VMware Cloud Community
StefanSpecht
Contributor

Using Credentials within PowerShell-Plugin script

Hi all,

I'm just trying to get my first workflow to run, but I'm already stuck.

I would like to call a PowerShell script that uses the NetApp cmdlet "Connect-NAServer", which needs a PSCredential as input.

I'm using the following code to generate the PS script:

// The PowerShell script is assembled as text in the workflow's JavaScript and
// sent to the PowerShell host as-is. The password therefore ends up as a
// single-quoted literal inside the script (a quote character in the password
// would break the generated script).
script = " \n"
  + "Import-Module 'DataOntap' \n"
  + "$NAUser = '" + NAUser + "' \n"
  + "$NAPass = '" + NAPassword + "' | ConvertTo-SecureString -AsPlainText -Force \n"
  + "$NAControllers = @(" + NAControllers + ") \n"
  + "$NAcred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $NAuser,$NApass \n"
  + "ForEach ($NAController in $NAControllers) { \n "
  + "Connect-NaController $NAController -HTTP -Credential $NAcred \n"
  + "} \n";

After that I call the script as follows:

var session;
try {
    session = PSHost.openSession();
    output = System.getModule("com.vmware.library.powershell").invokeScript(PSHost, script, session.getSessionId());
} finally {
    // Always release the remote session, even if invokeScript throws.
    if (session) {
        PSHost.closeSession(session.getSessionId());
    }
}

NAPassword is an attribute of the workflow, linked to a configuration element (of type SecureString).

This always results in this error: "System.Security.Cryptography.CryptographicException: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation."

I already tried to enable delegation in AD for the PowerShell host ("Trust this computer for delegation to any service (Kerberos only)"), but still no luck.

Any ideas, what is happening here?

Regards, Stefan

P.S.: The connection to the PowerShell host is configured to use Kerberos authentication - shared authentication.

7 Replies
Installpac
Contributor

A bunch of people are having similar issues which are UAC-related. Check my answer in this post to determine if your access levels are UAC-bound.

https://communities.vmware.com/message/2316356#2316356

StefanSpecht
Contributor

Thanks for your answer!

UAC is disabled on all our systems. So I don't think it can be related to it.

Stefan

Manupa
Enthusiast

Hi,

I often run PowerShell scripts from my workflows and it's a mess. The PowerShell plugin never works as you want.

What are you planning to do? Call a PowerShell script directly and pass some parameters to it?

From my point of view it is not a vCO-related issue; you should post this to a PowerShell forum.

Are you allowed to start the script remotely from any other Windows client?

What I do is call a cmd and pass parameters to it first, and then call the PowerShell script locally from the cmd.

This works fine for me and I never had problems after doing this.

The benefit is quite simple: if you run a process on the guest OS via the vCenter API, you don't need a trusted user that is going to be authenticated. You just need local permissions to start the process.

Manuel

igaydajiev
VMware Employee

As Manupa mentioned, most likely it is not vCO-related but is caused by the fact that PowerShell remoting is used.

Using PowerShell remotely has some restrictions, especially when dealing with credentials. A common one is the so-called "double hop" or "multi hop" issue.

You can also check this post that was recently resolved; it may provide you with some hints:

https://communities.vmware.com/message/2315592

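The following diagnostic is added here as an example for the "double hop" situation described above; it is not from the thread or from VMware. The error text in the original question is the one DPAPI raises when the remote session runs as a network logon without access to the user's master key, so the probe calls user-scope and machine-scope DPAPI directly and reports the identity's authentication type and impersonation level. The probe data is constructed; run it once locally on the PowerShell host and once through the plug-in (or Invoke-Command) and compare. It assumes PowerShell 3.0 or later for `[ordered]`.

```powershell
# Added diagnostic (not from the original thread). Loads System.Security for
# ProtectedData, which Windows PowerShell does not load by default.
Add-Type -AssemblyName System.Security

function Test-RemoteDpapi {
    [CmdletBinding()]
    param()

    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $result = [ordered]@{
        User               = $id.Name
        AuthenticationType = $id.AuthenticationType   # e.g. 'Kerberos', 'NTLM', 'CredSSP'
        ImpersonationLevel = $id.ImpersonationLevel   # 'Impersonation' vs 'Delegation'
        DpapiUserScope     = $false
        DpapiMachineScope  = $false
        Error              = $null
    }

    $probe = [System.Text.Encoding]::UTF8.GetBytes('dpapi-probe')   # constructed test data

    # User-scope DPAPI needs the logon user's master key. This is the call that
    # Import-CliXml of a PSCredential and ConvertFrom-SecureString (without -Key)
    # make under the hood, and it is what fails in a plain Kerberos/NTLM remoting
    # session with the "trusted for delegation" CryptographicException.
    try {
        $null = [System.Security.Cryptography.ProtectedData]::Protect(
            $probe, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        $result.DpapiUserScope = $true
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    }

    # Machine-scope DPAPI uses the host's own key, so it works in a network logon.
    # The trade-off: the blob is only decryptable on this host, and by any
    # principal that can run code on it.
    try {
        $null = [System.Security.Cryptography.ProtectedData]::Protect(
            $probe, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
        $result.DpapiMachineScope = $true
    } catch {
        if (-not $result.Error) { $result.Error = $_.Exception.GetBaseException().Message }
    }

    [pscustomobject]$result
}

# Locally on the PowerShell host both probes should be $true; through the
# plug-in or Invoke-Command without delegation, DpapiUserScope is typically $false.
Test-RemoteDpapi | Format-List
```

If DpapiUserScope is $false in the plug-in session while the local run succeeds, the failure is the remoting logon type and not the NetApp cmdlets or the workflow code, and the options are either delegation (CredSSP, later in this thread) or storing the credential in a form that does not depend on the user's DPAPI key (the -Key and machine-key approaches below).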
QLD
Enthusiast

The issue I had was with ConvertTo-SecureString using the PSH plugin. It worked with no issue double-hopping outside of vCO, but after a week of testing I gave up, having read in a few places that it isn't supported.

I now use this which works perfectly:

Storing Passwords to Disk in PowerShell with Machine-key Encryption | Tome's Land of IT

d-fens
Enthusiast

Similar to what QLD referred to, but a bit more streamlined and usable: http://d-fens.ch/2013/10/24/vco-powershell-plugin-import-clixml-fails-with-system-security-cryptogra... The advantage is that you use the same semantics as with 'Import-CliXml' and 'Export-CliXml' and still end up with a PSCredential object.

function Import-Credential {
  [CmdletBinding(
    SupportsShouldProcess = $true,
    ConfirmImpact = "Low",
    HelpURI = 'http://dfch.biz/PS/System/Utilities/Export-Credential/'
  )]
  Param(
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
    [string] $Path
    ,
    # Optional pass phrase. When given, the Password field in the file is expected to
    # have been written by Export-Credential with the same phrase (AES via -Key) instead
    # of the default user-scope DPAPI, which is the part that fails under remoting.
    [Parameter(Mandatory = $false, Position = 1)]
    [string] $KeyPhrase = [NullString]::Value
  )

  [Boolean] $fReturn = $false;
  $OutputParameter = $null;
  try {

    # Parameter validation
    # N/A
    if($PSCmdlet.ShouldProcess($Path)) {
      $Credential = Import-CliXml $Path;
      if($KeyPhrase) {
        # The phrase, zero-padded/truncated to 32 characters, is used directly as the
        # 256-bit AES key (assumes ASCII: -Key needs exactly 16, 24 or 32 bytes).
        $KeyPhrase = $KeyPhrase.PadRight(32, '0').Substring(0, 32);
        $Enc = [System.Text.Encoding]::UTF8;
        $k = $Enc.GetBytes($KeyPhrase);

        # Decrypt the stored string back into a SecureString and rebuild the PSCredential.
        $Credential.Password = $Credential.Password | ConvertTo-SecureString -Key $k;
        $Credential = New-Object System.Management.Automation.PSCredential(
          $Credential.Username, $Credential.Password);
      } # if
      # Without a key phrase the file holds a PSCredential exported as-is by Export-CliXml,
      # so $Credential already is one (DPAPI-protected; this path needs the user's key).
      $fReturn = $true;
      $OutputParameter = $Credential;
    } # if

  } # try
  catch {
    # ...
  } # catch
  finally {
    # ...
  } # finally
  return $OutputParameter;

} # Import-Credential

and reverse:

function Export-Credential {
  [CmdletBinding(
    SupportsShouldProcess = $true,
    ConfirmImpact = "Low",
    HelpURI = 'http://dfch.biz/PS/System/Utilities/Export-Credential/'
  )]
  Param(
    [Parameter(Mandatory = $true, Position = 0)]
    [string] $Path
    ,
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
    [Alias('Credential')]
    [PSCredential] $InputObject
    ,
    [Parameter(Mandatory = $false, Position = 2)]
    [string] $KeyPhrase = [NullString]::Value
  )

  [Boolean] $fReturn = $false;
  $OutputParameter = $null;
  # Log-Debug in the original post comes from the author's own logging module;
  # Write-Debug with the function name as prefix keeps this function self-contained.
  $fn = $MyInvocation.MyCommand.Name;
  try {

    # Parameter validation
    # N/A
    if($KeyPhrase) {
      Write-Debug ("{0}: Creating KeyPattern from Keyphrase ..." -f $fn);
      # Same derivation as in Import-Credential: padded phrase used directly as AES key.
      $KeyPhrase = $KeyPhrase.PadRight(32, '0').Substring(0, 32);
      $Enc = [System.Text.Encoding]::UTF8;
      $k = $Enc.GetBytes($KeyPhrase);

      Write-Debug ("{0}: Encrypting password ..." -f $fn);
      # Copy to a plain object so the Password property can hold the encrypted string;
      # ConvertFrom-SecureString -Key does not touch DPAPI at all.
      $Cred = Select-Object -Property '*' -InputObject $InputObject;
      $Cred.Password = ConvertFrom-SecureString -SecureString $Cred.Password -Key $k;
    } else {
      # Export-CliXml protects a PSCredential's password with user-scope DPAPI.
      $Cred = $InputObject;
    } # if
    if($PSCmdlet.ShouldProcess( ("Cred.Username '{0}' to '{1}'" -f $Cred.Username, $Path) )) {
      Write-Debug ("{0}: Saving PSCredential ..." -f $fn);
      $OutputParameter = Export-CliXml -Path $Path -InputObject $Cred -WhatIf:$false -Confirm:$false;
      $fReturn = $true;
    } # if

  } # try
  catch {
    # ...
  } # catch
  finally {
    # ...
  } # finally
  return $OutputParameter;

} # Export-Credential

Ronald Rink d-fens GmbH
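The two replies above (QLD's machine-key encryption and the d-fens -Key functions) describe two ways of keeping a credential readable from a non-delegated remoting session. The block below is an added example written for this page; it is not code from either poster, their blogs, or VMware. It puts both approaches side by side with a random 256-bit key file instead of a zero-padded phrase and an ACL on that key file. The credential value and the C:\vco\ paths are constructed placeholders; it assumes PowerShell 3.0 or later and that icacls is available on the host.

```powershell
# Added example (not from the original thread). Run the Export-* steps once,
# interactively, on the PowerShell host; the Import-* steps are what the
# plug-in script calls before Connect-NaController.
Add-Type -AssemblyName System.Security

# --- Option A: machine-scope DPAPI (the direction QLD points to) -----------
# Export-CliXml / ConvertFrom-SecureString use *user*-scope DPAPI and need the
# user's master key. ProtectedData with LocalMachine scope uses the host's key:
# readable in a network logon, but only on this host and by anyone who can run
# code on it, so restrict the file's ACL as well.
function Export-MachineScopedCredential {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][pscredential]$Credential)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Credential.GetNetworkCredential().Password)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
                 $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    [pscustomobject]@{ UserName = $Credential.UserName
                       Password = [Convert]::ToBase64String($blob) } | Export-CliXml -Path $Path
}
function Import-MachineScopedCredential {
    param([Parameter(Mandatory)][string]$Path)
    $obj   = Import-CliXml -Path $Path
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
                 [Convert]::FromBase64String($obj.Password), $null,
                 [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    $secure = ConvertTo-SecureString ([System.Text.Encoding]::UTF8.GetString($bytes)) -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential($obj.UserName, $secure)
}

# --- Option B: AES key file (the -Key approach of the d-fens functions) -----
# A random key instead of a padded phrase, stored where only the service
# account that runs the plug-in scripts can read it. The key file *is* the
# secret: whoever can read it can decrypt the credential file anywhere.
function New-CredentialKeyFile {
    param([Parameter(Mandatory)][string]$KeyPath)
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [System.IO.File]::WriteAllBytes($KeyPath, $key)
    # Drop inherited ACEs and grant read access to the current account only.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    & icacls $KeyPath /inheritance:r /grant:r "${me}:(R)" | Out-Null
}
function Export-KeyedCredential {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$KeyPath,
          [Parameter(Mandatory)][pscredential]$Credential)
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    [pscustomobject]@{ UserName = $Credential.UserName
                       Password = ConvertFrom-SecureString -SecureString $Credential.Password -Key $key
                     } | Export-CliXml -Path $Path
}
function Import-KeyedCredential {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$KeyPath)
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    $obj = Import-CliXml -Path $Path
    New-Object System.Management.Automation.PSCredential(
        $obj.UserName, (ConvertTo-SecureString -String $obj.Password -Key $key))
}

# Usage with a constructed credential and placeholder paths.
$cred = New-Object System.Management.Automation.PSCredential(
    'netapp-admin', (ConvertTo-SecureString 'example-only' -AsPlainText -Force))
Export-MachineScopedCredential -Path 'C:\vco\na-machine.xml' -Credential $cred
New-CredentialKeyFile        -KeyPath 'C:\vco\na.key'
Export-KeyedCredential       -Path 'C:\vco\na-keyed.xml' -KeyPath 'C:\vco\na.key' -Credential $cred

# Both round-trips should yield the original password, also from a plug-in session.
(Import-MachineScopedCredential -Path 'C:\vco\na-machine.xml').GetNetworkCredential().Password -eq 'example-only'
(Import-KeyedCredential -Path 'C:\vco\na-keyed.xml' -KeyPath 'C:\vco\na.key').GetNetworkCredential().Password -eq 'example-only'
```

In the workflow, the generated script would then call one of the Import-* functions and pass the result to Connect-NaController -Credential, so the password never has to be embedded in the script text sent from vCO. Option A ties the file to one host; Option B is portable but moves the problem to protecting the key file, which is why the ACL step is not optional.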
Spas_Kaloferov
Enthusiast

Here is some more guidance that might help

Blog post "Using CredSSP with the vCO PowerShell Plugin"

Best Regards, Spas Kaloferov
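The reply above only names the blog post, so here is the CredSSP configuration it refers to as an added example (written for this page, not taken from the blog post or from VMware). CredSSP makes the remoting logon a real delegated logon, so user-scope DPAPI and a second hop to NetApp work, but it does so by handing the clear credential to the PowerShell host; a compromised host can then reuse it. Host names are placeholders.

```powershell
# Added example (not from the original thread). Run as administrator.

# On the PowerShell host, i.e. the WinRM server that vCO connects to:
Enable-WSManCredSSP -Role Server -Force

# On the side that opens the session. For the vCO plug-in that is the
# appliance, configured through the host's authentication setting in the
# plug-in; when reproducing the hop from a Windows admin box, use the client
# role and name the host explicitly. Avoid wildcards in -DelegateComputer:
# every host listed here receives the user's clear credential.
Enable-WSManCredSSP -Role Client -DelegateComputer 'pshost.example.com' -Force

# Show the resulting client/server CredSSP state.
Get-WSManCredSSP

# Verify from the admin box: in a CredSSP session the identity reports the
# CredSSP package and user-scope DPAPI (ConvertFrom-SecureString without
# -Key) succeeds instead of raising the "trusted for delegation" exception.
Invoke-Command -ComputerName 'pshost.example.com' -Authentication Credssp `
               -Credential (Get-Credential) -ScriptBlock {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().AuthenticationType
    ConvertFrom-SecureString (ConvertTo-SecureString 'probe' -AsPlainText -Force)
}

# To back out:
# Disable-WSManCredSSP -Role Client
# Disable-WSManCredSSP -Role Server
```

Treat CredSSP as a per-host exception for the service account the plug-in uses, not as a general setting; the machine-key and -Key approaches earlier in the thread avoid delegating the credential at all and are preferable where the PowerShell host only needs to reach NetApp.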