Highlighted
Contributor
Contributor

Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance

Hi

I've created a simple script that connect to each of our vCenter Servers and obtains total number of VMs and Hosts and e-mails it to me once a month.  Untill recently we had only vCenter 6 for Windows in our environment, however now we have introduced vCenter 6.5 Appliance in our environment.

There are few lines of code for each vCenter Server in the script, basically all it does is
1. Connects to vCenter Server

2. Obtains total number of VMs managed by the vCenter Server

3. Saves it as a variable

4. Obtains total number of hosts managed by the vCenter Server

5. Saves it as a variable

6. Disconnects from vCenter Server

Above process is repeated for each vCenter Server, at the end the script will e-mail results.  The script is working just fine if we are connecting to vCenter 6.0 for Windows, however when it attempts to connect vCenter 6.5 Appliance it prompts for credentials.  If I enter the same credentials I'm logged on with it executes code for that vCenter Server and goes to the next one.  If next one is vCenter 6.5 Appliance it prompts for credentials again.

vCenter 6 and vCenter 6.5 Appliance are configured the same, using the same default authentication domain which is an AD.

PS Version is 5.1 Build 14409 Revision 1012 and PowerCLI 6.5.4.7155375

Does anybody have any idea why this is happening with vCenter 6.5 Appliance?

0 Kudos
12 Replies
Highlighted
User Moderator
User Moderator

Could you have some CredentialStoreItem entries for the old vCenter and not for the new VCSA?

Check with Get-VICredentialStoreItem.

Another possibility is that you didn't add the authentication domain, for example AD, to your VCSA's SSO.

If you do the Connect-VIServer under an AD account, you need to have AD added as an authenticator domain, and you need to have added your current AD account added as a Pricipal (or a group to which this account belongs).


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Highlighted
Contributor
Contributor

Thank you for your prompt response

Thank you LukD for prompt response.

I've attached the script as is, as you can see it's pretty simple script and I'm not using any stored credentials.

Interestingly the script is running fine if I manually execute it in installable PowerCLI 6.5.1 build 5377412. I'm not prompted for any credentials, it's using credentials I used to logon to the Server to connect to each VC Server.  However, if I execute the same script on the same Server using PowerShell console then I get prompted for credentials but only when attempting to connect to VCSAs not Windows instances.  Once credentials are supplied it executed commands moves to the next VCSA and prompts for credentials again.

And just to confirm, Yes, both VCSAs and Windows instances are using the same AD domain for authentication and that same domain is default\primary authentication source across all SSOs.

Get-Module -Name VMware* –ListAvailable | Import-Module

# Get VM total for DatacentreA Resources VC6

Connect-VIServer -Server RESVC60DCA.domain.com.au

$TotalVMsDCAres6 = Get-VM

$TotalVMsCountDCAres6 = $TotalVMsDCAres6.count

Write-Host "There are $TotalVMsCountDCAres6 Virtual Machines in $DefaultVIServer"

$TotalVMHostsDCAres6 = Get-VMHost

$TotalVMHostsCountDCAres6 = $TotalVMHostsDCAres6.count

Write-Host "There are $TotalVMHostsCountDCAres6 Hosts in $DefaultVIServer"

disconnect-viserver * -Confirm:$false

# Get totals for DatacentreA Managment VC6

Connect-VIServer -Server MGTVC60DCA.domain.com.au

$TotalVMsDCAmgt6 = Get-VM

$TotalVMsCountDCAmgt6 = $TotalVMsDCAmgt6.count

Write-Host "There are $TotalVMsCountDCAmgt6 Virtual Machines in $DefaultVIServer"

$TotalVMHostsDCAmgt6 = Get-VMHost

$TotalVMHostsCountDCAmgt6 = $TotalVMHostsDCAmgt6.count

Write-Host "There are $TotalVMHostsCountDCAmgt6 Hosts in $DefaultVIServer"

disconnect-viserver * -Confirm:$false

# Get VM total for DatacentreB Resources VC6

Connect-VIServer -Server RESVC60DCB.domain.com.au

$TotalVMsDCBres6 = Get-VM

$TotalVMsCountDCBres6 = $TotalVMsDCBres6.count

Write-Host "There are $TotalVMsCountDCBres6 Virtual Machines in $DefaultVIServer"

$TotalVMHostsDCBres6 = Get-VMHost

$TotalVMHostsCountDCBres6 = $TotalVMHostsDCBres6.count

Write-Host "There are $TotalVMHostsCountDCBres6 Hosts in $DefaultVIServer"

disconnect-viserver * -Confirm:$false

# Get VM total for DatacentreB Management VC6

Connect-VIServer -Server MGTVC60DCB.domain.com.au

$TotalVMsDCBmgt6 = Get-VM

$TotalVMsCountDCBmgt6 = $TotalVMsDCBmgt6.count

Write-Host "There are $TotalVMsCountDCBmgt6 Virtual Machines in $DefaultVIServer"

$TotalVMHostsDCBmgt6 = Get-VMHost

$TotalVMHostsCountDCBmgt6 = $TotalVMHostsDCBmgt6.count

Write-Host "There are $TotalVMHostsCountDCBmgt6 Hosts in $DefaultVIServer"

disconnect-viserver * -Confirm:$false

# Get VM total for DatacentreA Resources VC 6.5

Connect-VIServer -Server RESVC65DCA.domain.com.au

$TotalVMsDCAres65 = Get-VM

$TotalVMsCountDCAres65 = $TotalVMsDCAres65.count

Write-Host "There are $TotalVMsCountDCAres65 Virtual Machines in $DefaultVIServer"

$TotalVMHostsDCAres65 = Get-VMHost

$TotalVMHostsCountDCAres65 = $TotalVMHostsDCAres65.count

Write-Host "There are $TotalVMHostsCountDCAres65 Hosts in $DefaultVIServer"

disconnect-viserver * -Confirm:$false

# Get totals for DatacentreA Managment VC 6.5

Connect-VIServer -Server MGTVC65DCA.domain.com.au

$TotalVMsDCAmgt65 = Get-VM

$TotalVMsCountDCAmgt65 = $TotalVMsDCAmgt65.count

Write-Host "There are $TotalVMsCountDCAmgt65 Virtual Machines in $DefaultVIServer"

$TotalVMHostsDCAmgt65 = Get-VMHost

$TotalVMHostsCountDCAmgt65 = $TotalVMHostsDCAmgt65.count

Write-Host "There are $TotalVMHostsCountDCAmgt65 Hosts in $DefaultVIServer"

disconnect-viserver * -Confirm:$false

# Get VM total for DatacentreB Resources VC 6.5

Connect-VIServer -Server RESVC65DCB.domain.com.au

$TotalVMsDCBres65 = Get-VM

$TotalVMsCountDCBres65 = $TotalVMsDCBres65.count

Write-Host "There are $TotalVMsCountDCBres65 Virtual Machines in $DefaultVIServer"

$TotalVMHostsDCBres65 = Get-VMHost

$TotalVMHostsCountDCBres65 = $TotalVMHostsDCBres65.count

Write-Host "There are $TotalVMHostsCountDCBres65 Hosts in $DefaultVIServer"

disconnect-viserver * -Confirm:$false

# Get VM total for DatacentreB Management VC 6.5

Connect-VIServer -Server MGTVC65DCB.domain.com.au

$TotalVMsDCBmgt65 = Get-VM

$TotalVMsCountDCBmgt65 = $TotalVMsDCBmgt65.count

Write-Host "There are $TotalVMsCountDCBmgt65 Virtual Machines in $DefaultVIServer"

$TotalVMHostsDCBmgt65 = Get-VMHost

$TotalVMHostsCountDCBmgt65 = $TotalVMHostsDCBmgt65.count

Write-Host "There are $TotalVMHostsCountDCBmgt65 Hosts in $DefaultVIServer"

disconnect-viserver * -Confirm:$false

# Email results to Virtualisation team

$EmailTo = "emailaddress@doman.com.au"

$EmailFrom = "powercli@doman.com.au"

$EmailSubject = "Monthly Report - VM & Host Tally"

$SMTPSRV = "mail.domain.com.au"

send-Mailmessage -To $EmailTo -From $EmailFrom -Subject $EmailSubject -SmtpServer $SMTPSRV -Body "Total Number of VMs per VC

RESVC60DCA = $TotalVMsCountDCAres6

MGTVC60DCA = $TotalVMsCountDCAmgt6

RESVC60DCB = $TotalVMsCountDCBres6

MGTVC60DCB = $TotalVMsCountDCBmgt6

RESVC65DCA = $TotalVMsCountDCAres65

MGTVC65DCA = $TotalVMsCountDCAmgt65

RESVC65DCB = $TotalVMsCountDCBres65

MGTVC65DCB = $TotalVMsCountDCBmgt65`n`n

Total Number of Hosts per VC

RESVC60DCA = $TotalhostsCountDCAres6

MGTVC60DCA = $TotalhostsCountDCAmgt6

RESVC60DCB = $TotalhostsCountDCBres6

MGTVC60DCB = $TotalhostsCountDCBmgt6

RESVC65DCA = $TotalhostsCountDCAres65

MGTVC65DCA = $TotalhostsCountDCAmgt65

RESVC65DCB = $TotalhostsCountDCBres65

MGTVC65DCB = $TotalhostsCountDCBmgt65"

0 Kudos
Highlighted
User Moderator
User Moderator

There have been a couple of threads related to SSPI vs VCSA 6.5 in the last days.

Can you check if any of the replies/questions in there can help?

Connect-VIServer asks the credentials

Connect-VIServer without prompting for user


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Highlighted
Enthusiast
Enthusiast

Assuming you are running this by clicking Powershell, have you tried right clicking > run as administrator then trying the script?

0 Kudos
Highlighted
Contributor
Contributor

Hi LucD

Sorry about delayed response, long story short I was not able to respond earlier.  Smiley Happy

In my inital troubleshooting I came across both of threads you suggested to look at and I've also read the mentioned KB article.

The issue here is that I'm not having authentiation issues when connecting to VCSA 6.5 via PowerCLI or directly via WebClient.  Issue is occuring only when attempting to do so when running script in PowerShell windows or if the script is scheduled as a task in Windows Scheduling Service, which calls PowerShell command prompt and not PowerCLI.

Also, the issue is not present if connecting to vCenter Server for Windows, however that version is 6.0.

In both environments PSC servers are external and SSO is configured with same AD as primary authentication source.

0 Kudos
Highlighted
Contributor
Contributor

Yes, the PowerShell windows is run as Administrator, not that it should matter as it connect just fine to vCenter Server for Windows 6.0 but not to VCSA 6.5.

0 Kudos
Highlighted
Contributor
Contributor

I've run this issues by our Windows gurus and after some further troubleshooting we came across a post by Alan Renouf Connect-VIServer fails to pass current logged on credentials to VC where he explains the issue and points to VMware Knowledge Base KB2050701.

As I'm told, what seems to be the issue is that VCSA itself is not AD domain member, so in order for it to use credentials it has to authenticate with AD.  However, if we added the appliance to the domain that is used as authentication source in SSO then it would be accepting passed-through credentials.

I'll have to do some further testing on this in our UAT environment before I start making any drastic changes to our prod servers.

0 Kudos
Highlighted
User Moderator
User Moderator

Just some remarks/questions.

  • that KB only goes to VCSA 6.0 not VCSA 6.5
  • Alan's post mentions that the VC is in the domain, so there has been a join for the VC
  • did you see the entry in the vpxd log that the KB is referring to
  • does the Verbose switch provide any extra info


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Highlighted
Enthusiast
Enthusiast

Edukate - Did you get anywhere with this? I'm having exactly the same issue here.

0 Kudos
Highlighted
Contributor
Contributor

Ah,

Upgraded from

vCenter Server 6.5.0 build-7801515 to

vCenter Server 6.5.0 build-8024368

and it stopped this behaviour for me.

0 Kudos
Highlighted
Contributor
Contributor

I have found the solution in my case, the VCSA wasn't joined to the domain and my PSC is external.

Common "mistake" it seems, since the option to join the appliance isn't showing in the GUI for the VCSA and one could assume that if the PSC is joined, it's ok, since it contains the SSO.

Please refer to this article in the VMware Knowledge Base to join the VCSA appliance itself to the AD.

After that I could do a connect-VIServer without having to enter my credentials again. Smiley Happy

0 Kudos
Highlighted
Contributor
Contributor

Thanks a lot for your hint, MisterP81!!
We were facing the same scenario (VCSA 6.5 with external PSC joined to AD) and did not see that (for whatever reason) our VCSA wass not updating it's AD info / credentials using LW since 4 months...
Re-joining to AD and rebooting the VCSA helped and scripting is now possible again without creds-prompt.

0 Kudos