logo

Experience in calling Poweshell Scripts from vRealize Orchestrator

Over the weekend, I’ve been trying to call Powershell scripts using vRealize Orchestrator.

Quick google yielded the following:

http://blogs.vmware.com/orchestrator/2011/12/vco-powershell-plug-in.html

I’ve followed the blog and was able to successfully call the script WITH one exception:  every time i started calling resource outside of the WINRM host from the ps script – it kept on failing. One example is  –  Adding DNS which required to call the Domain controller.

Another google and found this AWESOME article from Spas:

http://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/

TLDR:

Basically, you need to use CredSSP to impersonate calls. Since vRO, currently, does not support this – you need to configure the WinRM server to allow CredSSP/ Impersonation and call the script using CredSSP.

The following items needs to be enabled in the WinRM Host:
Go to gpedit.msc -> Choose Enabled for the items and add the following in the allowed servers: WSMAN/*.<your  domain>

2016-03-29_14-14-37

 

  1. Alan van Wyk Reply

    That leaves a bit of a security loophole, but is clearly the simplest method.
    I have gotten around this slightly differently – I have set up an SSH server on the Windows box that I use as a Powershell host and use SSH to hit the Windows box and kick off locally hosted Powershell scripts.
    Since they are executed locally, they don;t suffer from the 2 Hop security issue found when bouncing through WinRM Hosts.
    Sadly, it is not prettier than a blanket enabling of the policy above (and I have to handle code execution and credentials on the Powershell host)

Leave a Reply to Alan van Wyk Cancel reply

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.