VMware Cloud Community
inshsr
Contributor
Contributor

The vCenter Server is unable to decrypt passwords stored in the customization specification.

Hi

I am experiencing a strange phenomenon with OSCustomzation Specs which seems directly related to the PowerCLI version you use.

The problem arises in two fully separate vSphere environments (5.1U1 and 5.5U1) and on different computers (PowerCLI installations).

Below is a simple test script to isolate the problem.

$ServiceInstance    = Get-View ServiceInstance

$SessionManager     = Get-View $ServiceInstance.Content.SessionManager

# Set language for current session

$SessionManager.SetLocale("en_US")

$VCenter = Connect-VIServer -Server vcenter.mycompany.com

$VMName  = 'srvtest.mycompany.com'

$VMHost  = 'sidesx52.mycompany.com'

Remove-OSCustomizationSpec 'tmp01' -Confirm:$false

$OCSpec = New-OSCustomizationSpec -OSCustomizationSpec 'cs-abti-w2k12r2-64' -Name 'tmp01' -Type NonPersistent

#$OCSpec = Get-OSCustomizationSpec 'cs-abti-w2k12r2-64' | New-OSCustomizationSpec -Name 'tmp01' -Type NonPersistent

#$OCSpec = New-OSCustomizationSpec -Name 'tmp01' `

#   -FullName 'Abt. I' `

#   -OrgName 'MyCompany' `

#   -OSType 'Windows' `

#   -AdminPassword 'Test-1234' `

#   -Type NonPersistent `

#   -ChangeSid `

#   -Workgroup 'MYCOMPANY' `

#   -ProductKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX' `

#   -LicenseMode PerSeat `

#   -NamingScheme Fixed `

#   -NamingPrefix 'srvtest' `

#   -DnsSuffix 'mycompany.com' `

#   -Description 'Test Deployment' `

#   -TimeZone 100

  

# Update Spec with our desired IP information

Get-OSCustomizationNicMapping -Spec $OCSpec |

  Set-OSCustomizationNicMapping -IPmode UseStaticIP `

  -IpAddress '10.0.56.99' `

  -SubnetMask '255.255.255.0' `

  -DefaultGateway '10.0.56.1' `

  -Dns '10.0.37.53', '10.0.37.54'

# Change the OS Name (for Windows this is the Netbios Name)

$OCSpec = Set-OSCustomizationSpec -OSCustomizationSpec $OCSpec -NamingScheme Fixed -NamingPrefix 'srvtest' -DnsSuffix 'mycompany.com'

# Change the Administrator Password

$OCSpec = Set-OSCustomizationSpec -OSCustomizationSpec $OCSpec -AdminPassword 'Test-1234'

# Get Template to deploy from

$VMTemplate = Get-Template -Name 'tpl-win-2k12r2-64'

# Get VMHost to deploy new VM on

$VMHost = Get-VMHost -Name $VMHost

$newVM = New-VM -Name $VMName `

  -Datastore 'nfs_c105_2-AbtI_DMZ_s0_wds02' `

  -VMHost $VMHost `

  -Location (Get-Folder 'Test') `

  -ResourcePool '02-RP-DMZ-Abt.I' `

  -Template $VMTemplate `

  -Description 'Test VM Deployment' `

  -DiskStorageFormat 'thin' `

  -OSCustomizationSpec $OCSpec

Get-VM -Name $VMName | Get-NetworkAdapter | Set-NetworkAdapter -NetworkName "vDPG-DMZ-056" -StartConnected:$true -Confirm:$false | Out-Null

When I execute this sample under VMware-PowerCLI-5.5.0-1295336 (or lower) it works fine. VM is created and OS Customization is applied. The VM reboots two or three times and everything is fine.

If I execute the same code under PowerCLI version higher than 5.5.0-1295336 (e.g. VMware-PowerCLI-5.8.0-2057893) it fails with the following error:

New-VM : 04.12.2014 16:11:14    New-VM        The operation for the entity "tpl-win-2k12r2-64" failed with the following message: "The vCenter Server is unable to decrypt passwords stored in the customization specification."

At I:\Abt-I\Virtual Infrastructure\Scripts\TestDeploy.ps1:49 char:16

+ $newVM = New-VM <<<<  -Name $VMName `

    + CategoryInfo          : NotSpecified: (:) [New-VM], CannotDecryptPasswords

    + FullyQualifiedErrorId : Client20_TaskServiceImpl_CheckServerSideTaskUpdates_OperationFailed,VMware.VimAutomation.ViCore.

   Cmdlets.Commands.NewVM

The VM is created (cloned) but at the end of the process the above error is thrown and the OS customization spec is not applied.

If I comment the following line in the code everything works fine on PowerCLI version higher than 5.5.0-1295336. The customization then uses the password from the OS customization spec.

$OCSpec = Set-OSCustomizationSpec -OSCustomizationSpec $OCSpec -AdminPassword 'Test-1234'

But our real deployment script is much more complex and we do set the AdminPassword from another source than the OS customization spec. So the password in the OS customization spec is just a dummy value for us.

Believe me I have played around hours for identifying the problem but no luck so far. It seems that setting the AdminPassword manually in the object screws something up. I have read a lot about encryption of the passwords and maybe the root cause is somewhere in this direction.

If I build the whole OS customization spec ($OCSpec) from scratch/manually (large commented block near the beginning of the code) everything works fine including the correct AdminPassword set in the VM.

The problem seems to arise only when cloning an existing OS customization spec and then changing the AdminPassword. And I don't want to do it manually when there is the functionality available.

And not to forget: Up to PowerCLI version 5.5.0-1295336 everything works fine. So there must be a change in PowerCLI which causes this behaviour. I get the feeling that it is a bug in PowerCLI.

Any idea what changed?

Regards,
Oliver


Reply
0 Kudos
2 Replies
LucD
Leadership
Leadership

You're not the only one seeing this, see Set-VM The vCenter Server is unable to decrypt passwords stored in the customization specification e...

Does it make a difference when you make the OSCustomizationSpec persistent ?

Does it also give this error when the password only contains alphanumeric characters ?

When you export the OSCustomizationSpec to XML, what does it say for the PlainText tag; true or false ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

inshsr
Contributor
Contributor

Hi LucD

Your pointers were very helpful and I was able to further narrow down (work around) the problem.

You're not the only one seeing this, see Set-VM The vCenter Server is unable to decrypt passwords stored in the customization specification e...

Does it make a difference when you make the OSCustomizationSpec persistent ? YES (it works)

Does it also give this error when the password only contains alphanumeric characters ? YES

When you export the OSCustomizationSpec to XML, what does it say for the PlainText tag; true or false ? As far as I remember it is TRUE

OK. If I make the OS customization spec Persistent everything works fine even with PowerCLI version above 5.5.0-1295336 (in my case 5.8).
No error and the VMs are correctly customized.
Even the password which I change from script with

$OCSpec = Set-OSCustomizationSpec -OSCustomizationSpec $OCSpec -AdminPassword 'Test-1234'


is set correctly.


So this clearly shows that the problem only exists when using the NonPersistent option for cloning the OS customization spec on PowerCLI version above 5.5.0-1295336.

As a workaround I can use Persistent and use a specific name or GUID for the temporary OS customization spec. But even if I remove the temporary OS customization spec at the end of my script it still can happen that the script crashes and leaves the temporary OS customization spec in vCenter (Customization Specifications Manager). Not nice!

Anyway, in case an Admin/Operator has only Read-Permissions for OS customization specs this workaround is not going to work.

Therefore, I really would prefer the NonPersistent type but as it seems it is broken above PowerCLI 5.5.0-1295336.

I consider opening a case at VMware. They should look at this.

Regards,

Oliver

Reply
0 Kudos