Secure vRO PowerShell Host
Certificates can be a pain to configure in Windows and especially when trying to use with WINRM\Powershell. Follow this post to secure Powershell with HTTPS and add a secure “PowerShell Host” to VMware Orchestrator.
What’s Needed
For this setup you will need a Microsoft Active Directory CA setup and configured.
CA Template
For this setup you could use an existing certificate template such as “Web Server” but for this guide we are going to create a template that is active directory integrated making things a little easier.
Create Template
Start by logging into your CA and opening the Certificate Templates console: open MMC and add the “Certificate Templates” snap-in. Find the template “Web Server” and duplicate it.
Let’s rename the template for this purpose and extend the validity period if needed.
I selected to have the ability to export the private key. Not really needed but a nice to have.
Change the minimum key size to at least 2048 bits.
Add the required group or users that will be requesting this certificate. I just used ‘Domain Admins’ for this example.
Set the subject name to be built from Active Directory information. This way no additional information is required in the request.
Hit OK to save the template.
Publish Template
Open up “Certificate Authority” from the Start menu and select “Certificate Templates”.
Select the template you created in the previous step.
The certificate template is now ready to go.
Powershell Host Configuration
Certificate Request
Let’s open the Certificates snap-in on our PowerShell host: run MMC and add the Certificates snap-in for the local computer.
From the local computer’s Personal store, request a new certificate.
Select Active directory and from the template selection check the template created earlier.
Hit Enroll to request and install the new certificate.
Document the certificate thumbprint for the following steps. Copy it into Notepad and remove the spaces with find and replace.
Bind Certificate to WINRM
We first need to enable WinRM and open the firewall rules. Open an administrative command prompt and run:
winrm quickconfig -transport:https
If there is only one certificate in the Personal certificate store, chances are everything is ready to go. Run the following command and verify that the thumbprint matches.
winrm get winrm/config/listener?Address=*+Transport=HTTPS
If it doesn’t match, or if you have multiple certificates, you will need to run the following commands.
Delete the current HTTPS listener:
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
Now re-create the listener with the certificate we created. Make sure to use the thumbprint without spaces and verify it gets copied correctly. For some reason I have had issues where a rogue ‘?’ gets added to the thumbprint string. (Note the hostname is in common-name format, not FQDN.)
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="iaas01";CertificateThumbprint="7c0cdc758bb93d70858e6352225a668eaee66da1"}
Now verify the listener is using the correct certificate.
winrm get winrm/config/listener?Address=*+Transport=HTTPS
If you prefer to allow remote access only from the VMware Orchestrator server, run the following command:
winrm s winrm/config/client @{TrustedHosts="vro.domain.com"}
If you prefer to open it to all remote connections:
winrm s winrm/config/client @{TrustedHosts="*"}
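The WinRM steps above (check the certificate, bind it to the HTTPS listener, confirm the firewall opening) collected into one script is shown below. This is an added example written for this post, not the author's own commands; it uses the WSMan: drive equivalents of the winrm.cmd lines and runs from an elevated PowerShell prompt on the PowerShell host. The host name and thumbprint are the ones from this post; the vRO address is a placeholder. One caveat worth knowing: TrustedHosts is a setting of the local WinRM client (which remote machines this host will connect out to with non-Kerberos authentication); it does not restrict inbound connections to the listener, so the script scopes the inbound firewall rule to the vRO address for that purpose.

```powershell
# Added example: validate the enrolled certificate, bind it to the WinRM HTTPS listener
# and check the firewall, equivalent to the winrm commands in the post.
# Assumed values: host name and thumbprint as in the post; $vRoAddress is a placeholder.
$HostName           = 'iaas01'
$ExpectedThumbprint = '7c0cdc758bb93d70858e6352225a668eaee66da1'
$vRoAddress         = '10.0.0.50'   # placeholder: IP address of the vRO appliance

# Thumbprints copied out of the MMC certificate dialog can carry invisible characters
# (the "rogue ?" mentioned above). Keep only hex digits and insist on a full SHA-1 length.
$Thumbprint = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint is not 40 hex characters: '$ExpectedThumbprint'" }

# The certificate must sit in the local machine Personal store with its private key,
# be unexpired, use an RSA key of at least 2048 bits and name this host.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)                    { throw "No certificate $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key; re-enroll on this host" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa -or $rsa.KeySize -lt 2048) { throw "Certificate key is not RSA of at least 2048 bits" }
$names = @($cert.DnsNameList.Unicode) + $cert.GetNameInfo('SimpleName', $false)
if (-not ($names | Where-Object { $_ -eq $HostName -or $_ -like "$HostName.*" })) {
    Write-Warning "Certificate names ($($names -join ', ')) do not include '$HostName'"
}

# Locate the existing HTTPS listener (if any) and compare its bound thumbprint,
# the equivalent of: winrm get winrm/config/listener?Address=*+Transport=HTTPS
$httpsListener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
$bound = $null
if ($httpsListener) {
    $bound = (Get-Item "WSMan:\localhost\Listener\$($httpsListener.Name)\CertificateThumbprint").Value
}
if ($bound -and (($bound -replace '[^0-9A-Fa-f]', '').ToUpper() -eq $Thumbprint)) {
    Write-Host "HTTPS listener is already bound to $Thumbprint"
} else {
    if ($httpsListener) {
        # Equivalent of: winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
        Remove-Item "WSMan:\localhost\Listener\$($httpsListener.Name)" -Recurse -Force
    }
    # Equivalent of the winrm create command in the post (hostname in common-name format).
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbprint $Thumbprint -HostName $HostName -Force | Out-Null
    Write-Host "HTTPS listener (re)created with certificate $Thumbprint"
}

# Inbound restriction belongs in the firewall, not in TrustedHosts. Report any existing
# inbound rule for TCP 5986 and its remote-address scope; create a scoped one if none exists.
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 5986 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
if ($rules) {
    foreach ($r in $rules) {
        $scope = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        Write-Host "Inbound rule '$($r.DisplayName)' allows TCP 5986 from: $scope"
        if ($scope -contains 'Any') {
            Write-Warning "Rule '$($r.DisplayName)' is open to any remote address; consider limiting it to $vRoAddress"
        }
    }
} else {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS from vRO' -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -RemoteAddress $vRoAddress -Action Allow | Out-Null
    Write-Host "Created inbound rule for TCP 5986 limited to $vRoAddress"
}
```

Run it once after enrolling the certificate; it is safe to re-run, since it only recreates the listener when the bound thumbprint differs and only adds a firewall rule when none covers port 5986.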
We are now ready to add to vRO
Add PowerShell Host
From the vRO client, start the workflow “Add a PowerShell Host” and enter the information for the PowerShell host. Make sure to use port 5986.
Select HTTPS as the transport type, accept all certificates, and make sure Kerberos is selected for authentication.
When entering the credentials for the PowerShell user make sure to type in as UPN format ([email protected])
PowerShell host should now be successfully added and ready for some action!
If preferred, you can run the “Validate a PowerShell host” workflow to verify.
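Because the workflow is configured to accept all certificates, vRO itself will not notice a wrong, expired or untrusted certificate on the host. The script below, an added example that is not part of the original post or of VMware's workflows, performs that check from another domain-joined Windows machine: it reads the certificate the listener presents on port 5986, pins it to the thumbprint recorded earlier, validates the chain and the name, and then runs Test-WSMan with the same settings the workflow uses (HTTPS, port 5986, Kerberos, UPN credentials). The host name and thumbprint are the ones from this post.

```powershell
# Added example: verify a PowerShell host's WinRM HTTPS endpoint from another
# domain-joined Windows machine. Assumed values: host name and thumbprint from the post.
$ComputerName       = 'iaas01'
$Port               = 5986
$ExpectedThumbprint = '7C0CDC758BB93D70858E6352225A668EAEE66DA1'

function Get-WinRmServerCertificate {
    # Open a TLS session to the listener and return the certificate it presents.
    param([string]$ComputerName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # The callback accepts anything on purpose: the checks are done explicitly below
        # against the pinned thumbprint, the chain and the name, and reported individually.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

$cert = Get-WinRmServerCertificate -ComputerName $ComputerName -Port $Port
$ok = $true

# 1. Pin: the listener must present exactly the certificate enrolled on the host.
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    Write-Warning "Thumbprint mismatch: expected $ExpectedThumbprint, got $($cert.Thumbprint)"; $ok = $false
}
# 2. Chain: it must validate to a CA this machine trusts (the AD CA is trusted domain-wide).
if (-not $cert.Verify()) {
    Write-Warning "Certificate chain does not validate to a trusted CA on this machine"; $ok = $false
}
# 3. Name: the certificate must name the host (short name or FQDN).
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if (-not ($dnsName -eq $ComputerName -or $dnsName -like "$ComputerName.*")) {
    Write-Warning "Certificate name '$dnsName' does not match '$ComputerName'"; $ok = $false
}
# 4. Lifetime: warn well ahead of expiry so the listener can be re-bound in time.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)"; $ok = $false
}

if ($ok) {
    Write-Host "Certificate checks passed for $ComputerName ($($cert.Thumbprint), valid until $($cert.NotAfter))"
    # Same settings as the vRO workflow: HTTPS, port 5986, Kerberos, user in UPN format.
    $cred = Get-Credential -Message 'PowerShell host service account, UPN format (user@domain)'
    Test-WSMan -ComputerName $ComputerName -Port $Port -UseSSL -Authentication Kerberos -Credential $cred
} else {
    Write-Warning "Fix the certificate problems above before adding $ComputerName to vRO"
}
```

A successful Test-WSMan returns the host's WSMan identity (product vendor and version); a Kerberos failure here, with the certificate checks passing, points at the credential or SPN rather than at TLS, which narrows down what to look at when the vRO workflow fails.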