VMware Cloud Community
Redhatcc
Enthusiast

Connect-VIServer - Without Using Plaintext Password

I currently have a script that connects to our vCenter servers, does a few things, then it's done. My problem is my script (at its current premature stage) uses a clear text password in the PowerShell script. Below is the command I use to connect to our vCenter servers (password/account made up):

Connect-VIServer -Server vCenterServer -User vsphere.local\administrator -Password 'password'

Does anyone know of any way to conceal the password in case someone else opens the PowerShell script? Any suggestions are greatly welcomed!

1 Solution

Accepted Solutions
Redhatcc
Enthusiast

For post sake, we are using a local password to the vCenters, and let's just call the local account 'root'.

First, I put together this into a script, saved it, and ran it as a Scheduled Task on the server, using the SYSTEM account and with highest privileges:

Get-Module -ListAvailable *vmware* | Import-Module

$rootPass = New-VICredentialStoreItem -Host vCenterA -User root -Password 'password'

After I ran the above command using Scheduled Task under SYSTEM, I could then use the following script to connect to the vCenter, using SYSTEM and Scheduled Task:

Get-Module -ListAvailable *vmware* | Import-Module

$rootPassword = Get-VICredentialStoreItem -Host vCenterA -User root

Connect-VIServer -Server 'vCenterA' -User 'root' -Password $rootPassword.Password

At this point, the script can run as a Scheduled Task as SYSTEM and does not have passwords stored in any files. Thanks to everyone who helped out :smileygrin: !


8 Replies
LucD
Leadership

You have multiple options to provide credentials in a somewhat secure way to your script.

There is the builtin Credential Store, for which you can create entries with New-VICredentialStoreItem.

But there are many other ways of providing credentials; for example, have a look at Adam's article How To Save and Read Sensitive Data with PowerShell.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Redhatcc
Enthusiast

So I tried the following to store the credentials as a secret key, and it works like a charm when I run PowerShell as administrator under my own account. However when I run it as Scheduled Task or if I simply right click and run in PowerShell, it fails. Here is the basic code:

I ran this once to create the XML file with the encrypted password string, and this is not part of the main script.

Get-Credential | Export-Clixml -Path 'C:\Reports\encrypted.xml'

After the password has been stored as an encrypted string, the following extracts that password and uses it to login:

# Read the PSCredential back from the file written by Export-Clixml
$encryptedPassword = Import-Clixml -Path 'C:\Reports\encrypted.xml'

# Extract the plaintext password from the SecureString
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password

# Connect with the extracted password (the original post passed an undefined $encryptedString here)
Connect-VIServer -Server 'vCenterA' -User 'admin' -Password $decryptedPassword

Some more information:

When I run it by just clicking on the script, the following error appears inside the window "along" with a prompt for a username and password box:

Method invocation failed because [Deserialized.System.Management.Automation.PSCredential] does not contain a method named 'GetNetworkCredential'

When I run it as a scheduled task, it hangs and never finishes, and I think it is getting hung at the same place as above.

When I run PowerShell ISE as Administrator with my account, the script runs as intended with no issues.

LucD
Leadership

The key used to encrypt the passwords is linked to the account under which the encryption is done.

The encrypted password can only be decrypted under that same account.

When you run the scheduled tasks under account A, you will also have to create the Credential Store entries under account A.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

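As an added example (not code from the thread), here is the Export-Clixml approach from the earlier post reworked around LucD's point: the file is created and read under the same account, the credential is rebuilt without calling GetNetworkCredential on the imported object, and a decrypt failure is reported instead of leaving the task hanging. It uses the thread's placeholder path and server name and assumes PowerCLI is installed.

```powershell
# Added example, not code from the thread. Assumes PowerCLI is installed and
# uses the thread's placeholder path and server name.
$credFile = 'C:\Reports\encrypted.xml'

# One-time setup: run this once under the SAME account the scheduled task uses.
# Export-Clixml protects the password with DPAPI for the current user, so a
# file written by another account cannot be read by the task account.
function Save-TaskCredential {
    param([string]$Path)
    Get-Credential -Message 'vCenter service account' | Export-Clixml -Path $Path
    # Also restrict the file's ACL to the task account and administrators: the
    # DPAPI binding protects the secret, the ACL protects the file itself.
}

# Task-time: read the file back and rebuild a usable PSCredential.
function Import-TaskCredential {
    param([string]$Path)
    try {
        $stored = Import-Clixml -Path $Path
    } catch {
        # DPAPI rejects a blob created by a different account or machine; this
        # is the situation the thread describes when the task ran as SYSTEM.
        $msg = "Cannot decrypt '$Path' as $env:USERDOMAIN\$env:USERNAME; re-run " +
               "Save-TaskCredential under the task account. ($($_.Exception.Message))"
        throw $msg
    }
    if (-not ($stored.Password -is [System.Security.SecureString])) {
        throw "Unexpected content in '$Path': Password is not a SecureString"
    }
    # Constructing a fresh PSCredential works even when Import-Clixml hands back
    # a deserialized object that lacks the GetNetworkCredential() method.
    return New-Object System.Management.Automation.PSCredential($stored.UserName, $stored.Password)
}

$cred = Import-TaskCredential -Path $credFile
Get-Module -ListAvailable *vmware* | Import-Module
# Hand the credential object to PowerCLI instead of a decrypted string, so the
# plaintext password never sits in a script variable.
Connect-VIServer -Server 'vCenterA' -Credential $cred -ErrorAction Stop
```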
Redhatcc
Enthusiast

So in theory, I could create a script that would create the files, then run it as SYSTEM as a Scheduled Task, and that should enable the SYSTEM account to use those files?

LucD
Leadership

In theory yes, but you would have to provide the passwords in clear text at least once.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

a_p_
Leadership

Instead of using a script which - as LucD already mentioned - would require entering a clear text password, it should work to run an interactive PowerShell session in the System account using e.g. psexec (psexec -s -i powershell.exe), in which you then run the command Get-Credential | Export-Clixml -Path 'C:\Reports\encrypted.xml'.

André

LucD
Leadership

Note that Export-CliXml to a file is not the same as using the CredentialStore.

If you want to use the CredentialStore you could do

$cred = Get-Credential; New-VICredentialStoreItem -Host hostname.domain -User $cred.UserName -Password $cred.GetNetworkCredential().password


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

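As an added example (not code from the thread), this puts LucD's Get-Credential plus New-VICredentialStoreItem one-liner together with André's interactive-session suggestion, so the credential store is populated under the task account without a clear text password ever being written into a script, and gives the scheduled-task side a lookup that fails loudly instead of hanging. The server name is the thread's placeholder; the explicit store file path is an assumption.

```powershell
# Added example, not code from the thread. Uses the thread's placeholder
# server 'vCenterA'; the explicit store file path is an assumption.
$storeFile = 'C:\ProgramData\VMware\credstore\vicredentials.xml'

# One-time setup. Run it in an interactive session of the account that will run
# the scheduled task (e.g. psexec -s -i powershell.exe for SYSTEM, as Andre
# suggests). Get-Credential prompts, so no password is written into any script.
function Register-VCenterCredential {
    param([string]$VIServer, [string]$File)
    Get-Module -ListAvailable *vmware* | Import-Module
    $cred = Get-Credential -Message "Account for $VIServer"
    # New-VICredentialStoreItem takes the password as plain text, so the clear
    # value exists only inside this process for the duration of the call.
    New-VICredentialStoreItem -Host $VIServer -User $cred.UserName `
        -Password $cred.GetNetworkCredential().Password -File $File | Out-Null
    Write-Host "Stored $($cred.UserName)@$VIServer in $File (encrypted for $env:USERNAME)"
}

# Task-time script: look the entry up and connect, failing loudly if the store
# was populated under a different account or written to another file.
function Connect-VCenterFromStore {
    param([string]$VIServer, [string]$User, [string]$File)
    Get-Module -ListAvailable *vmware* | Import-Module
    $item = Get-VICredentialStoreItem -Host $VIServer -User $User -File $File -ErrorAction Stop
    if (-not $item -or -not $item.Password) {
        throw "No usable credential store entry for $User@$VIServer in $File (run Register-VCenterCredential as this account)"
    }
    $secure = ConvertTo-SecureString -String $item.Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($User, $secure)
    # Pass a credential object rather than the plain password string.
    Connect-VIServer -Server $VIServer -Credential $cred -ErrorAction Stop
}

# Setup, once, in the interactive session of the task account:
#   Register-VCenterCredential -VIServer 'vCenterA' -File $storeFile
# From the scheduled task:
#   Connect-VCenterFromStore -VIServer 'vCenterA' -User 'root' -File $storeFile
```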