How WinRM Kerberos delegate selection and command execution work

Harness uses the pywinrm library for WinRM Kerberos connections, so running any command over WinRM/Kerberos involves two parts:

  1. TGT generation using kinit
  2. Command execution

How the delegate is selected:
Each delegate tries to create a TGT using the kinit command, and every delegate that is able to create the TGT becomes eligible to execute the command.
One of the eligible delegates is then selected to run the actual command.

We have seen, in some special cases, a delegate that could create the TGT successfully but did not have permission to run the command. In those scenarios TGT generation succeeds but the command fails, and you might see an error such as (Failed to establish a new connection/Can't find client principal user@domain in cache collection).

Below is a sample script you can run on the delegate to test and verify that it has both kinds of access:

import sys

from winrm.protocol import Protocol


def run_command(endpoint, username, server_cert_validation, command, environment, workingDir, timeout):
    # transport='kerberos' authenticates with the Kerberos ticket already in
    # the credential cache (the TGT created by kinit), not with a password.
    p = Protocol(
        endpoint=endpoint,
        transport='kerberos',
        username=username,
        server_cert_validation=server_cert_validation,
        operation_timeout_sec=timeout,
        read_timeout_sec=timeout + 10)

    shell_id = p.open_shell(env_vars=environment, working_directory=workingDir)
    try:
        command_id = p.run_command(shell_id, command)
        try:
            std_out, std_err, status_code = p.get_command_output(shell_id, command_id)
        finally:
            # Release the remote command even if reading its output fails.
            p.cleanup_command(shell_id, command_id)
    finally:
        # Always close the remote shell so it is not left open on the host.
        p.close_shell(shell_id)

    if status_code == 0:
        sys.stdout.buffer.write(std_out)
    else:
        sys.stdout.buffer.write(std_err)
        sys.exit(1)


# 'ignore' turns off TLS certificate validation for this test; pywinrm also accepts 'validate'.
run_command('https://windowshost.com:5986/wsman', 'username@domain', 'ignore', 'dir', {}, '%TEMP%', 10000)

Output for successful execution:

 Volume in drive C has no label.
 Volume Serial Number is xxxxx

 Directory of C:\Users\username\AppData\Local\Temp

04/27/2021  01:07 PM    <DIR>          .
04/27/2021  01:07 PM    <DIR>          ..
04/27/2021  01:08 PM    <DIR>          2
               0 File(s)              0 bytes
               3 Dir(s)  190,836,162,560 bytes free

Below is the output for one of the failure cases:

kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ("Can't find client principal user@domain in cache collection", -1765328243))
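The failure above reports that the client principal was not found in the credential cache collection. As an added example (not part of the original article and not Harness code), the check below parses the output of klist -A on the delegate and reports whether a non-expired TGT exists for the exact principal passed to pywinrm. The sample klist output, the principal svc_deploy@EXAMPLE.COM, the US-style date format and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of MIT `klist -A` output (not captured from a real host).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_deploy@EXAMPLE.COM

Valid starting       Expires              Service principal
04/27/2021 13:00:00  04/27/2021 23:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/27/2021 13:01:10  04/27/2021 23:00:00  HTTP/windowshost.example.com@EXAMPLE.COM
"""

STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
FMT = "%m/%d/%Y %H:%M:%S"  # assumption: klist prints dates as in the sample


def parse_caches(klist_text):
    """Return {default principal: [(expiry, service principal), ...]} per cache."""
    caches, current = {}, None
    for line in klist_text.splitlines():
        if line.startswith("Default principal:"):
            current = caches.setdefault(line.split(":", 1)[1].strip(), [])
        elif current is not None:
            m = TICKET.match(line.strip())
            if m:
                current.append((datetime.strptime(m.group(2), FMT), m.group(3)))
    return caches


def check_tgt(klist_text, principal, now):
    """Classify the state of the credential cache for `principal` at time `now`."""
    caches = parse_caches(klist_text)
    if principal not in caches:
        # Kerberos principals are case-sensitive: user@domain != user@DOMAIN
        if any(p.lower() == principal.lower() for p in caches):
            return "case-mismatch"
        return "principal-not-in-cache"
    tgts = [exp for exp, svc in caches[principal] if svc.startswith("krbtgt/")]
    if not tgts:
        return "no-tgt"
    return "ok" if max(tgts) > now else "tgt-expired"


if __name__ == "__main__":
    print(check_tgt(SAMPLE_KLIST, "svc_deploy@EXAMPLE.COM", datetime(2021, 4, 27, 14, 0)))
```

A result other than ok points at the TGT/cache side of the problem; a result of ok combined with a failing command points at permissions on the Windows host.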