How to configure Kerberos Authentication with vRA 7

With vRealize Automation 7, you can now log in to the vRA 7 portal without providing credentials. The vRA portal automatically uses the credentials of the user who is logged in to the Windows server or desktop system. This behaviour is called login via Kerberos Authentication (only supported on Windows operating systems).

This blog article describes how to set this up.

  1. I assume that a directory has already been configured. In my case this is a directory of the type Active Directory with IWA (Integrated Windows Authentication).
  2. Now go to Administration –> Directories Management –> Connectors. Here you can find your Connectors. By default only Password Authentication has been configured.
  3. Click on the Worker link in your connector configuration.
  4. Navigate to the Auth Adapters tab. Here you can see that the KerberosIdpAdapter is Disabled.
  5. Click on the KerberosIdpAdapter link and provide the Directory UID Attribute. In my case it is sAMAccountName. Also enable the checkbox “Enable Windows Authentication” and click “Save”.
  6. Now you can see that the KerberosIdpAdapter has been enabled.
  7. Go back to the vRA portal where your connector has been configured. As you can see, both Authentication Methods, “Kerberos” and “Password”, are now available.
  8. Now let's configure the priority of these Authentication Methods. Go to Administration –> Directories Management –> Policies. Here you can see that only the Authentication Method “Password” has been configured for Device Type “Web Browser” in the default_access_policy_set.
  9. Now click on the default_access_policy_set link.
  10. Click on the configured Authentication Method of the Device Type “Web Browser”.
  11. Change the policy rule by configuring Kerberos as the primary authentication method and password as the fallback authentication method. Next, save the updated policy rule.
  12. Now you can see that the Authentication Method of the Device Type “Web Browser” has been configured for Kerberos. Click Save again.
  13. Go to Administration –> Directories Management –> Identity Providers. Click on the Identity Provider link. In my case this is WorkspaceIDP__1.
  14. Click on the Identity Provider link (in my case WorkspaceIDP__1) and find the configured IdP Hostname. Remember the IdP Hostname because you need it to configure your web browsers.
  15. Finally we need to configure the web browser for Kerberos authentication. For Internet Explorer and Google Chrome do the following. Open Internet Explorer, go to Internet Options and select the Security tab.
  16. Select Local Intranet and click Sites.
  17. Click Advanced and click Add this website to the zone. The configured IdP Hostname is expected here. Click Close.
  18. Now close your Internet Explorer and Google Chrome web browsers and test your vRA Portal with Kerberos authentication.
  19. For the Firefox web browser it works a little bit differently. Open Firefox and type “about:config” in the address bar. Click on the button “I’ll be careful, I promise!”.
  20. In the search bar type “network.neg”.
  21. Populate the Preference Name “network.negotiate-auth.trusted-uris” with the configured IdP Hostname.
  22. Now close your Firefox web browser and test your vRA Portal with Kerberos authentication.
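
To check the result of steps 19 to 21 on a workstation, the following added example (not part of the original article) reads a Firefox prefs.js or user.js file and reports whether “network.negotiate-auth.trusted-uris” is limited to the IdP Hostname. The hostname vra-idp.corp.example, the sample file contents and the flagging policy (scheme-only, whole-domain and plain-HTTP entries are reported) are assumptions made for this example.

```python
import re

PREF = "network.negotiate-auth.trusted-uris"
# One preference line as written in a Firefox prefs.js / user.js file.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);')

# Constructed sample contents; vra-idp.corp.example is a placeholder IdP Hostname.
SAMPLE_GOOD = 'user_pref("network.negotiate-auth.trusted-uris", "https://vra-idp.corp.example");\n'
SAMPLE_BAD = '''user_pref("browser.startup.page", 3);
user_pref("network.negotiate-auth.trusted-uris", "https://, .corp.example, http://vra-idp.corp.example");
'''

def trusted_entries(prefs_text):
    """Return the comma-separated entries of the pref (the last definition wins)."""
    value = ""
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == PREF:
            value = m.group(2)
    return [e.strip() for e in value.split(",") if e.strip()]

def parse_entry(entry):
    """Split one entry into (scheme, host); either part may be empty."""
    scheme, sep, rest = entry.lower().partition("://")
    if not sep:  # no scheme given: the whole entry is the host part
        scheme, rest = "", entry.lower()
    return scheme, rest.split("/", 1)[0].split(":", 1)[0]

def audit(prefs_text, idp_hosts):
    """Report IdP hosts missing from the pref and entries wider than intended."""
    allowed = {h.lower() for h in idp_hosts}
    seen, findings = set(), []
    for entry in trusted_entries(prefs_text):
        scheme, host = parse_entry(entry)
        if not host:
            findings.append((entry, "scheme only, not limited to a host"))
        elif scheme == "http":
            findings.append((entry, "plain HTTP"))
        elif host.startswith("."):
            findings.append((entry, "whole-domain entry"))
        elif host not in allowed:
            findings.append((entry, "host not in the expected list"))
        else:
            seen.add(host)
    return {"missing": sorted(allowed - seen), "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_BAD, ["vra-idp.corp.example"]))
```

An empty "findings" list together with an empty "missing" list means the browser offers Kerberos authentication only to the IdP Hostname.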

How to configure “Connect using SSH” for Linux virtual machines with vRA 7

With vRealize Automation you can configure an Action (Day 2 Operation) named “Connect using SSH”. This blog article describes how to set this up.

First you need to include the action “Connect using SSH” in your entitlement.

Next you need to assign the following custom properties to your blueprint.

VMware.VirtualCenter.OperatingSystem = centos64Guest
Machine.SSH = True

In my example I am going to use CentOS 6.3. The value of the custom property VMware.VirtualCenter.OperatingSystem must be the corresponding VirtualMachineGuestOsIdentifier, which in this scenario is centos64Guest.

I am using a Property Group named CentOS for this, which contains the required custom properties. This Property Group is added to my blueprint.

This should be all, and we can test this functionality now. However, if your web browser is not aware of SSH, you will end up in the following situation.

[Screenshot: web browser not aware of SSH]

To fix this we have a couple of options.

Fix 1: Using a web browser addon like FireSSH

https://addons.mozilla.org/en-US/firefox/addon/firessh/

After installing FireSSH for the Firefox web browser, you will see the following when you click on the vRA Action “Connect using SSH”.

[Screenshots: Connect using SSH with FireSSH (1 to 3)]

Fix 2: Using an SSH client like KiTTY

http://www.9bis.net/kitty/

http://www.fosshub.com/KiTTY.html

After downloading KiTTY you need to register it as an SSH handler, as in the screenshot below.

[Screenshot: KiTTY SSH handler registration]

Now you can click again on the vRA Action “Connect using SSH”. This time you will see the following.

[Screenshots: Connect using SSH with KiTTY (1 to 3)]