VMware Cloud Community
Flapoly
Contributor

Connect-VIServer and Single Sign-on

Hi all,

As part of the Update 2 release notes there is this section:

Windows Single Sign-on Support

You can now automatically authenticate to VirtualCenter using your current Windows domain login credentials on the local workstation, as long as the credentials are valid on the VirtualCenter server. This capability also supports logging in to Windows using Certificates and Smartcards. It can be used with the VI Client or the VI Remote CLI to ensure that scripts written using the VI Toolkits can take advantage of the Windows credentials of your current session to automatically connect to VirtualCenter.

So I expected to be able to use VIPowerShell (now named VIToolkit) without providing credentials during Connect-VIServer... But this does not work (I use the upd2 VC & upd2 VIPSToolkit).

Has anyone been able to use Connect-VIServer with real single sign-on?

0 Kudos
24 Replies
LucD
Leadership

No, it doesn't seem to work for me either.

The cmdlet details state "One of the User/Password and Credential parameters must be provided...".

Btw, did you notice in example 2 of the Connect-VIServer cmdlet that a cmdlet called New-VICredentialStoreItem is mentioned?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Flapoly
Contributor

Cannot get this New-VICredentialStoreItem working: "Cmdlet not recognized".

Have you been able to get the single sign-on working at least with the VI-client FAT? I haven't.

0 Kudos
LucD
Leadership

I haven't installed Update 2 yet; with Update 1 the VI Client single sign-on worked.

But you had to add "-passthroughAuth -s <VC-server>" in the shortcut.



0 Kudos
Flapoly
Contributor

Was not aware of this parameter. Can confirm it also works well with Upd2 :-)

Now we have to try to get something similar with VIPSToolkit...

0 Kudos
halr9000
Commander

Can not get this New-VICredentialStoreItem working "Cmdlet not recognized"

To my knowledge, this cmdlet did not make the cut.

Author of the upcoming book: Managing VMware Infrastructure with PowerShell

Co-Host, PowerScripting Podcast (http://powerscripting.net)

My signature used to be pretty, but then the forum software broked it. vExpert. Microsoft MVP (Windows PowerShell). Author, Podcaster, Speaker. I'm @halr9000
0 Kudos
LucD
Leadership

If you open the DLLs with Reflector you see it though ;-)



0 Kudos
halr9000
Commander

Use it at your own risk. :-)

http://en.wikiquote.org/wiki/Dante%27s_Inferno

  • Lasciate Ogni Speranza Voi Ch'Entrate

o Translation: Abandon all hope, ye who enter here.

o Notes: Inscription on the gates to the Hell.

0 Kudos
admin
Immortal

Hi all,

In order for the Single Sign-On feature to work, there are 2 things you need to ensure:

1. The user that you will use to log in to VC needs to be a valid user for the machine. For instance, you can do that by adding him to the Administrators group on the machine where VC runs.

2. The Administrators group in turn needs to be a valid group for VC login. By default the Administrators group is a valid group, but if you have added the user to a different group you should give that group permissions in VC using the VI Client.

Hope that helps.

Regards,

Georgi Rusev

0 Kudos
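
The two prerequisites listed in the post above can be checked from the client side before a script relies on pass-through login. This is an added example, not part of the original thread; it assumes a PowerCLI release that provides Get-VIPermission, and vc01.example.local is a placeholder server name.

```powershell
# Added example (not from the thread). Assumes a PowerCLI release that ships
# Get-VIPermission; 'vc01.example.local' is a placeholder server name.
param([string]$Server = 'vc01.example.local')

# Prerequisite 1: which Windows identity, and which groups, will be presented to VC?
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { }   # skip SIDs that cannot be resolved to a name
}
Write-Host "Session identity: $($identity.Name) via $($identity.AuthenticationType)"

# Connect with no -User/-Password/-Credential so the current session is used.
try {
    $vi = Connect-VIServer -Server $Server -ErrorAction Stop
}
catch {
    Write-Error "Pass-through login to $Server failed: $($_.Exception.Message)"
    exit 1
}

try {
    # Prerequisite 2: VC permission entries held by the user or one of its groups.
    $principals = @($identity.Name) + @($groups)
    $granted = Get-VIPermission -Server $vi |
        Where-Object { $principals -contains $_.Principal }
    if ($granted) {
        $granted | Select-Object Principal, IsGroup, Role, Entity | Format-Table -AutoSize
    }
    else {
        Write-Warning "Connected, but no permission entry matches $($identity.Name) or its groups."
    }
}
finally {
    Disconnect-VIServer -Server $vi -Confirm:$false
}
```

Principals are compared as strings, so a permission entry written differently from the Windows account name will not match. In a scheduled task, start PowerShell with -NonInteractive so that a credential prompt becomes an error instead of a hang.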
LucD
Leadership

Georgi, that is probably correct but most of us log on from a machine that is part of an Active Directory domain.

So the log on user is part of an AD group and that group has been given permissions on the VC.

In fact, in the beta it worked but in v1 it doesn't work anymore; same user, same client-PC.



0 Kudos
admin
Immortal

Is that only against VC 2.5 Update 2 or are you trying it against a server that used to work?

0 Kudos
LucD
Leadership

Same VC, v2.5 update 1, only difference is the VI Toolkit.

With the last beta build (81531) it used to work.



0 Kudos
RobMokkink
Expert

I use scheduled tasks with a service account on the VC server and single sign-on works perfectly. The service account has specific rights within VC to be able to do certain tasks.

The default administrators group is removed in our VC build.

0 Kudos
LucD
Leadership

Update: after a stop/start of the shell it works!



0 Kudos
RobMokkink
Expert

It's Windows: always reboot after an application installation :-D

0 Kudos
Flapoly
Contributor

Sorry, I'm a little bit lost :-(...

Does this mean you have been able to make a single sign-on to VC with a PowerShell script?

0 Kudos
LucD
Leadership

Yes, in the end it worked for me.



0 Kudos
Flapoly
Contributor

Good news :-)

Can you summarize the steps you have performed to make it work?

Also, can you provide the PS lines you have used?

Thanks a lot

0 Kudos
LucD
Leadership

I stopped/started the PowerShell GUI I use on my workstation.

From there on it worked. See screenshot.

The only issue (which was already reported) is that the $DefaultVIServer variable is not reset after a Disconnect-VIServer.



0 Kudos
Flapoly
Contributor

Still prompts me for the user/password :-(

0 Kudos