
Adding a PowerShell server to vRealize Orchestrator with SSL for vRealize Automation

September 1, 2018

For vRealize Automation to interact with PowerShell, you need to add a PowerShell server to vRealize Orchestrator.

Step 1:  Open a firewall rule allowing TCP port 5986 (WinRM over HTTPS) from vRA/vRO to the PowerShell VM.

Step 2:  Get a valid Server Authentication certificate loaded onto the PowerShell VM.

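Now we can configure an HTTPS listener for WinRM on the PowerShell host. In the command below, host_name and certificate_thumbprint are placeholders: replace them with the host's FQDN and the thumbprint of the certificate from Step 2.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="host_name";CertificateThumbprint="certificate_thumbprint"}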

Check for and enable Kerberos authentication on the WinRM service:

c:\> winrm get winrm/config/service
c:\> winrm set winrm/config/service/auth @{Kerberos="true"}

Check for and enable Kerberos authentication on the WinRM client:

c:\> winrm get winrm/config/client
c:\> winrm set winrm/config/client/auth @{Kerberos="true"}

Test the WinRM connection to this scripting box, preferably from another machine:

c:\> winrm identify -r:https://winrm_server.domain.com:5986 -auth:Kerberos -u:user_name@domain.com -p:password -encoding:utf-8
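The listener is only as trustworthy as the certificate bound to it, so it helps to check the certificate before creating the listener. The following is an added example, not part of the original post: it selects a certificate from the machine store that has a private key, is within its validity period, carries the Server Authentication EKU and names this host, then creates the HTTPS listener with it and enables Kerberos on the service. It assumes PowerShell 4.0 or later, that the certificate was issued for the machine's FQDN (no wildcard), and that it is installed in LocalMachine\My.

```powershell
# Added example (not from the original post). Run elevated on the PowerShell VM.
$ErrorActionPreference = 'Stop'

# Assumption: the certificate from Step 2 was issued for this machine's FQDN.
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now           = Get-Date

# Candidates: private key present, inside validity window, Server
# Authentication EKU, and a DNS name that matches the FQDN clients will use.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        ($_.DnsNameList.Unicode -contains $fqdn)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable Server Authentication certificate for $fqdn in LocalMachine\My."
}
# The chain must validate on this machine (basic validation policy).
if (-not $cert.Verify()) {
    throw "Certificate $($cert.Thumbprint) failed chain validation."
}

# Create the HTTPS listener only if none exists, bound to the validated cert.
$https = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($https) {
    Write-Warning 'An HTTPS listener already exists; check its CertificateThumbprint.'
} else {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
}

# Same setting as: winrm set winrm/config/service/auth @{Kerberos="true"}
Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos -Value $true

# Show the resulting listeners.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
```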

Create or edit the krb5.conf file on the vRA/vRO appliance. If vRO is integrated with vRA, this file will already exist at /etc/krb5.conf.

[libdefaults]
        default_realm = AD.DOMAIN.LOCAL
        udp_preference_limit = 1
[realms]
        AD.DOMAIN.LOCAL = {
                kdc = AD01.ad.domain.local
                admin_server = AD01.ad.domain.local
                default_domain = ad.domain.local
        }
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log

Setting udp_preference_limit = 1 forces Kerberos to use TCP instead of UDP.

You will now need to restart the Orchestrator server service:

service vco-server restart

In Orchestrator, launch the Add a PowerShell Host workflow under PowerShell -> Configuration.

Any questions? Feel free to reach out to me on Twitter.
