VMware Cloud Community
chavez9119
Contributor

Active Directory Authentication via Host profile

I am trying to apply a host profile via a PowerShell script that will add an ESXi host to my Active Directory domain.

$vCenter = Read-Host "Enter vCenter"
$esxhost = Read-Host "Enter FQDN of the ESXi host"
$ADdomaincreds = $host.ui.PromptForCredential("Enter Credentials", "Please enter your Active Directory username and password.", "", "")
$hostprofile = Read-Host "Enter HostProfile to apply"

# CONVERT SECURESTRING: copy the password out of the SecureString into a plain string
$CONVERT_AD_PASSWORD = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($ADdomaincreds.Password)
$AD_PASSWORD = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($CONVERT_AD_PASSWORD)
# free the unmanaged BSTR copy now that it has been read
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($CONVERT_AD_PASSWORD)

Connect-VIServer $vCenter

$hostprof = Get-VMHostProfile -Name $hostprofile
$applyhost = Get-VMHost $esxhost

Set-VMHost -VMHost $applyhost -State "maintenance"

# -ApplyOnly returns the variables the profile still needs for this host
$additionalConfiguration = Apply-VMHostProfile -ApplyOnly -Profile $hostprof -Entity $applyhost -Confirm:$false

# the next two assignments replace that result with a plain string
$additionalConfiguration = $ADdomaincreds.username
$additionalConfiguration = $AD_PASSWORD

$additionalConfiguration = Apply-VMHostProfile -Profile $hostprof -Entity $applyhost -Variable $additionalConfiguration -Confirm:$false

It runs with no errors, but when I look at the ESXi host it still says it is using Local Authentication. If I apply the host profile via the VI Client, it works with no issue. Is there anything else I need to set in the variable?

I have also tried using LucD's Set-VMHostADDomain function. That works, however, if I then apply my host profile to finish configuring the other components such as syslog, ntp, etc, the authentication gets reset to local authentication after a reboot.

0 Kudos
1 Solution

Accepted Solutions
nnedev
VMware Employee

Hi,

There is a bug in the Apply-VMHostProfile cmdlet that is already filed in our bug-tracking system. The fix will be available in a future release.

The issue is caused by using the wrong version of the API (4.0), which doesn't have support for Active Directory operations.

Here are the possible workarounds:

1. Join the domain without using the host profile functionality. Here is a simple script that can do that for you:

function JoinDomainWithAD ($vmhost, $domainName, $domainUser, $domainPassword) {
   # HostSystem view -> its HostAuthenticationManager
   $vmhostView = Get-View -Id $vmhost.Id
   $authenticationManagerView = Get-View -Id $vmhostView.ConfigManager.AuthenticationManager
   # SupportedStore lists the host's authentication stores; pick the Active Directory one
   $hostActiveDirectoryAuthenticationMoRef = $authenticationManagerView.SupportedStore | Where-Object { $_.Type -eq 'HostActiveDirectoryAuthentication' }
   $hostActiveDirectoryAuthentication = Get-View -Id $hostActiveDirectoryAuthenticationMoRef
   # JoinDomain takes the password as a plain string (blocking call; JoinDomain_Task is the async form)
   $hostActiveDirectoryAuthentication.JoinDomain($domainName, $domainUser, $domainPassword)
}

2. Implement host profiles solution with direct API calls (Get-View)

Let me know if you need anything else.

Regards,

Nedko Nedev

PowerCLI Development Team



0 Kudos
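The workaround above calls JoinDomain and returns. The following is an added example (not nnedev's code and not part of the original thread) that builds on the same API path but also checks the host's current membership before joining, keeps the plain-text password alive only for the duration of the call, and re-reads HostActiveDirectoryInfo afterwards so a join that reported no error but did not take effect is caught. It assumes an existing Connect-VIServer session and a vCenter exposing the 4.1-or-later API; the function name Join-VMHostToDomain and the host names in the usage comment are made up.

```powershell
# Added example, not code from the original thread. Assumes an active
# Connect-VIServer session against a vCenter that exposes the 4.1+ API
# (HostActiveDirectoryAuthentication with DomainMembershipStatus).
function Join-VMHostToDomain {
    param(
        [Parameter(Mandatory = $true)] [string] $VMHostName,
        [Parameter(Mandatory = $true)] [string] $DomainName,
        [Parameter(Mandatory = $true)] [pscredential] $DomainCredential
    )

    $vmhost   = Get-VMHost -Name $VMHostName
    $hostView = Get-View -Id $vmhost.Id -Property ConfigManager.AuthenticationManager
    $authMgr  = Get-View -Id $hostView.ConfigManager.AuthenticationManager

    # SupportedStore lists the authentication stores the host knows about (local and AD).
    $adRef = $authMgr.SupportedStore | Where-Object { $_.Type -eq 'HostActiveDirectoryAuthentication' }
    if (-not $adRef) {
        throw "$VMHostName does not expose an Active Directory authentication store"
    }
    $ad = Get-View -Id $adRef

    # Idempotency: do nothing if the host already reports healthy membership in this domain.
    if ($ad.Info.JoinedDomain -eq $DomainName -and $ad.Info.DomainMembershipStatus -eq 'ok') {
        return [pscustomobject]@{ VMHost = $VMHostName; Domain = $DomainName; Status = 'ok'; Action = 'none' }
    }

    # The API takes the password as clear text. Decrypt the SecureString only for the
    # call and wipe the unmanaged copy afterwards; the managed string still lives until GC.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($DomainCredential.Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $ad.JoinDomain($DomainName, $DomainCredential.UserName, $plain)
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    # Re-read the store from the server and verify, rather than trusting an error-free call.
    $ad.UpdateViewData('Info')
    $status = $ad.Info.DomainMembershipStatus
    if ($ad.Info.JoinedDomain -ne $DomainName -or $status -ne 'ok') {
        throw "JoinDomain returned without error but the host reports JoinedDomain='$($ad.Info.JoinedDomain)', DomainMembershipStatus='$status'"
    }
    [pscustomobject]@{ VMHost = $VMHostName; Domain = $DomainName; Status = $status; Action = 'joined' }
}

# Usage (interactive; host and domain names are placeholders):
# $cred = Get-Credential -Message 'AD account allowed to join computers to the domain'
# Join-VMHostToDomain -VMHostName 'esx01.example.com' -DomainName 'corp.example.com' -DomainCredential $cred
```

Later PowerCLI releases wrap the same API in Set-VMHostAuthentication -JoinDomain -Domain ... -Credential ..., which takes a PSCredential directly and so avoids the SecureString round-trip shown here; the membership check afterwards is still worth keeping, because the DomainMembershipStatus values other than ok (for example noServers or clientTrustBroken) are the only signal that the join is not actually usable.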
5 Replies
LucD
Leadership

The host profile you are using obviously was not created from a host that was already joined to an AD domain.

That is why you're back to local authorisation after you apply the profile.

The -Variable parameter on the Apply-VMHostProfile cmdlet should be used to pass values for any variables in the host profile. For example the name of the domain to join, the account and password to perform the join...

And this parameter expects a hash table, not a simple variable.

I have to admit that host profiles from PowerCLI are not completely clear to me yet :(

____________

Blog: LucD notes (lucd.info)

Twitter: @LucD22

Co-author PowerCLI Reference

0 Kudos
chavez9119
Contributor

So I changed my script to use a hashtable

$additionalConfiguration = @{
    'authentication.activeDirectory.ADUserNamePolicy.userName' = $ADdomaincreds.username
    'authentication.activeDirectory.ADPasswordPolicy.password' = $AD_PASSWORD
}

$additionalConfiguration = Apply-VMHostProfile -Profile $hostprof -Entity $applyhost -Variable $additionalConfiguration -Confirm:$false

It still didn't add it to the domain. I then changed my host profile so that it would also need my vMotion IP, because I wanted to see if any of these variables would work.

$additionalConfiguration = @{
    'network.hostPortGroup.ipConfig.IpAddressPolicy.address'    = '192.168.199.11'
    'network.hostPortGroup.ipConfig.IpAddressPolicy.subnetmask' = '255.255.255.0'
    'authentication.activeDirectory.ADUserNamePolicy.userName'  = $ADdomaincreds.username
    'authentication.activeDirectory.ADPasswordPolicy.password'  = $AD_PASSWORD
}

When I ran it with this, it successfully set my VMotion IP but still no success with adding to the domain.

0 Kudos
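LucD's point that -Variable expects a hash table, and the guessed policy paths in the two attempts above, both come down to one question: which variable names does this profile actually require for this host? The cmdlet answers that itself when run with -ApplyOnly. The following is an added example (my code, not the original poster's or VMware's) that uses that answer instead of hard-coding the paths, fills the AD keys from a PSCredential, refuses to apply with any value left blank, wipes the decrypted password afterwards, and then checks the host's authentication state instead of trusting an error-free run. It assumes an existing Connect-VIServer session, PowerCLI 5.x with Get-VMHostAuthentication, and a profile that carries AD settings; the function name Invoke-HostProfileWithAdJoin and the host/profile names in the usage comment are made up. In the PowerCLI build discussed in this thread the final check is the step that would have reported the problem.

```powershell
# Added example, not code from the original thread. Assumes an existing
# Connect-VIServer session, a host profile that carries Active Directory join
# settings, and the PowerCLI 5.x cmdlets Apply-VMHostProfile and
# Get-VMHostAuthentication. Function, host and profile names are made up.
function Invoke-HostProfileWithAdJoin {
    param(
        [Parameter(Mandatory = $true)] [string] $VMHostName,
        [Parameter(Mandatory = $true)] [string] $ProfileName,
        [Parameter(Mandatory = $true)] [pscredential] $DomainCredential,
        [hashtable] $ExtraVariables = @{}   # other required variables, e.g. a vMotion IP
    )

    $vmhost      = Get-VMHost -Name $VMHostName
    $hostProfile = Get-VMHostProfile -Name $ProfileName

    # Ask the cmdlet which variables the profile still needs for this host instead of
    # guessing the policy paths. With -ApplyOnly it returns that list as a hashtable
    # (with empty values) when input is required, and applies the profile straight
    # away when nothing is required.
    $required = Apply-VMHostProfile -Entity $vmhost -Profile $hostProfile -ApplyOnly -Confirm:$false

    if ($required -is [hashtable]) {
        # Decrypt the password only for the duration of the call and wipe the
        # unmanaged copy afterwards; the cmdlet itself needs a plain string.
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($DomainCredential.Password)
        try {
            $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

            foreach ($key in @($required.Keys)) {
                if ($key -match 'ADUserNamePolicy\.userName$') {
                    $required[$key] = $DomainCredential.UserName
                }
                elseif ($key -match 'ADPasswordPolicy\.password$') {
                    $required[$key] = $plain
                }
                elseif ($ExtraVariables.ContainsKey($key)) {
                    $required[$key] = $ExtraVariables[$key]
                }
            }

            # Refuse to apply with blanks: an empty password or address applied silently
            # is harder to diagnose than a failed run.
            $missing = @($required.Keys | Where-Object { [string]::IsNullOrEmpty($required[$_]) })
            if ($missing.Count -gt 0) {
                throw "Profile '$ProfileName' still needs values for: $($missing -join ', ')"
            }

            Apply-VMHostProfile -Entity $vmhost -Profile $hostProfile -Variable $required -Confirm:$false | Out-Null
        }
        finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
            $plain = $null
        }
    }

    # Verify the result on the host rather than trusting an error-free run.
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    [pscustomobject]@{
        VMHost           = $vmhost.Name
        Domain           = $auth.Domain
        MembershipStatus = $auth.DomainMembershipStatus
    }
}

# Usage (interactive; names and addresses are placeholders):
# $cred = Get-Credential -Message 'AD account allowed to join computers to the domain'
# Invoke-HostProfileWithAdJoin -VMHostName 'esx01.example.com' -ProfileName 'Cluster-Baseline' `
#     -DomainCredential $cred -ExtraVariables @{
#         'network.hostPortGroup.ipConfig.IpAddressPolicy.address'    = '192.168.199.11'
#         'network.hostPortGroup.ipConfig.IpAddressPolicy.subnetmask' = '255.255.255.0'
#     }
```

Printing $required.Keys once, before filling anything in, is the quickest way to confirm the exact variable paths a given profile exposes; the two AD paths used in the posts above are matched by suffix here so that the example works whether or not a profile prefixes them differently.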
LucD
Leadership

I have been playing with the ExecuteHostProfile method from the SDK to get the AD authentication configured, but to no avail.

Then I tried from the vSphere client, while using Onyx, to see what methods were used. But even with the vSphere client, setting up AD authentication doesn't work.

I was prompted for a user/password to perform the join but the form just stayed there and nothing happened.

And in Onyx I saw the following method call coming through

$hostParam = New-Object VMware.Vim.ManagedObjectReference
$hostParam.type = "HostSystem"
$hostParam.value = "host-26622"

$_this.ExecuteHostProfile($hostParam, $null)

which is definitely incorrect since the 2nd parameter should hold the values provided through the user prompt and not $null!

I'm pretty sure we're looking at a bug here. :(

____________

Blog: LucD notes (lucd.info)

Twitter: @LucD22

Co-author PowerCLI Reference

0 Kudos
m_pieters
Contributor

Is this issue fixed in 5.1?

There is a bug in Apply-VMHostProfile cmdlet that is already filed in our bugtracking system. The fix will be available in a future release.

The issue is caused by using wrong version of the API(4.0) that doesn't have support for active directory operations.

0 Kudos