This recipe shows how to configure Kerberos authentication with Orchestrator. The Kerberos configuration is only needed for special plugins, such as PowerShell.
We just need administrative access to the Orchestrator operating system. You need to make sure that the clocks are in sync between Orchestrator and the KDC; see the Tuning the appliance recipe in this chapter. The domain in this example is called mylab.local and the AD server (KDC) is called central.mylab.local.
1. Edit the /usr/java/jre-vmware/lib/security/krb5.conf file. You might have to create this file.
2. Replace mylab.local with your domain settings. Make sure that you use the same case as in the example (realm names are upper-case, host and domain names lower-case):

    [libdefaults]
    default_realm = MYLAB.LOCAL
    udp_preference_limit = 1
    [realms]
    MYLAB.LOCAL = {
        kdc = central.mylab.local
        default_domain = mylab.local
    }
    [domain_realm]
    .mylab.local = MYLAB.LOCAL
    mylab.local = MYLAB.LOCAL

3. Change the permissions of the file to 644. Execute the chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf command.
4. Restart Orchestrator with the service vco-server restart command.

Kerberos is an authentication protocol that uses tickets to allow systems to talk to each other securely.
Let's see how Kerberos works with a simple example. A client (Orchestrator) wants to communicate with a server (Windows host) securely. The client first contacts a Key Distribution Center (KDC) to acquire a ticket. In Windows, the KDC is your AD controller, which authenticates the login as a valid user and grants access. The KDC then issues a ticket, and this ticket is used to log in to the Windows server.
Configuration of the krb5.conf file is needed for Orchestrator in any version, as the connecting service is really the Java process and not the operating system underneath.
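Because the Java process only sees what krb5.conf tells it, a mistake in the file (a realm written in the wrong case, a domain_realm entry pointing at a realm that is not defined under [realms], a realm without a kdc) shows up only as a failed login later. The following check, added here as an example and not part of the recipe, parses a krb5.conf in the format above and reports such inconsistencies before Orchestrator is restarted; the embedded sample is the recipe's own configuration, constructed inline so the script runs offline.

```python
import re

# Sample krb5.conf as shown in the recipe (constructed inline for an offline check).
GOOD_CONF = """
[libdefaults]
default_realm = MYLAB.LOCAL
udp_preference_limit = 1
[realms]
MYLAB.LOCAL = {
    kdc = central.mylab.local
    default_domain = mylab.local
}
[domain_realm]
.mylab.local = MYLAB.LOCAL
mylab.local = MYLAB.LOCAL
"""

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: value}}; 'NAME = { ... }' blocks become nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                         # new [section]
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == '}':                               # end of a realm block
            block = None
            continue
        key, _, val = (p.strip() for p in line.partition('='))
        if val == '{':                                # start of a realm block
            block = key
            conf[section][block] = {}
        elif block is not None:
            conf[section][block][key] = val
        else:
            conf[section][key] = val
    return conf

def check_krb5(text):
    """Return a list of problems that would make the Java Kerberos login fail."""
    conf = parse_krb5(text)
    realms = conf.get('realms', {})
    default = conf.get('libdefaults', {}).get('default_realm')
    problems = []
    if default is None:
        problems.append('libdefaults: default_realm missing')
    elif default not in realms:
        problems.append(f'default_realm {default} has no [realms] entry')
    for name, body in realms.items():
        if name != name.upper():                      # realm names are case-sensitive and upper-case
            problems.append(f'realm {name} is not upper-case')
        if 'kdc' not in body:
            problems.append(f'realm {name} has no kdc')
    for domain, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:                       # typo in a realm name, e.g. LAB.LOCAL for MYLAB.LOCAL
            problems.append(f'domain_realm {domain} maps to undefined realm {realm}')
    return problems
```

Run it against the file on the appliance with `check_krb5(open('/usr/java/jre-vmware/lib/security/krb5.conf').read())`; an empty list means the realm, KDC and domain mappings are consistent with each other.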
Since Windows 2000, Microsoft has used Kerberos as its main authentication method. It is a secure method that uses encrypted communication and is therefore the best choice for any production environment.
This recipe is especially important for the Working with PowerShell recipe in Chapter 10, Built-in Plugins. The example workflow 02.03 Configure Kerberos.