Create WinRM Connection Using Kerberos

Updated 3 weeks ago by Chakravarthy Tenneti

Harness supports WinRM authentication using Kerberos, enabling you to connect to a target host via the Kerberos protocol. For a quick Kerberos summary, see Explain like I’m 5: Kerberos by Lynn Root.

Step 1: Add SPN to the Active Directory Server

Register the following Service Principal Names (SPNs) for the target host in Active Directory using the setspn command:

WSMAN/<Fully Qualified Domain Name>@<REALM>
HTTP/<Fully Qualified Domain Name>@<REALM>
HTTP/<Fully Qualified Domain Name>
WSMAN/<Fully Qualified Domain Name>

For more information about setting the SPN using the setspn command, see Microsoft’s Setspn documentation.

For example, if the fully qualified domain name is 221.213.188.35.bc.googleusercontent.com and the Realm name is KERBEROS.LOCAL then add the following:

WSMAN/251.200.188.35.bc.googleusercontent.com@KERBEROS.LOCAL
HTTP/251.200.188.35.bc.googleusercontent.com@KERBEROS.LOCAL
HTTP/251.200.188.35.bc.googleusercontent.com
WSMAN/251.200.188.35.bc.googleusercontent.com

Step 2: Access WinRM Configuration

In Secrets Management, under Execution Credentials, click WinRM Connection.

Click Add WinRM Connection.

The WinRM Connection Attributes dialog appears.

Step 3: Display Name

Enter a name to identify the connection. You will use this name to select the connection when setting up the Connection Attributes in the environment's Service Infrastructure.

Step 4: Auth Scheme

Select Kerberos.

Step 5: Username

Username is a string that names a specific entity to which a set of credentials may be assigned. Enter the account name associated with the Kerberos account, such as johndoe.

Step 6: Domain

Domain is the logical network served by a single Kerberos database and a set of Key Distribution Centers (KDCs). This is where the service (that the user is trying to authenticate with) is located.

For example: US-EAST-2.COMPUTE.INTERNAL.

The target hosts that your WinRM connection authenticates with via Kerberos must be located in the domain whose name you enter in Domain.

For example, a host in that domain would be named ip-172-31-44-168.us-east-2.compute.internal. By convention the Kerberos domain (realm) name is written in all uppercase letters to distinguish it from the DNS domain name, but the Domain field does not enforce this convention.

Step 7: TGT Generation

Select this option to obtain a new Ticket Granting Ticket (TGT) from the KDC every time you authenticate with the service. This ensures that the TGT is valid and not expired when you try to authenticate.

Select one of the following options:

  • Key Tab File Path (on Delegate) - Enter the path to the keytab file on the Delegate host used for TGT generation.
  • Password - Enter the account password used for TGT generation.

Step 8: Keytab File Path

This field is displayed if you select Key Tab File Path for TGT Generation. Enter the file path to the keytab file on the server running the Harness Delegate. For example, /home/johndoe/a.keytab. The file is not uploaded to Harness.

To use the Kerberos WinRM connection to connect to a target host, select it in WinRM Connection Attributes while specifying the target host in the Service Infrastructure / Infrastructure Definition settings of an environment.

The target host that you want to authenticate with via Kerberos is entered in Host Name(s).

Note that the domain name used to identify the hosts in the Host Name(s) field is likely to be the same as the domain name you entered in Domain when configuring the WinRM connection.

The Host Name must be a DNS name, not an IP address, because the Kerberos service principal (WSMAN/<Fully Qualified Domain Name>) is derived from the host name. The connection will not succeed if you enter an IP address.
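Before clicking Test, it is worth checking the pieces this topic depends on from the Delegate side: that the Host Name is a DNS name rather than an IP address, that it sits under the value entered in Domain, that the keytab from Step 8 exists with restrictive permissions and contains the Username principal, and that the SPNs registered in Step 1 actually resolve at the KDC. The script below is an added example, not Harness or Microsoft code. It assumes MIT Kerberos client tools (kinit, klist, kvno, kdestroy) are installed on the Delegate host, that the Domain value is also the Kerberos realm, and that the user, realm, keytab path and host name passed on the command line are constructed sample values. A missing SPN surfaces in the kvno step as "Server not found in Kerberos database", which is the most common reason a Kerberos WinRM test fails.

```shell
#!/usr/bin/env bash
# Delegate-side preflight for a Harness Kerberos WinRM connection.
# Added example, not Harness code. Assumes MIT Kerberos client tools
# (kinit, klist, kvno, kdestroy) on the Delegate host; the Domain value
# is used as the Kerberos realm. All sample values are constructed.

# True when the value is an IPv4 literal. Host Name(s) must be a DNS name
# because the service principal WSMAN/<fqdn> is built from it.
is_ip_literal() {
    local ip=$1 n=0 oct
    case "$ip" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    local IFS=.
    for oct in $ip; do
        n=$((n + 1))
        [ "$oct" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# The target host's DNS suffix should match the Domain field (compared
# case-insensitively, since Domain is conventionally upper-case).
host_in_domain() {
    local h d
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$h" in *."$d") return 0 ;; *) return 1 ;; esac
}

# Keytab must exist, be readable by the Delegate user, and carry no
# group/other permission bits: it holds a long-term key, like a private key.
check_keytab_perms() {
    local path=$1 mode
    [ -f "$path" ] && [ -r "$path" ] || return 1
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# The Username principal (user@REALM) must be present in the keytab.
keytab_has_principal() {
    local path=$1 principal=$2
    command -v klist >/dev/null || { echo "klist not found" >&2; return 2; }
    klist -kt "$path" | grep -Fq -- "$principal"
}

# Usage: preflight <username> <DOMAIN/REALM> <keytab-path> <target-fqdn>
preflight() {
    local user=$1 domain=$2 keytab=$3 host=$4 spn rc=0
    if is_ip_literal "$host"; then
        echo "FAIL: Host Name(s) must be a DNS name, not an IP: $host" >&2
        return 1
    fi
    host_in_domain "$host" "$domain" ||
        echo "WARN: $host is not under domain $domain" >&2
    [ "$domain" = "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ] ||
        echo "WARN: $domain is not upper-case (convention, not enforced)" >&2
    check_keytab_perms "$keytab" ||
        { echo "FAIL: $keytab missing, unreadable, or readable by group/other" >&2; return 1; }
    keytab_has_principal "$keytab" "$user@$domain" ||
        { echo "FAIL: $user@$domain not found in $keytab" >&2; return 1; }

    # Private credential cache so the Delegate's own cache is left untouched.
    export KRB5CCNAME="FILE:$(mktemp)"
    kinit -kt "$keytab" "$user@$domain" ||
        { echo "FAIL: kinit with keytab failed" >&2; return 1; }

    # kvno requests a service ticket for each SPN from Step 1; an unregistered
    # SPN fails here with "Server not found in Kerberos database".
    for spn in "WSMAN/$host@$domain" "HTTP/$host@$domain"; do
        kvno "$spn" ||
            { echo "FAIL: no service ticket for $spn (SPN registered?)" >&2; rc=1; }
    done
    klist
    kdestroy
    return $rc
}

# Run only when explicitly requested, so the file can also be sourced for its checks.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    preflight "$@"
fi
```

Run it on the Delegate host as the user the Delegate runs under, for example `RUN_PREFLIGHT=1 ./winrm_krb_preflight.sh johndoe US-EAST-2.COMPUTE.INTERNAL /home/johndoe/a.keytab ip-172-31-44-168.us-east-2.compute.internal`. Both SPN forms are requested so that a host registered with only one of the WSMAN/ and HTTP/ entries from Step 1 is caught before Harness attempts the connection.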

Step 9: Test the Connection

Click Test to ensure that the connection is successful. Once the connection is successful, click Submit.