Channel: VMware Communities : Discussion List - vRealize Orchestrator

Orchestrator 5.5 PowerShell Plugin with Kerberos


Hi all,

so I'm tinkering around with the PowerShell plugin.

I successfully connected Orchestrator to a Win2k8R2 via a shared Kerberos connection (http) using administrator@mylab.local. However, I also created a DomainUser (member of the Domain-Admin group) called power@mylab.local, but using this user as the one that connects to the PowerShell host fails with Access Denied.

I checked from another Windows host in the domain that I can use winrm with the power user:

winrm id -r:scripting.mylab.local -a:Kerberos -u:power@mylab.local

 

So the question is: What do I need to do to get the power user to be able to be configured for the Shared Connection?

 

Error message in Orchestrator

Cannot find [XPath: //w:Selector[@Name='ShellId']] in
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
  <s:Header>
    <a:Action>http://schemas.dmtf.org/wbem/wsman/1/wsman/fault</a:Action>
    <a:MessageID>uuid:C0E368FE-D62F-47E6-B637-BFB956813C31</a:MessageID>
    <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
    <a:RelatesTo>uuid:F2AE72F0-1C6D-4FCE-9BA7-86882871F19B</a:RelatesTo>
  </s:Header>
  <s:Body>
    <s:Fault>
      <s:Code>
        <s:Value>s:Receiver</s:Value>
        <s:Subcode>
          <s:Value>w:InternalError</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="en-US">Access is denied.</s:Text>
      </s:Reason>
      <s:Detail>
        <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2147942405" Machine="scripting.mylab.local">
          <f:Message>
            <f:ProviderFault provider="Shell cmd plugin" path="%systemroot%\system32\winrscmd.dll">Access is denied.</f:ProviderFault>
          </f:Message>
        </f:WSManFault>
      </s:Detail>
    </s:Fault>
  </s:Body>
</s:Envelope>
 (Dynamic Script Module name : addPowerShellHost#16)

 

WinRM config (scripting.mylab.local):

  • winrm quickconfig
  • winrm set winrm/config/service/auth @{Kerberos="true"}
  • winrm set winrm/config/service @{AllowUnencrypted="true"}
  • winrm set winrm/config/winrs @{MaxMemoryPerShellMB="2048"}
  • winrm s winrm/config/client @{TrustedHosts="vro"}
  • reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

 

Kerberos Config (vro.mylab.local) /usr/java/jre-vmware/lib/security/krb5.conf

[libdefaults]
        default_realm = MYLAB.LOCAL
        udp_preferences_limit = 1
[realms]
        MYLAB.LOCAL = {
                kdc = addns.mylab.local
                default_domain = mylab.local
        }
[domain_realms]
        .mylab.local=MYLAB.LOCAL
        mylab.local=MYLAB.LOCAL
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
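
The following Python is an added example, not part of the original post and not the plugin's own code: it extracts the WS-Management fault embedded in the Orchestrator error message above and decodes its Code attribute as an HRESULT. The sample envelope is the post's fault cut down to the elements that are read, and the function and constant names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "f": "http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"}

# Constructed sample: the fault from the post, cut down to the elements read below.
SAMPLE_FAULT = r"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Body><s:Fault>
    <s:Reason><s:Text xml:lang="en-US">Access is denied.</s:Text></s:Reason>
    <s:Detail>
      <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"
                    Code="2147942405" Machine="scripting.mylab.local">
        <f:Message><f:ProviderFault provider="Shell cmd plugin"
          path="%systemroot%\system32\winrscmd.dll">Access is denied.</f:ProviderFault>
        </f:Message>
      </f:WSManFault>
    </s:Detail>
  </s:Fault></s:Body>
</s:Envelope>"""

FACILITY_WIN32 = 7        # HRESULT facility for wrapped Win32 error codes
ERROR_ACCESS_DENIED = 5   # Win32 error 5


def decode_hresult(code):
    """Split a 32-bit HRESULT into (failure bit, 11-bit facility, 16-bit code)."""
    return bool(code >> 31), (code >> 16) & 0x7FF, code & 0xFFFF


def triage_wsman_fault(text):
    """Pull the WSManFault out of a plugin error string; None if there is none."""
    # The plugin wraps the envelope in its own message, so cut at the outer tags.
    xml = text[text.index("<"): text.rindex(">") + 1]
    root = ET.fromstring(xml.encode("utf-8"))
    fault = root.find(".//f:WSManFault", NS)
    if fault is None:
        return None
    code = int(fault.get("Code"))
    failed, facility, low = decode_hresult(code)
    provider = fault.find(".//f:ProviderFault", NS)
    return {
        "machine": fault.get("Machine"),
        "provider": provider.get("provider") if provider is not None else None,
        "reason": root.findtext(".//s:Reason/s:Text", namespaces=NS),
        "hresult": f"0x{code:08X}",
        "win32_error": low if facility == FACILITY_WIN32 else None,
        "access_denied": failed and facility == FACILITY_WIN32
                         and low == ERROR_ACCESS_DENIED,
    }
```

For the fault in the post this gives HRESULT 0x80070005 (Win32 error 5, access denied) reported by the "Shell cmd plugin" provider on scripting.mylab.local. The leading "Cannot find [XPath ...]" text is the plugin looking for a ShellId selector in a response that is a fault envelope.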
