VMware Cloud Community
richardjamesloc
Contributor

vCO PowerShell plug-in access is denied

Hi,

Can anyone please help with an issue I'm having with vCO and the PowerShell plug-in?  I have successfully installed the PowerShell plug-in for vCO and added/verified a PS host using WinRM/HTTPS/Kerberos, configured with "Session per User".  (I have also tried "Shared Session".)

I can run basic PS scripts on this host from a vCO workflow, such as "Write-Output ...", "Get-ChildItem ...", etc and it outputs the results to the workflow log.  However, if I try to run anything more advanced such as PowerCLI or external commands such as "dnscmd" to create a Host A record, it gives error "Command failed:  ERROR_ACCESS_DENIED     5    0x5".  I have run "whoami" from within a script invoked by the vCO PS plugin and it shows the correct user which has permission to run the commands.

I've run the command locally on the PS host using the same user account and it completes successfully.

Thanks, Richard

Accepted Solutions
JackBS
Enthusiast

I was able to get this working this way.

We are using vCO appliance 5.1, so I have a Windows PowerShell host machine and the WinRM service was enabled. I did set up Kerberos authentication. I am trying to execute a PowerShell script which is executing dnscmd. This script was executing fine when we ran it manually, but from vCO it was failing with access denied.

I made some changes in my PowerShell script which helped me to get through this.

~ Enabled CredSSP in the PowerShell host WinRM service

~ Within my PowerShell script, created a new session to the same localhost

   $session = New-PSSession -Credential $credential -Authentication Credssp -ComputerName localhost

   Invoke-Command -Session $session -ScriptBlock {
       # Your dnscmd automation
   }

~ It's like vCO calling a PowerShell script on my PowerShell host, and within the script I am creating a session to the same machine and executing my dnscmd commands.

~ With this I didn't get any access denied exceptions. I was able to add/remove DNS records.

Probably there could be different ways to do this. But this helped me.

16 Replies
OscarDavey
Hot Shot

The user has no permission to run this PowerShell script. Make sure you add the right permission to the user and try again.

Let me know if you need more help.

Best regards

Your Oscar

abhilashhb
VMware Employee

Are you using this command?

C:\>dnscmd . /RecordDelete 1.1.10.in-addr.arpa. 5 PTR


Try this command


C:\>dnscmd 10.0.0.1 /RecordDelete 1.1.10.in-addr.arpa. 5 PTR


After dnscmd add the IP address of your host. It should work.


If you found my answer correct/helpful please mark the answer appropriately.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

richardjamesloc
Contributor

Hi Abhilash and Oscar,

I don't think it is the command or the permissions for the user as I have run the full command "dnscmd <dnsserver> /recordadd <zone> <hostname> A <ipaddress>" as the same user directly on the server from a PowerShell prompt.  It successfully creates the A record so the user has permissions to the DNS zone and to run the command.  The syntax of the command is also correct.  I suspect it could be related to the way the user credentials are passed via Kerberos through the PowerShell plugin as I had issues running "Connect-VIServer" using PowerCLI through the PS plugin.  It hangs when connecting.  The credentials are passed well enough to run local commands on the PowerShell host, but to run anything that requires elevated permissions seems to fail.

Any ideas?

Thanks, Richard

igaydajiev
VMware Employee

As far as I know there are some differences regarding permissions when executing commands from remote machine.

The PowerShell plugin uses WinRM to communicate with the PowerShell host, which means that it is making a remote connection to the PowerShell host.

You can try executing the same PowerShell script from a remote machine outside vCO (see Running Remote Commands).

You can also check the Microsoft thread "Windows Server 2008 R2 DNS Servers can only be managed by computers running Windows Server 2008 or l...", which describes a similar error when invoking dnscmd.

JackBS
Enthusiast

Not sure what you meant by permission issue. Do you mean Windows file permissions?

I have the same exact problem. The user who is executing the script is a domain admin user and he has all the permissions. Manually we can run the scripts using the same user.

I'd appreciate any input in case anyone has solved this problem.

mcfadyenj
Hot Shot

Note: if you are running this on Vista or later (or, based on the fact that you are referring to DNSCMD, 2008 or later), you will need to use elevation to execute the commands.

Windows UAC on Vista / 2008 or later OS will all run in low-privilege sessions even if the account you specify is an administrative account.

The login process has been changed significantly on these operating systems. I would highly recommend Mark Russinovich's guide to UAC to explain what is happening here.

But the short version is this.

When logging in as an admin account on a UAC-enabled system, you actually get two authentication tokens.

1) admin token

2) filtered token

The idea is to reduce rights for admin users so they don't accidentally run malicious content on a server. Therefore, any time you attempt to do anything, it is run in the filtered token context; this simply means an account which has less or equal privilege to a standard user.

You can easily flick between the tokens using "right click runas admin".

Now obviously this is not so easy on a programmatic call. There are a couple of ways to achieve this. The simplest of which is to download a 3rd-party tool called elevate.exe.

Then run

elevate.exe dnscmd <blah blah>

The other ways are somewhat more complicated, particularly in light of the fact WinRM is involved.

richardjamesloc
Contributor

Thanks mcfadyenj.  I have tried on the PS host server with UAC disabled, but it still fails.  I will try with this third party tool to see if it works.

Kind regards, Richard

igaydajiev
VMware Employee

It might be connected to multi-hop issues.

http://www.ravichaganti.com/blog/?p=1230

richardjamesloc
Contributor

Thanks igaydajiev.  That could well be the issue.  Unfortunately I don't think CredSSP can be enabled on the vCO appliance, unless there is another way to do this.

igaydajiev
VMware Employee

Unfortunately, the PowerShell plugin for vCO does not support CredSSP authentication.

One possible workaround that I found on the net was to start a new PowerShell process (using psexec) and perform the operations from there.

http://stackoverflow.com/questions/15242248/double-hop-access-to-copy-files-without-credssp

Also, I found a couple of references stating that Kerberos delegation could be used to resolve the double-hop issue, but I didn't have a chance to try it out.

richardjamesloc
Contributor

Thanks igaydajiev.

richardjamesloc
Contributor

Great, thanks Jack.  I will try this in my workflow - that sounds exactly like our issue.

Kind regards, Richard

pierrelxlab
VMware Employee

Hello JackBS,

How do you set the $credential variable from vCO?

SpasKaloferov
VMware Employee

Hi,

You can find more info and examples (the "Use ConvertTo-SecureString in the PowerShell code" chapter) here:

Using CredSSP with the vCO PowerShell Plugin

http://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/

Also other posts that might interest you:

How to add PowerShell hosts from multiple domains with Kerberos authentication to the same vRO

http://kaloferov.com/blog/how-to-add-powershell-hosts-from-multiple-domains-with-kerberos-authentica...

Adding vCO Powershell Host with account other than the default domain administrator account

http://kaloferov.com/blog/adding-vco-powershell-host-with-account-other-than-the-default-domain-admi...

BR,

Spas Kaloferov
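
Added example, not part of any post in this thread and not the posters' or VMware's code: the loopback CredSSP session from the accepted solution combined with the ConvertTo-SecureString step mentioned above for building $credential. The parameter names, the sample account name and the way vCO hands the values to the script are assumptions.

```powershell
# Added example: parameter names and sample values are hypothetical, and vCO
# is assumed to pass them to this script on the PowerShell host.
# Assumed one-time setup on that host (the thread only says CredSSP was enabled;
# the delegate name has to match the -ComputerName used below):
#   Enable-WSManCredSSP -Role Server -Force
#   Enable-WSManCredSSP -Role Client -DelegateComputer localhost -Force
param(
    [Parameter(Mandatory = $true)] [string] $UserName,       # e.g. 'EXAMPLE\svc-dns' (constructed)
    [Parameter(Mandatory = $true)] [string] $PlainPassword,  # supplied by the workflow, not hard-coded
    [Parameter(Mandatory = $true)] [string] $DnsServer,
    [Parameter(Mandatory = $true)] [string] $Zone,
    [Parameter(Mandatory = $true)] [string] $HostName,
    [Parameter(Mandatory = $true)] [string] $IpAddress
)
$ErrorActionPreference = 'Stop'

# Build $credential from the values the workflow passed in.
$secure     = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
Remove-Variable -Name PlainPassword   # drop the plaintext copy as early as possible

# Second hop: a CredSSP session to the same machine receives the credential
# itself, so commands inside it can authenticate onward to the DNS server
# (the multi-hop limitation suggested earlier in the thread).
$session = New-PSSession -ComputerName localhost -Credential $credential -Authentication Credssp
try {
    $result = Invoke-Command -Session $session `
        -ArgumentList $DnsServer, $Zone, $HostName, $IpAddress -ScriptBlock {
            param($server, $zone, $name, $ip)
            # Same syntax as the command quoted earlier in the thread.
            $text = & dnscmd $server /RecordAdd $zone $name A $ip 2>&1 | Out-String
            New-Object PSObject -Property @{ ExitCode = $LASTEXITCODE; Output = $text }
        }
    # Surface a failure to the workflow instead of reporting silent success.
    if ($result.ExitCode -ne 0) {
        throw "dnscmd exited with $($result.ExitCode): $($result.Output)"
    }
    Write-Output $result.Output
}
finally {
    Remove-PSSession -Session $session   # always close the delegated session
}
```

CredSSP hands the account's credential to the target host, so keep the delegation list limited to this one host and run the workflow with an account that holds only the DNS rights it needs.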

pierrelxlab
VMware Employee

Nice ;)

thank you!
