Greetings,
I'm trying out the new PowerCLI 6.5 release and have so far had 0 luck getting it to even try and connect to our vCenter 6.0u2 environment.
The only information I've been able to gather so far is the following error message:
VERBOSE: Attempting to connect using SSPI
VERBOSE: Could not establish secure channel for SSL/TLS with authority 'vcenter.domain.com'.
VERBOSE: Connect using SSPI was unsuccessful
VERBOSE: Could not establish secure channel for SSL/TLS with authority 'vcenter.domain.com'.
Even after passing the vCenter Administrator username and password in domain/username format, I'm left with the error message:
VERBOSE: Could not establish secure channel for SSL/TLS with authority 'vcenter.domain.com'.
The vCenter server has a cert signed by our Root CA that is trusted, and I've also gone so far as to import the vCenter cert manually and trusted it, but have had no further luck.
I am aware of the known issue mentioned in the 6.5R1 release notes regarding vCenter not being able to authenticate using Kerberos (VMware PowerCLI Release Notes), however that doesn't appear to be the issue here since I'm using the local administrator account.
I've seen 0 information on Google regarding this issue, and IRC has been of 0 help.
What's going on here!??!
I suspect a certificate issue.
Can you try and set the following
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
and then try the Connect-VIServer again?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I have the same problem when using the command "connect-hvserver", even after setting InvalidCertificateAction to Ignore. Below is the prompt:
PowerCLI C:\> Connect-HVServer -server 192.168.10.166
Connect-HVServer : Could not establish secure channel for SSL/TLS with authority '192.168.10.166'.
At line:1 char:1
+ Connect-HVServer -server 192.168.10.166
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-HVServer], Exception
+ FullyQualifiedErrorId : System.Exception,VMware.VimAutomation.HorizonView.Commands.Cmdlets.ConnectHVServer
But it's OK when using the command "connect-VIServer".
Just to make sure, the Connect-HVServer is targeting a Horizon View Connection server, not a vCenter?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hello Luc
I was trying to connect CB server using Connect-HVServer -Server ServerName -user USERNAME -password PASSWORD -domain DOMAIN
But I am receiving the below error message when trying from my account, then I created a new AD account which is just a member of domain users and directly added it to view admin > Administrator role (Logging in to Horizon View server fails to authenticate the user (2148374) | VMware KB). But still I see the same error. Any alternative for this issue?
Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound
ErrorMessage : Could not find user or group in AD
Id : VMware.Hv.UserOrGroupId
At line:1 char:1
+ Connect-HVServer -Server XXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-HVServer], Exception
+ FullyQualifiedErrorId : System.Exception,VMware.VimAutomation.HorizonView.Commands.Cmdlets.ConnectHVServer
Thanks in Advance.
It looks as if the connection server can't find that new account.
Are you sure it is propagated to all your DCs?
Did you assign the correct role to the new account?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes Sir, the account is replicated to all DCs.
When I use the IP address of the connection server I get the below error.
Connect-HVServer -Server IPADD -User 'useraccount@domainname' -password 'PASSWORD'
Connect-HVServer : There was no endpoint listening at https://connectionserverIP/view-vlsi/sdk that could accept the message. This is often caused by an incorrect address or SOAP action. See
InnerException, if present, for more details.
If I use the FQDN I see the below error
Connect-HVServer -Server CSFQDN -User 'useraccount@domainname' -password 'PASSWORD' -Domain 'domainname'
Connect-HVServer : ExceptionType : VMware.Hv.SecurityError
ErrorMessage : Authentication failed: LogonUser FAILED, error=1326 (The user name or password is incorrect.)
At line:1 char:1
Did you already try passing the user in the format "domain\username"?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes Luc, when I tried Connect-HVServer -Server FQDN it prompted for user name and password, where I entered the domain\username and password, which fails with the error
Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound
ErrorMessage : Could not find user or group in AD
Id : VMware.Hv.UserOrGroupId
At line:1 char:1
Just to make sure, can the following find the new user entry?
Get-ADUser -Filter "SamAccountName -eq 'username'" -Server 'domainname'
Also when you execute it on one of the Connection servers?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I searched AD for the account details
Get-ADUser -Filter {SamAccountName -eq 'USERACCOUNT'} -Server 'DOMAIN'
which displayed the account details in the output
Then I logged in to the connection server and tried connecting from the PowerCLI command prompt, which shows the below error
Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound
ErrorMessage : Could not find user or group in AD
Id : VMware.Hv.UserOrGroupId
At line:1 char:1
New AD account which I have added to view admin console | I have given administrator access to the root. Do I need to make any changes there?
Does the Get-ADUser return anything when you run it on the Connection server?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes Luc, from the connection server too Get-ADUser displays the output.
When I run Connect-HVServer -Server FQDN from the connection server with my account, I also see the below error.
Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound
ErrorMessage : Could not find user or group in AD
Id : VMware.Hv.UserOrGroupId
At line:1 char:1
Looks like the Connection server can't query AD for one reason or the other.
Does it fail for all AD accounts?
Perhaps you should open an SR for this issue
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Sure Luc, I will open an SR. Thanks for your help.
When I remove the account from the connection broker I get an access denied error.
Connect-HVServer : ExceptionType : VMware.Hv.SecurityError
ErrorMessage : Access Denied
When I add it and retry I get the user or group not found error
Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound
ErrorMessage : Could not find user or group in AD
That seems to confirm that there is an issue between the Connection Server and AD.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Pan. Have you had any progress on fixing this? I am seeing an identical issue with several accounts that have full admin rights in the view console and on the servers themselves. AD connection seems to work fine.
In order to replicate the issue I started the connection server prior to the AD. I hit the same issue. Then I left the AD powered on and restarted the connection server to have it sync with AD right after bootup. It worked!
LucD seems to be correct. Something to do with the CS and AD sync somehow. Not sure if this is related to your scenario; maybe the Tech support guys can help.
See if the below link helps.
Logging in to Horizon View server fails to authenticate the user (2148374) | VMware KB
PowerCLI C:\> Connect-HVServer -Server xxxx.xxxx.xx
Connect-HVServer : ExceptionType : VMware.Hv.EntityNotFound
ErrorMessage : Could not find user or group in AD
Id : VMware.Hv.UserOrGroupId
At line:1 char:1
+ Connect-HVServer -Server xxxx.xxxx.xx
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-HVServer], Exception
+ FullyQualifiedErrorId : System.Exception,VMware.VimAutomation.HorizonView.Commands.Cmdlets.ConnectHVServer
This error can be caused by some AD groups with SID history. Here is how you can check for this yourself and resolve the issue:
On the connection server you're trying to connect to using connect-hvserver, go into the logs directory at:
C:\ProgramData\VMware\VDM\logs
Locate the debug-yyyy-mm-dd-nnnn file that has this line:
Cannot get domain base DN by SID
Copy the SID.
Open PowerShell and run this command, substituting the sid found:
Get-ADObject -Filter {(SIDHistory -eq "S-1-5-21-nnnnnnnnn-nnnnnnnnnn-nnnnnnnnnn-nnnnn") }
In the DistinguishedName, you will find the AD Group name.
Now, you need to remove the SID History from that AD group.
One way of doing this:
https://itfordummies.net/2015/12/09/remove-sidhistory-powershell/
That should resolve the issue
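The log-to-AD lookup described in the post above, combined into one read-only script. This is an added example, not part of the original post or of VMware's tooling; it assumes the SID is printed on the same log line as the message, that the ActiveDirectory module is installed, and the variable names are illustrative. It only reports which objects carry the SID in their SIDHistory and changes nothing in AD.

```powershell
# Added example: read-only report, nothing in AD is modified.
# Requires the ActiveDirectory module (RSAT) where the script runs.
Import-Module ActiveDirectory

$logDir = 'C:\ProgramData\VMware\VDM\logs'      # log directory named in the post
$marker = 'Cannot get domain base DN by SID'    # log message named in the post
# Assumption: the SID follows the message on the same line, in the
# S-1-5-21-<domain>-<domain>-<domain>-<RID> form shown in the post.
$sidRx  = 'S-1-5-21-\d+-\d+-\d+-\d+'

# Collect every distinct SID found on a matching debug-log line.
$sids = Get-ChildItem -Path $logDir -Filter 'debug-*' -File |
    Select-String -SimpleMatch -Pattern $marker |
    ForEach-Object { [regex]::Matches($_.Line, $sidRx) } |
    ForEach-Object { $_.Value } |
    Sort-Object -Unique

if (-not $sids) {
    Write-Warning "No '$marker' line containing a SID was found in $logDir"
    return
}

# For each SID, list the AD objects whose SIDHistory contains it.
$report = foreach ($sid in $sids) {
    $hits = @(Get-ADObject -Filter "SIDHistory -eq '$sid'" -Properties SIDHistory)
    if ($hits.Count -eq 0) {
        # The SID is logged but no object carries it in SIDHistory.
        [pscustomobject]@{ Sid = $sid; Name = $null; ObjectClass = $null; DistinguishedName = $null }
        continue
    }
    foreach ($obj in $hits) {
        [pscustomobject]@{
            Sid               = $sid
            Name              = $obj.Name
            ObjectClass       = $obj.ObjectClass
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Keep the report as a record of which groups held which SIDHistory values before anything is removed, since permissions granted through the old SID stop applying once the attribute is cleared.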