brooklyn-dev mailing list archives

From ahgittin <...@git.apache.org>
Subject [GitHub] brooklyn-docs pull request: Details about using CredSSP in Windows
Date Mon, 28 Mar 2016 10:18:10 GMT
Github user ahgittin commented on a diff in the pull request:

    https://github.com/apache/brooklyn-docs/pull/36#discussion_r57560080
  
    --- Diff: guide/yaml/winrm/index.md ---
    @@ -289,11 +289,25 @@ When a script is run over WinRM, the credentials under which the
script are run
     solution is to obtain a new set of credentials within the script and use those credentials
to 
     required commands.
     
    -Certain Windows registry keys must be reconfigured in order to support re-authentication.
For 
    -clouds that support an init script, Brooklyn can take care of this at instance boot time,
as part 
    -of the setup script. For clouds where an init script is not (currently) supported, such
as Azure, 
    -it is assumed that the VM is already correctly configured. Please ensure that Brooklyn's
changes 
    -are compatible with your organisation's security policy.
    +The WinRM client uses Negotiate+NTLM to authenticate against the machine.
    +This mechanism applies certain restrictions to executing commands on the windows host.
    +
    +For this reason you should enable CredSSP on the windows host which grants all privileges
available to the user.
    + https://technet.microsoft.com/en-us/library/hh849719.aspx#sectionSection4
    +
    +To use `Invoke-Command -Authentication CredSSP` the Windows Machine has to have:
    +- Up and running WinRM over http. Notice that we support winrm over https but for Invoke-Command
to work it needs up and running winrm over http.
    +  Apache Brooklyn can winrm over https but if the install script has inside it `Invoke-Command
-Authentication CredSSP` then winrm over http has to be enabled as well.
    +- Added trusted host entries which will use Invoke-Command
    +- Allowed CredSSP
    +
    +All the above requirements are enabled in Apache Brooklyn through [brooklyn-server/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1](https://github.com/apache/brooklyn-server/blob/master/software/base/src/main/resources/org/apache/brooklyn/software/base/custom-enable-credssp.ps1)
    +script which enables executing commands with CredSSP in the general case.
    +The script works for most of the Windows images out there version 2008 and later.
    +
    +Please ensure that Brooklyn's changes are compatible with your organisation's security
policy.
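Review bot: The new paragraph at `+For this reason you should enable CredSSP on the windows host which grants all privileges available to the user.` misstates what CredSSP does and leaves out the caveat a reader needs before enabling it. The restriction behind the Negotiate+NTLM sentence is the double-hop problem: an NTLM-authenticated WinRM session holds no delegable credential, so anything in the script that reaches a network resource as the user fails. CredSSP does not grant privileges; it delegates the user's credentials (user name and password) to the target host, which can then authenticate onward with them, and can also misuse them if the host is compromised. Suggest wording along the lines of "CredSSP delegates the user's credentials to the Windows host so that commands in the session can authenticate to other machines; the host receives the credentials in a reusable form, so enable it only on hosts trusted to that extent", and moving the "Please ensure that Brooklyn's changes are compatible with your organisation's security policy" sentence next to it rather than leaving it as a trailing line. Two smaller points in the bullet list: "Added trusted host entries which will use Invoke-Command" should say which side gets the TrustedHosts entry, and "Allowed CredSSP" should say it is needed on both ends (`Enable-WSManCredSSP -Role Server` on the host, `-Role Client` on the side issuing `Invoke-Command`). The http-only requirement would also be clearer with the reason: `Invoke-Command` uses the HTTP listener unless `-UseSSL` is given, which is why an in-script `Invoke-Command -Authentication CredSSP` needs the HTTP listener even when Brooklyn itself connects over HTTPS. Finally, the link to `custom-enable-credssp.ps1` points at `master` and will drift; pin it to a tag or commit so the documented behaviour matches the script the reader opens.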
    --- End diff --
    
    [nit] US English `s/s/z/`

