VMware Cloud Community
cgillwh
Contributor

Unable to get new PowerCLI 6.5 R1 to even try and connect to our vCenter

Greetings,

I'm trying out the new PowerCLI 6.5 release and have so far had 0 luck getting it to even try and connect to our vCenter 6.0u2 environment.

The only information I've been able to gather so far is the following error message:

VERBOSE: Attempting to connect using SSPI

VERBOSE: Could not establish secure channel for SSL/TLS with authority 'vcenter.domain.com'.

VERBOSE: Connect using SSPI was unsuccessful

VERBOSE: Could not establish secure channel for SSL/TLS with authority 'vcenter.domain.com'.

Even after passing the vCenter Administrator username and password in domain/username format, I'm left with the error message:

VERBOSE: Could not establish secure channel for SSL/TLS with authority 'vcenter.domain.com'.

The vCenter server has a cert signed by our Root CA that is trusted, and I've also gone so far as to import the vCenter cert manually and trusted it, but have had no further luck.

I am aware of the known issue mentioned in the 6.5R1 release notes regarding vCenter not being able to authenticate using Kerberos (VMware PowerCLI Release Notes), however that doesn't appear to be the issue here since I'm using the local administrator account.

I've seen 0 information on Google regarding this issue, and IRC has been of 0 help.

What's going on here!??!

18 Replies
LucD
Leadership

I suspect a certificate issue.

Can you try and set the following

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore

and then try the Connect-VIServer again?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

inforhunter
Enthusiast

I have the same problem when using the command "connect-hvserver", even after setting InvalidCertificateAction to Ignore. Below is the prompt:

PowerCLI C:\> Connect-HVServer -server 192.168.10.166

Connect-HVServer : Could not establish secure channel for SSL/TLS with authority '192.168.10.166'.

At line:1 char:1

+ Connect-HVServer -server 192.168.10.166

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Connect-HVServer], Exception

    + FullyQualifiedErrorId : System.Exception,VMware.VimAutomation.HorizonView.Commands.Cmdlets.ConnectHVServer

But it's OK when using the command "connect-VIServer".

LucD
Leadership

Just to make sure, the Connect-HVServer is targeting a Horizon View Connection server, not a vCenter?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

panhvr
Contributor

Hello Luc

I was trying to connect CB server using Connect-HVServer -Server ServerName -user USERNAME -password PASSWORD -domain DOMAIN

But I am receiving the below error message when trying from my account. Then I created a new AD account which is just a member of domain users and directly added it to View Admin > Administrator role (Logging in to Horizon View server fails to authenticate the user (2148374) | VMware KB), but I still see the same error. Is there any alternative for this issue?

Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound

ErrorMessage : Could not find user or group in AD

Id : VMware.Hv.UserOrGroupId

At line:1 char:1

+ Connect-HVServer -Server XXXXXXXXXXXXXXXXXXXXXXXXXXXX

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Connect-HVServer], Exception

    + FullyQualifiedErrorId : System.Exception,VMware.VimAutomation.HorizonView.Commands.Cmdlets.ConnectHVServer

Thanks in Advance.

LucD
Leadership

It looks as if the connection server can't find that new account.

Are you sure it is propagated to all your DCs?

Did you assign the correct role to the new account?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

panhvr
Contributor

Yes Sir, the account is replicated to all DCs.

When I use the IP address of the connection server I get the below error.

Connect-HVServer -Server IPADD -User 'useraccount@domainname' -password  'PASSWORD'

Connect-HVServer : There was no endpoint listening at https://connectionserverIP/view-vlsi/sdk that could accept the message. This is often caused by an incorrect address or SOAP action. See

InnerException, if present, for more details.

If I use the FQDN I see the below error:

Connect-HVServer -Server CSFQDN -User 'useraccount@domainname' -password 'PASSWORD' -Domain 'domainname'

Connect-HVServer : ExceptionType : VMware.Hv.SecurityError

ErrorMessage : Authentication failed: LogonUser FAILED, error=1326 (The user name or password is incorrect.)

At line:1 char:1

LucD
Leadership

Did you already try passing the user in the format "domain\username"?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

panhvr
Contributor

Yes Luc, when I tried Connect-HVServer -Server FQDN it prompted for user name and password, where I entered the domain\username and password, which fails with the error

Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound

ErrorMessage : Could not find user or group in AD

Id : VMware.Hv.UserOrGroupId

At line:1 char:1

LucD
Leadership

Just to make sure, can the following find the new user entry?

Get-ADUser -Filter "SamAccountName -eq 'username'" -Server 'domainname'

Also when you execute it on one of the Connection servers?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

panhvr
Contributor

I searched AD for the account details

Get-ADUser -Filter {SamAccountName -eq 'USERACCOUNT'} -Server 'DOMAIN'

which displayed the account details in the output

Then I logged in to the connection server and tried connecting from the PowerCLI command prompt, which shows the below error

Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound

ErrorMessage : Could not find user or group in AD

Id : VMware.Hv.UserOrGroupId

At line:1 char:1

New AD account which I have added to the View admin console | I have given administrator access to the root. Do I need to make any changes there?

LucD
Leadership

Does the Get-ADUser return anything when you run it on the Connection server?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

panhvr
Contributor

Yes Luc, from the connection server too Get-ADUser displays the output.

When I run Connect-HVServer -Server FQDN from the connection server with my account I also see the below error.

Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound

ErrorMessage : Could not find user or group in AD

Id : VMware.Hv.UserOrGroupId

At line:1 char:1

LucD
Leadership

Looks like the Connection server can't query AD for one reason or the other.
Does it fail for all AD accounts?

Perhaps you should open an SR for this issue.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

panhvr
Contributor

Sure Luc, I will open an SR. Thanks for your help.

When I remove the account from the connection broker I get an access denied error.

Connect-HVServer : ExceptionType : VMware.Hv.SecurityError

ErrorMessage : Access Denied

When I add it and retry I get the user or group not found error

Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound

ErrorMessage : Could not find user or group in AD

LucD
Leadership

That seems to confirm that there is an issue between the Connection Server and AD.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

aka01
Contributor

Hi Pan. Have you had any progress on fixing this? I am seeing an identical issue with several accounts that have full admin rights in the view console and on the servers themselves. AD connection seems to work fine.

krish290785
Enthusiast

In order to replicate the issue, I started the connection server prior to the AD. I hit the same issue. Then I left the AD powered on and restarted the connection server to have it sync with AD right after the bootup. It worked!

LucD seems to be correct. Something to do with the CS and AD sync somehow. Not sure if this is related to your scenario; maybe the Tech support guys can help.

See if the below link helps.

Logging in to Horizon View server fails to authenticate the user (2148374) | VMware KB

-Bala Krishna Gali If the above info is useful, please mark answer as correct or helpful.
Jeff_A
Contributor

PowerCLI C:\> Connect-HVServer -Server xxxx.xxxx.xx

Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound

ErrorMessage : Could not find user or group in AD

Id : VMware.Hv.UserOrGroupId

At line:1 char:1

+ Connect-HVServer -Server xxxx.xxxx.xx

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Connect-HVServer], Exception

    + FullyQualifiedErrorId : System.Exception,VMware.VimAutomation.HorizonVie

   w.Commands.Cmdlets.ConnectHVServer

This error can be caused by some AD groups with SID history. Here is how you can check for this yourself and resolve the issue:

On the connection server you're trying to connect to using connect-hvserver, go into the logs directory at:

C:\ProgramData\VMware\VDM\logs

Locate the debug-yyyy-mm-dd-nnnn file that has this line:

Cannot get domain base DN by SID

Copy the SID.

Open PowerShell and run this command, substituting the sid found:

Get-ADObject -Filter {(SIDHistory -eq "S-1-5-21-nnnnnnnnn-nnnnnnnnnn-nnnnnnnnnn-nnnnn") }

In the DistinguishedName, you will find the AD Group name. 

Now, you need to remove the SID History from that AD group.

One way of doing this:

https://itfordummies.net/2015/12/09/remove-sidhistory-powershell/

That should resolve the issue.

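The log search and AD lookup from Jeff_A's post above can be scripted as one read-only check. This is an added example, not code from the thread: the function name `Get-UnresolvedSid`, the sample log lines and the assumption that the SID appears on the same line as the message are all hypothetical.

```powershell
# Added example (not from the thread): find SIDs the Connection Server could not
# resolve and list the AD objects that carry them in sIDHistory. Read-only.

# Constructed sample lines. Only the message text comes from the post; the
# timestamp/prefix layout and the SID position on the line are assumptions.
$sampleLog = @(
    '2017-01-10T09:00:01 DEBUG [Example] Cannot get domain base DN by SID S-1-5-21-1111111111-2222222222-3333333333-4444'
    '2017-01-10T09:00:02 DEBUG [Example] Unrelated message'
    '2017-01-10T09:05:41 DEBUG [Example] Cannot get domain base DN by SID S-1-5-21-1111111111-2222222222-3333333333-4444'
)

function Get-UnresolvedSid {
    # Returns each distinct domain SID found on a matching log line.
    param([string[]]$Line)
    $Line |
        Where-Object { $_ -like '*Cannot get domain base DN by SID*' } |
        ForEach-Object { [regex]::Matches($_, 'S-1-5-21(?:-\d+)+').Value } |
        Sort-Object -Unique
}

# Use the real debug logs when run on a Connection Server, else the sample.
$logDir = 'C:\ProgramData\VMware\VDM\logs'   # path given in the post
$lines = if (Test-Path $logDir) {
    Get-ChildItem -Path $logDir -Filter 'debug-*' | Get-Content
} else {
    $sampleLog
}

$sids = Get-UnresolvedSid -Line $lines

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($sid in $sids) {
        # Same query as in the post, with the matched SID attached to each hit
        Get-ADObject -Filter "SIDHistory -eq '$sid'" -Properties SIDHistory |
            Select-Object Name, ObjectClass, DistinguishedName,
                @{ Name = 'MatchedSid'; Expression = { $sid } }
    }
} else {
    # No AD module on this machine: just report the SIDs to look up elsewhere
    $sids
}
```

Review each reported object before clearing its SID history, since sIDHistory entries can still grant access to resources whose ACLs reference the old SID.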