Recommendations for vRealize Orchestrator Kerberos configuration: krb5.conf file configuration templates and VMware Identity Manager Integrations


Article ID: 325996


Products

VMware Aria Suite

Issue/Introduction

When you add a PowerShell host through the vRealize Orchestrator PowerShell plug-in using Kerberos authentication, the Orchestrator appliance requires a valid krb5.conf so that WinRM can obtain and present Kerberos tickets for the host.

This article assumes the PowerShell host was configured according to the requirements in the VMware product documentation: Configure Kerberos Authentication and Configure WinRM to Use HTTPS.

Note: Other transports, such as WinRM over HTTP, are supported but not recommended, because the connection is not protected by TLS.

vRealize Automation 7.x contains an embedded instance of VMware Identity Manager. When a directory of type Active Directory over Integrated Windows Authentication (IWA) is configured, Identity Manager scans the domain and automatically generates a valid krb5.conf from the domain information it discovers.

Active Directory over LDAP directories require manual configuration; a reference krb5.conf is provided under Resolution. The same reference configuration can be used for standalone vRealize Orchestrator instances.

Note: Use the AD over IWA directory type whenever the domain belongs to a forest and logins from several domains in that forest are required.

Environment

VMware vRealize Orchestrator 7.x

Resolution

Reference configuration for a realm named AUTOLAB.LOCAL (replace the realm AUTOLAB.LOCAL, the DNS domain autolab.local and the NetBIOS name AUTOLAB with your own values):

[libdefaults]
  default_keytab_name = /etc/krb5.keytab
  default_realm = AUTOLAB.LOCAL
  # RC4-HMAC is listed only for accounts that still lack AES keys; remove it once the domain no longer needs it
  default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  dns_lookup_kdc = true
  pkinit_kdc_hostname = <DNS>
  pkinit_anchors = DIR:/var/trusted_certs
  pkinit_cert_match = <EKU>msScLogin
  pkinit_eku_checking = kpServerAuth
  pkinit_win2k_require_binding = false
  pkinit_identities = PKCS11:/opt/likewise/lib64/libpkcs11wrapper.so

[realms]
  AUTOLAB.LOCAL = {
    auth_to_local = RULE:[1:$0\$1](^AUTOLAB\.LOCAL\\.*)s/^AUTOLAB\.LOCAL/AUTOLAB/
    auth_to_local = DEFAULT
  }

[logging]
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON

[domain_realm]
  .autolab.local = AUTOLAB.LOCAL

[appdefaults]
  pam = {
    mappings = AUTOLAB\\(.*) $1@AUTOLAB.LOCAL
    forwardable = true
    validate = true
  }
  httpd = {
    mappings = AUTOLAB\\(.*) $1@AUTOLAB.LOCAL
    reverse_mappings = (.*)@AUTOLAB\.LOCAL AUTOLAB\$1
  }
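As an added check (example code written for this article, not part of VMware's product, the Orchestrator plug-in, or the official documentation), the following Python script parses a krb5.conf in MIT syntax and flags the settings the plug-in depends on: a default_realm in upper case, a way to locate the KDC (either a kdc entry or dns_lookup_kdc = true), a [domain_realm] mapping to that realm, weak encryption types such as RC4-HMAC in the enctype lists, and repeated auth_to_local rules. It embeds a constructed copy of the reference configuration above (reduced to the sections the checks read, with the RC4-HMAC entries kept and the auth_to_local rule deliberately repeated once) next to a hardened variant. The function names, the WEAK_ENCTYPES list and the sample texts are this example's own; the script reads no files and contacts no KDC, so it complements, rather than replaces, a kinit test on the appliance.

```python
"""Offline lint for a vRO appliance krb5.conf (added example; not VMware code)."""
import re
from collections import defaultdict

# Constructed sample: the article's AUTOLAB.LOCAL reference configuration reduced to
# the sections the checks below read, with one auth_to_local rule repeated on purpose.
REFERENCE_KRB5_CONF = r"""
[libdefaults]
  default_realm = AUTOLAB.LOCAL
  default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  dns_lookup_kdc = true
[realms]
  AUTOLAB.LOCAL = {
    auth_to_local = RULE:[1:$0\$1](^AUTOLAB\.LOCAL\\.*)s/^AUTOLAB\.LOCAL/AUTOLAB/
    auth_to_local = RULE:[1:$0\$1](^AUTOLAB\.LOCAL\\.*)s/^AUTOLAB\.LOCAL/AUTOLAB/
    auth_to_local = DEFAULT
  }
[domain_realm]
  .autolab.local = AUTOLAB.LOCAL
"""

# Constructed hardened variant: RC4-HMAC dropped and the duplicate rule removed.
HARDENED_KRB5_CONF = r"""
[libdefaults]
  default_realm = AUTOLAB.LOCAL
  default_tgs_enctypes = AES256-CTS AES128-CTS
  default_tkt_enctypes = AES256-CTS AES128-CTS
  preferred_enctypes = AES256-CTS AES128-CTS
  dns_lookup_kdc = true
[realms]
  AUTOLAB.LOCAL = {
    auth_to_local = RULE:[1:$0\$1](^AUTOLAB\.LOCAL\\.*)s/^AUTOLAB\.LOCAL/AUTOLAB/
    auth_to_local = DEFAULT
  }
[domain_realm]
  .autolab.local = AUTOLAB.LOCAL
"""

# Enctypes this example treats as weak (RC4 and single DES families); extend as needed.
WEAK_ENCTYPES = {"RC4-HMAC", "RC4-HMAC-EXP", "ARCFOUR-HMAC", "ARCFOUR-HMAC-MD5",
                 "DES-CBC-CRC", "DES-CBC-MD5", "DES-CBC-MD4"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; a 'key = { ... }' block
    becomes a nested {subkey: [values]} dict. Repeated keys keep every value."""
    conf = defaultdict(lambda: defaultdict(list))
    section = block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # krb5.conf comments are whole lines
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = header.group(1), None
            continue
        if section is None:
            raise ValueError(f"value outside any section: {raw!r}")
        if line == "}":                           # end of a 'key = { ... }' block
            block = None
            continue
        key, sep, value = line.partition("=")    # values may themselves contain '='
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = key
            conf[section][key] = defaultdict(list)
            continue
        target = conf[section][block] if block else conf[section]
        target[key].append(value)
    return conf


def lint_krb5_conf(text):
    """Return findings for the settings the vRO PowerShell plug-in depends on."""
    conf = parse_krb5_conf(text)
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    realm = (libdefaults.get("default_realm") or [None])[-1]
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["false"])[-1].lower() in ("true", "yes", "1")
    if realm is None:
        findings.append("libdefaults: default_realm is not set")
    else:
        if realm != realm.upper():
            findings.append(f"libdefaults: default_realm {realm!r} is not upper-case")
        entry = realms.get(realm)
        if not dns_kdc and (entry is None or "kdc" not in entry):
            findings.append(f"realms: no kdc for {realm} and dns_lookup_kdc is not true")
        mapped = {v for vals in conf.get("domain_realm", {}).values() for v in vals}
        if realm not in mapped:
            findings.append(f"domain_realm: no DNS domain is mapped to {realm}")
    for key, values in libdefaults.items():
        if key.endswith("enctypes") and isinstance(values, list):
            weak = [e for e in " ".join(values).split() if e.upper() in WEAK_ENCTYPES]
            if weak:
                findings.append(f"libdefaults: {key} allows weak enctypes {' '.join(weak)}")
    for name, entry in realms.items():
        rules = entry.get("auth_to_local", []) if isinstance(entry, dict) else []
        for rule in sorted({r for r in rules if rules.count(r) > 1}):
            findings.append(f"realms/{name}: duplicate auth_to_local rule {rule}")
    return findings


if __name__ == "__main__":
    for label, text in (("reference", REFERENCE_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        print(label, lint_krb5_conf(text) or "no findings")
```

To run it against the appliance's live file, replace the embedded sample with `open("/etc/krb5.conf").read()`; the parser accepts the [appdefaults] blocks and pkinit_* keys of the full reference configuration unchanged, since nested braces and repeated keys are handled generically.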