VMware Cloud Community
GalNeb
Enthusiast

connect-viserver not passing thru user credentials in Windows 2016

I have been fighting this for quite some time. When I run "connect-viserver servername" it will prompt me for the logon credentials in our Windows 2016 jump box, but it works just fine in our older 2008 jump boxes. PowerCLI is the latest version on both, as is our VCSA 6.5 with external PSC. Both the VCSA and PSC are joined to the domain.

I have boiled this down to an encryption problem. Due to DOD STIG (security) requirements, the registry key HKLM/software/microsoft/windows/currentversion/policies/system/kerberos/parameters/SupportedEncryptionTypes is different in Windows 2016. In 2016 it is 7ffffff8, in 2008 it is 7ffffffc. Changing this value fixes the problem. This bit change controls RC4-HMAC. In other words, we have to enable RC4-HMAC to allow PowerCLI to properly pass thru the credentials. This is not acceptable on soooo many levels.

How do we get PowerCLI to properly passthru credentials without enabling RC4-HMAC?

Old enough to know better, young enough to try anyway
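Added example, not part of the original post: a small PowerShell decoder for the SupportedEncryptionTypes bitmask, so the 7ffffff8 / 7ffffffc difference the post describes shows up as named cipher suites rather than two hex strings. The bit assignments are the ones Microsoft documents for the "Network security: Configure encryption types allowed for Kerberos" policy (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10, "future types" 0x7FFFFFE0). The two input values are taken from the post; the registry path is the policy key the post names, and the function and variable names are my own.

```powershell
# Added example: decode a Kerberos SupportedEncryptionTypes bitmask.
# Bit layout per the Microsoft Kerberos encryption-types policy documentation.
$EncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}
# "Future encryption types"; set in both values quoted in the post.
$FutureTypes = 0x7FFFFFE0

function ConvertFrom-KerbEncTypes {
    param([Parameter(Mandatory)][uint32]$Value)
    $names = @(foreach ($k in $EncTypeBits.Keys) {
        if ($Value -band $EncTypeBits[$k]) { $k }
    })
    if ($Value -band $FutureTypes) { $names += 'FutureTypes' }
    [pscustomobject]@{
        Hex        = ('0x{0:X8}' -f $Value)
        Enabled    = ($names -join ', ')
        # RC4 bit (0x4) set -> RC4-HMAC negotiable.
        RC4Allowed = [bool]($Value -band 0x4)
        # No DES/RC4 bits, at least one AES bit -> AES-only policy.
        AESOnly    = ((($Value -band 0x7) -eq 0) -and (($Value -band 0x18) -ne 0))
    }
}

# The two values quoted in the post (constructed input, not read from a live host).
# Expected: 0x7FFFFFF8 -> RC4Allowed False, AESOnly True
#           0x7FFFFFFC -> RC4Allowed True,  AESOnly False
0x7FFFFFF8, 0x7FFFFFFC | ForEach-Object { ConvertFrom-KerbEncTypes $_ } | Format-Table -AutoSize

# Read the live policy value on this host. The value is absent when no policy
# (GPO or STIG script) has written it, in which case the OS built-in default
# applies, which on Server 2008 R2 and later still includes RC4-HMAC.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$live = Get-ItemProperty -Path $PolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($null -ne $live) {
    ConvertFrom-KerbEncTypes ([uint32]$live.SupportedEncryptionTypes)
} else {
    'No SupportedEncryptionTypes policy value present; OS default applies.'
}
```

The decoder makes the point of the thread concrete: the only bit that differs between the two values is 0x4, RC4-HMAC. Note that the client-side policy only controls what the jump box is willing to negotiate; whether a service ticket for the vCenter SPN can be issued with AES depends on what the vCenter computer object in AD advertises, which the later replies address.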
9 Replies
LucD
Leadership

In the about_server_authentication help page, the authentication process is described.

The order:

  • User-Password/Credential
  • A single CredentialStoreItem
  • SSPI

It's the last one (SSPI) that requires RC4-HMAC (see RFC 4757).

And that is a Microsoft thing afaik, not something specific to PowerCLI.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

GalNeb
Enthusiast

Yes, the SSPI is failing because RC4-HMAC is turned off by the registry key. So the question is how to make this work without using a protocol that is deemed insecure by about everyone in the world.
Old enough to know better, young enough to try anyway
LucD
Leadership

As I see it, this is more of a feature request than an issue.

In a Windows environment the Connect-VIServer cmdlet has been using the SSPI mechanism provided by the OS.

Since it is deemed insecure, that SSPI mechanism is disabled by many.

So it will not work anymore.

And there is no solution to still provide SSPI and avoid the insecure mechanism afaik.

The same is true when you run that same Connect-VIServer on other platforms than Windows.

I would suggest to launch a new idea for this request on the PowerCLI Ideas site.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

GalNeb
Enthusiast

I did as you suggested and created a request on the PowerCLI site in early October. It is now the end of December and there has been no response from anyone on the PowerCLI team. I don't know if they are paying any attention to that suggestion site or not.

Old enough to know better, young enough to try anyway
LucD
Leadership

There are quite a number of ideas on that site, and not all of them have the same number of people backing them (votes).
And most probably some of these ideas require serious resources to implement.

The PowerCLI Team does implement some of these over time, but it depends on several factors.

You could try to contact the PowerCLI PM directly and plead your case.
Are you on VMware{code} Slack in the PowerCLI channel?

The PM is on there as well.
Otherwise reach out via your TAM.

I'm not working for VMware, so I can't use any of their internal channels I'm afraid.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ChuckVA
Contributor

Me Too

RC4-HMAC disabled.

Windows 2012

SSPI Kerberos Error Code : 0x80090342

Better yet (worse),  I am not able to authenticate with Smart Card (CAC)

User name and password required.

Sanjuro
Contributor

GalNeb,

Same environment and same issue. The fix was a combination of things:

The AD accounts for both your 2016 jumpboxes, your vCenter and PSC must be set to allow for Kerberos authentication encryption in AD. This is also required for your service/user accounts. The user accounts are easy to do. All you have to do for them is open up the account properties and click on the Account tab. In the Account options scroll down and click the boxes for "This account supports Kerberos AES 128 bit encryption." and "This account supports Kerberos AES 256 bit encryption." That's it for the users. The AD accounts need to be done with PowerShell. Below are the check script and the fix script:

Check:

Get-ADComputer -Filter * -SearchBase "OU=<your OU>,DC=<your domain path>" -Properties msDS-SupportedEncryptionTypes,KerberosEncryptionType | Select-Object Name,msDS-SupportedEncryptionTypes,KerberosEncryptionType | Sort-Object msDS-SupportedEncryptionTypes | Format-Table

The output will list the computer objects in your OU and their Kerberos Encryption type. When you create a computer account manually this creates a blank value in this field so you have to run the bottom command to set them to AES 128 and AES 256

Set-ADComputer -Identity "YourComputerName" -Replace @{"msDS-SupportedEncryptionTypes"="24"}

I'm sure LucD could come up with a script for multiple systems. If you set the above value to "28" then that will forcefully include AES128, AES 256 and RC4. "24" is just the AES 128 and 256.

You need to make sure you make this change to the jumpbox and the vCenter and PSC appliance AD computer accounts.

Hope this helps. It was the fix for our stuff.

Sanjuro
Contributor

I made a mistake in the check script in the select fields area. It should read:

Select-Object Name, msDS-SupportedEncryptionTypes, KerberosEncryptionType

mercerc1
Contributor

Thank you! I was dealing with this same thing after STIG settings (security hardening) were applied to my workstation. By the way, in my testing this only needs to be set on the vCenter computer object in AD (not the users). It can be done with PowerShell like you describe:

Set-ADComputer -Identity <vCenter_Svr> -Replace @{"msDS-SupportedEncryptionTypes"="24"}

However, it can also be done using Active Directory Users & Computers (ADUC) using the Attribute Editor tab of the computer object properties (ADUC must have 'Advanced Features' selected in the View menu).

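Added example, not code from any of the posters: the "script for multiple systems" that Sanjuro's reply asks for, covering both the check script and the fix that Sanjuro and mercerc1 describe. It audits every computer object under a search base for the Kerberos encryption types it advertises (msDS-SupportedEncryptionTypes), flags objects that are unset or carry no AES bit, and applies the same `-Replace @{"msDS-SupportedEncryptionTypes"=24}` the thread uses, under -WhatIf by default. Requires the RSAT ActiveDirectory module; `$SearchBase` and the function names are placeholders of my own.

```powershell
# Added example: audit and fix msDS-SupportedEncryptionTypes on computer objects.
# Same bit layout as the client policy: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256; 24 = AES only.
Import-Module ActiveDirectory

$SearchBase = 'OU=Infrastructure,DC=example,DC=com'   # placeholder; point at your OU

function Get-KerbEncTypeReport {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties msDS-SupportedEncryptionTypes, KerberosEncryptionType |
    ForEach-Object {
        $c     = $_
        $raw   = $c.'msDS-SupportedEncryptionTypes'
        $types = @($c.KerberosEncryptionType | ForEach-Object { "$_" })
        [pscustomobject]@{
            Name     = $c.Name
            Raw      = $raw
            Types    = ($types -join ',')
            HasRC4   = [bool]($raw -band 0x4)
            # Unset (manually created object, or an appliance that never wrote it)
            # or no AES bit: the KDC has historically treated an absent value as
            # RC4-only for that account's service tickets, which is exactly the
            # path the STIG client policy blocks.
            NeedsFix = (($null -eq $raw) -or (($raw -band 0x18) -eq 0))
        }
    }
}

function Set-KerbAesOnly {
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name,
        [switch]$WhatIf
    )
    process {
        # 24 = AES128 + AES256, the value used in the thread; 28 would re-admit RC4.
        Set-ADComputer -Identity $Name -Replace @{'msDS-SupportedEncryptionTypes' = 24} -WhatIf:$WhatIf
    }
}

$report = Get-KerbEncTypeReport -SearchBase $SearchBase
$report | Sort-Object Raw | Format-Table -AutoSize

# Dry run first; remove -WhatIf to apply the change to the flagged objects.
$report | Where-Object NeedsFix | Set-KerbAesOnly -WhatIf
```

Two caveats a practitioner will want before applying this. First, advertising AES only helps if the account actually has AES keys, which are derived when its password is set; a computer object whose password predates the domain's 2008 functional level needs a password reset before AES tickets can be issued. Second, the jump box may still hold a cached RC4 ticket for the vCenter SPN, so run `klist purge` (or log off and on) before re-testing Connect-VIServer.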