Kerberos Authentication Support for Unix and Linux computers
System Center Operations Manager version 1801 communicates with UNIX and Linux computers using the Secure Shell (SSH) protocol and Web Services for Management (WS-Management). Agent actions such as agent install, uninstall, and update occur over SSH and require a privileged account. Agent discovery and monitoring use WS-Management and require only a low-privileged account.
Operations Manager can now use Kerberos authentication wherever the Management Server uses the WS-Management protocol to communicate with UNIX and Linux computers. Kerberos support for UNIX and Linux computers improves security because the Management Server no longer needs to enable basic authentication for Windows Remote Management (WinRM).
Operations Manager Unix and Linux Kerberos Support by Activity
|Activity||Protocol||Support for Kerberos|
UNIX and Linux Monitoring with Operations Manager is supported on a number of operating systems.
The following subset of those operating systems now supports WS-Management communication over Kerberos. (Only the most recently released version of each distribution will be supported.)
|Red Hat Enterprise Linux Server||6|
|Red Hat Enterprise Linux Server||7|
The UNIX or Linux agent must be domain joined.
Run As accounts must be configured to use domain-based accounts that are associated with the appropriate Unix/Linux Run As Profile.
Enabling Kerberos authentication assumes that all UNIX and Linux agents communicating with the management server support Kerberos. Mixed-mode authentication, where some agents use basic authentication and others use Kerberos, is not supported.
Steps to enable Kerberos Authentication on a management server
Open the Operations console with an account that is a member of the Operations Manager Administrators role.
Select Monitoring > Data Warehouse > Collection Servers > Management Server Name.
In the right-hand task pane, select Enable Linux Authentication Type.
This task enables or disables Kerberos authentication for Linux monitoring on the management server.
The task sets the registry entry Authentication to Kerberos at the following location:
HKLM:\Software\Microsoft\Microsoft Operations Manager\3.0\Setup\Linux Auth
Repeat the above steps on all management servers that communicate with UNIX or Linux agents.
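Because mixed-mode authentication is not supported and the task must be repeated on every management server, it helps to confirm that the registry entry is consistent across all of them. The following PowerShell is an added example, not part of the original procedure or the product. It assumes PowerShell remoting is enabled on the management servers and uses placeholder server names.

```powershell
# Added example: audit the Linux authentication setting on each management server.
# Server names are placeholders (assumption); replace them with your own.
$ManagementServers = @('MS01.example.test', 'MS02.example.test')

# Registry key, value name and expected data as described in the steps above.
$KeyPath   = 'HKLM:\Software\Microsoft\Microsoft Operations Manager\3.0\Setup\Linux Auth'
$ValueName = 'Authentication'
$Expected  = 'Kerberos'

$results = foreach ($server in $ManagementServers) {
    try {
        # Read the value remotely; yields $null when the key or value is absent.
        $value = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            param($Path, $Name)
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        } -ArgumentList $KeyPath, $ValueName

        [pscustomobject]@{
            Server = $server
            Value  = if ($null -eq $value) { '<not set>' } else { $value }
            Status = if ($value -eq $Expected) { 'OK' } else { 'MISMATCH' }
        }
    }
    catch {
        # Server unreachable or remoting refused: report it instead of stopping the audit.
        [pscustomobject]@{
            Server = $server
            Value  = '<unreachable>'
            Status = 'ERROR: ' + $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# Flag any server that is not set to Kerberos so the task can be re-run there.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("Not set to {0}: {1}" -f $Expected, ($bad.Server -join ', '))
}
```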
Verify Kerberos Authentication via Console
To validate that Kerberos authentication is working successfully from the Operations Manager console:
Click Monitoring > UNIX/Linux Computers, and then select a UNIX or Linux computer.
In the right-hand Task pane, select Memory Information.
Confirm that the task runs successfully.
Verify Kerberos Authentication from the Command Line
To validate Kerberos authentication between a management server and a UNIX or Linux agent from the command line, perform the following:
Launch a command prompt as administrator from the management server, and run the script below while substituting the applicable information for servername, username, and password.
winrm e http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -r:https://<UNIX/Linux servername>:1270 -u:<firstname.lastname@example.org> -p:<password> -auth:Kerberos -skipcacheck -skipcncheck -encoding:utf-8
Verify the output indicates the command was successful.