Hello,
I have a small issue in PowerCLI for vSphere 6.5. I have added a user to connect with the Windows logon session, but:
- in the vSphere Web Client it works (without entering the login and password)
- in PowerCLI I must enter the credentials.
How can I also use the logon credentials in PowerCLI without entering any login and password?
Best regards.
Not sure if I get the question here.
Let me recap as I understood it:
Is that a correct interpretation?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hello,
This is the correct interpretation.
With the Connect-VIServer cmdlet I must enter the AD login, but in the vSphere Web Client I don't.
In the SSO Identity sources, is the Active Directory one marked as the default one?
See also Alan's post Back to Basics: Connecting to vCenter or a vSphere Host
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes, my AD domain is the default one.
Best regards
Can you add the -Verbose switch on the Connect-VIServer cmdlet?
Perhaps that will give a bit more info.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
This is the output when I add -Verbose:
PS C:\Users\admin> Connect-VIServer -server vcenter -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'bt1svt09' to 'vcenter.domaine.com'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'PROD\user1'
VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/vcenter.domaine.com'. Error code: 0x80090303
VERBOSE: Connect using SSPI was unsuccessful
That seems to be the same issue Alan mentioned in Connect-VIServer fails to pass current logged on credentials to VC
The KB mentioned in that thread doesn't mention 6.5, so I'm not sure if the fix will work.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Unfortunately it is still the same issue for me.
You did restart the vpxd service I assume?
Can you check the vpxd log to see if there are indeed similar error entries to the ones mentioned in the KB?
Or are there any entries at the moment you try the Connect-VIServer?
Could perhaps also be useful to do a Connect-VIServer with the Verbose switch and then enter the credentials.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hello,
As you said, the KB that you sent me talks about vSphere 5.5 and 6.
There is a difference between these two versions and vSphere 6.5. Let me explain:
--- the "passwd: compat ato" in /etc/nsswitch.conf does not exist in vSphere 6.5 --> there is passwd: files ato
The other point: when I enter the AD credentials in Connect-VIServer -Verbose, I get the following information:
VERBOSE: SSPI NTLM: Acquired credentials for user 'my add user'
VERBOSE: SSPI NTLM: Successful call to InitializeSecurityContext for target 'my add user'
VERBOSE: SSPI NTLM: Acquired credentials for user 'my add user'
VERBOSE: SSPI NTLM: Successful call to InitializeSecurityContext for target 'my add user'
VERBOSE: Connected successfully using SSPI
Best regards.
I'm afraid I don't have any further suggestions here.
Can you open an SR for this (PowerCLI is supported, if they claim otherwise, let us know)?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
I have some additional information.
As far as I can tell, my vCenter does not know my default identity source, which is my domain.
In the vSphere Web Client, when I enter only the user and password the connection fails; I must use domain\login for the connection.
Do you have any idea about this?
Thanks
Best regards.
That is normally the case when the AD Domain is not the default authentication domain afaik.
But you already replied that the AD domain is the default one.
Sorry, no idea why this happens in that case.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
We just succeeded in getting SSPI to work such that PowerCLI 6.5 against vCenter 6.5 (in our case with an external PSC) passes through the Kerberos credentials.
1. If PSC is external, ensure it's joined to AD -- Join the vCenter Server Appliance to an Active Directory Domain. Reboot the PSC appliance.
2. For the vCenter Appliance, you must also join it to AD via the CLI (Only if PSC is External) -- The option to join vCenter Server Appliance 6.x to an Active Directory domain is unavailable in the ...
3. If the domain you're joining differs from the FQDN of the vCenter, you'll need to create a matching Service Principal Name (SPN) for the vCenter's Computer Account. Otherwise SSPI will fail to create a security context to perform the login to the machine account to pass-through your credentials.
In our case, #3 was the missing piece. Our vCenter was in a separate DNS domain (xxx.umn.edu) from AD (yyy.umn.edu.) By default 2 SPNs are created under the Computer Account in AD (at least in our case):
<vCenter-Hostname>
<vCenter-Hostname>.<yyy.umn.edu -- The AD Domain>
So for us, a 3rd SPN was needed:
<vCenter-Hostname>.<xxx.umn.edu -- Our Separate DNS Domain>
Easiest to add the missing SPN from the command-line on the Domain Controller (or any Windows machine with the AD Tools installed/enabled):
setspn -A "HOST/<vCenter-Hostname>.<domain-name>" <vCenter-HostName>
Example: setspn -A "HOST/myvCenter.xxx.umn.edu" myvCenter
Then list the SPNs associated with the Computer Account to confirm:
setspn -l <AD-Domain>\<vCenter-Hostname>
Example: setspn -l yyy.umn.edu\myvCenter
4. Reboot the vCenter Appliance. This will ensure there is sufficient time for the AD Domain Controllers to replicate the new Computer Account + its custom SPN addition.
Hope this helps!
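A check for the missing-SPN condition from step 3, as an added example that is not part of the original post: it rebuilds the `host/<fqdn>` target that Connect-VIServer -Verbose reports and looks it up in Active Directory. It assumes a domain-joined Windows machine, that the vCenter computer account lives in the current user's domain, and the placeholder server name `myvCenter`.

```powershell
# Added example: verify that the Kerberos SPN PowerCLI will request is registered in AD.
# 'myvCenter' is a placeholder; pass the same name you give to Connect-VIServer.
param([string]$Server = 'myvCenter')

# PowerCLI reverse-resolves the server and targets host/<fqdn> (see the -Verbose output),
# so do the same forward + reverse lookup here.
$ip   = [System.Net.Dns]::GetHostAddresses($Server) | Select-Object -First 1
$fqdn = [System.Net.Dns]::GetHostEntry($ip).HostName
$spn  = "HOST/$fqdn"

# Find every account that carries this SPN. A bare [adsisearcher] searches the
# current domain only (assumption: the vCenter computer account lives there).
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$hits = @($searcher.FindAll())

switch ($hits.Count) {
    0 {
        # No account owns the SPN: the KDC cannot issue a service ticket and
        # InitializeSecurityContext fails with 0x80090303 (SEC_E_TARGET_UNKNOWN).
        Write-Warning "SPN '$spn' is not registered. Kerberos pass-through will fail."
    }
    1 {
        $owner = $hits[0].Properties['samaccountname'][0]
        Write-Output "SPN '$spn' is registered on account '$owner'."
    }
    default {
        # Duplicate SPNs also break Kerberos; the SPN must map to exactly one account.
        Write-Warning "SPN '$spn' is registered on $($hits.Count) accounts:"
        $hits | ForEach-Object { Write-Output "  $($_.Properties['distinguishedname'][0])" }
    }
}
```

If the SPN is reported on an account other than the vCenter computer account, remove it from the wrong account before adding it to the right one.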