If you use the [domain_realms] section, your domain names will translate into UPPERCASE if using the format above.
      • Once you’re done editing, hit “ESC”, “:”, “wq”, Enter
      • Change ownership/perms on krb5.conf file:
        • chown vco:vco krb5.conf
        • chmod 640 krb5.conf
    3. Restart vCenter Orchestrator Appliance.
      • You can probably restart a specific service, but I’m unsure as to which one.
Other helpful links:


vpo said…
Did You finally found why it dis not work if the user Is not part of the admin group ? Got same issue
Zsoldier said…
I haven't had a chance to revisit. I'll probably be looking @ it deeper after I attend vCO training next week.
vpo said…
If You can, That would be Great.

Popular posts from this blog

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.

Azure VMware Solution: NSX-T Active/Active T0 Edges...but