Solved: Passing current credentials (SSPI)

goliska · ‎10-06-2016

I wonder how PowerCLI does to pass my current AD-credentials when connecting to vcenter or invoking scripts in VM's?

Im creating a custom module, wrapping some of those commands,

Its not CredSSP, we've only allowed one other server to recieve SSP, and i guess communicating with a VM doesnt actually involve sending a PScredential-object over the network, so Set-CredSSP shouldn't be needed

LucD · ‎10-08-2016

I assume the GuestAuthManager methods might be involved for authenticating in the guest OS.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

View solution in original post

LucD · ‎10-06-2016

Not exactly sure what the question is.
Several cmdlets do actually use a PSCredential object to pass this information (Connect-VIServer, Invoke-VMScript...)

When you are "talking" with the guest OS on a VM, the Invoke-VMScript cmdlet uses the VMware Tools to communicate with the guest OS.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

goliska · ‎10-07-2016

Yes they do, I just wonder how it gets my credential without me getting a Credential-prompt.

If i want to create a wrapping function like so;

function Install-SomeAgentsonVM {

param ( [pscredential]$credentials )

copy-vmguestfile -source $src -destination $dst -LocaltoGuest -VM $vm -Credential $credentials

invoke-vmscript -vm $vm -scripttext "$dst\setup.exe /q" -credential $credentials

...

}

it would be neat if the parent function "Install-SomeAgentsonVM" behaved the same way, that is, if no credential-parameter is set, fetch the current user's credential-object

Thanks, Joel.

LucD · ‎10-07-2016

Ok, I see what you mean.

Afaik there is no documented method to retrieve the current user as a PSCredential object.
That apparently is done for security measure.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

goliska · ‎10-07-2016

So, the way its done in PowerCLI-functions is by managed code like C# then i suppose?

LucD · ‎10-08-2016

I assume the GuestAuthManager methods might be involved for authenticating in the guest OS.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

goliska · ‎10-11-2016

Actually, it was dead-simple,

The parameter GuestCredential is allowed to be empty when passing it to Invoke-VMScript, I was wrongly assuming it had to have a value..

function Test-VMCredentials{

[CmdletBinding()]

param(

[Parameter(Mandatory=$true,ValueFromPipeline=$true,Position=0)]

[VMware.VimAutomation.ViCore.Types.V1.Inventory.VirtualMachine]

$VM,

[Parameter(Mandatory=$false,Position=1)]

[PSCredential]

$Credentials

)

$output = Invoke-VMScript -ScriptText "dir c:\" -VM $VM -GuestCredential $Credentials -ScriptType Bat

}

If a credential is supplied (for workgroup-connected servers etc.) that would be used. if its not supplied (to the Test-VMScript-function), I won't get an error from Invoke-VMScript but the cmdlet will instead switch to SSPI since $Credentials is empty.

LucD · ‎10-11-2016

Didn't realise that either, thanks for sharing that.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

All

Passing current credentials (SSPI)