YELMAHOT
Contributor

Logon sessions in PowerCLI for vSphere appliance 6.5


Hello,

I have a small issue in PowerCLI for vSphere 6.5. I have added a user to connect with the Windows logon session, but:

- in the vSphere Web Client it works (without entering the login and password)

- in PowerCLI I must enter the credentials.

How can I also use the logon credentials in PowerCLI without entering any login and password?

Best regards.


Accepted Solutions
LucD
Leadership

Not sure if I get the question here.

Let me recap as I understood it:

  • in SSO you have defined Active Directory as an Authentication source
  • you gave a role to a specific AD account
  • you can logon to the Web Client without being prompted for a password while you are logged on to AD with that specific AD account
  • With the Connect-VIServer cmdlet you are prompted for credentials when logged on to AD with that specific AD account

Is that a correct interpretation?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

YELMAHOT
Contributor

Hello,

This is the correct interpretation.

With the Connect-VIServer cmdlet I must enter the AD login, but in the vSphere Web Client I don't.

LucD
Leadership

In the SSO Identity sources, is the Active Directory one marked as the default one?

See also Alan's post Back to Basics: Connecting to vCenter or a vSphere Host


YELMAHOT
Contributor

Yes, my AD domain is the default one.

Best regards

LucD
Leadership

Can you add the -Verbose switch on the Connect-VIServer cmdlet?

Perhaps that will give a bit more info.


YELMAHOT
Contributor

This is the output when I add -Verbose:

PS C:\Users\admin> Connect-VIServer -server vcenter -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Reversely resolved 'bt1svt09' to 'vcenter.domaine.com'
VERBOSE: SSPI Kerberos: Acquired credentials for user 'PROD\user1'
VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/vcenter.domaine.com'. Error code: 0x80090303
VERBOSE: Connect using SSPI was unsuccessful

LucD
Leadership

That seems to be the same issue Alan mentioned in Connect-VIServer fails to pass current logged on credentials to VC

The KB mentioned in that thread doesn't mention 6.5, so I'm not sure if the fix will work.


YELMAHOT
Contributor

Unfortunately it is still the same issue for me.

LucD
Leadership

You did restart the vpxd service, I assume?

Can you check the vpxd log to see if there are indeed similar error entries to the ones mentioned in the KB?

Or are there any entries at the moment you try the Connect-VIServer?

It could perhaps also be useful to do a Connect-VIServer with the -Verbose switch and then enter the credentials.


YELMAHOT
Contributor

Hello,

As you said, the KB that you sent me speaks about vSphere 5.5 and 6.

There is a difference between these two versions and vSphere 6.5. Let me explain:

    --- the "passwd: compat ato" in /etc/nsswitch.conf does not exist in vSphere 6.5 --> there it is "passwd: files ato"

The other point: when I enter the AD credentials with Connect-VIServer -Verbose, I get the following information:

VERBOSE: SSPI NTLM: Acquired credentials for user 'my add user'
VERBOSE: SSPI NTLM: Successful call to InitializeSecurityContext for target 'my add user'
VERBOSE: SSPI NTLM: Acquired credentials for user 'my add user'
VERBOSE: SSPI NTLM: Successful call to InitializeSecurityContext for target 'my add user'
VERBOSE: Connected successfully using SSPI

Best regards.

LucD
Leadership

I'm afraid I don't have any further suggestions here.

Can you open an SR for this (PowerCLI is supported; if they claim otherwise, let us know)?


YELMAHOT
Contributor

Hi LucD,

I have some additional information,

As I can see, my vCenter does not know my default identity source, which is my domain.

In the vSphere Web Client, when I enter only the user and password the connection fails; I must add domain\login for the connection.

Do you have any idea about this?

Thanks

Best regards.

LucD
Leadership

That is normally the case when the AD Domain is not the default authentication domain afaik.

But you already replied that the AD domain is the default one.

Sorry, no idea why this happens in that case.


aaronwsmith
Enthusiast

We just succeeded in getting SSPI to work so that PowerCLI 6.5 against vCenter 6.5 (in our case with an external PSC) passes through the Kerberos credentials.

1. If PSC is external, ensure it's joined to AD -- Join the vCenter Server Appliance to an Active Directory Domain. Reboot the PSC appliance.

2. For the vCenter Appliance, you must also join it to AD via the CLI (Only if PSC is External) -- The option to join vCenter Server Appliance 6.x to an Active Directory domain is unavailable in the ...

3. If the domain you're joining differs from the FQDN of the vCenter, you'll need to create a matching Service Principal Name (SPN) for the vCenter's Computer Account.  Otherwise SSPI will fail to create a security context to perform the login to the machine account to pass-through your credentials.

In our case, #3 was the missing piece. Our vCenter was in a separate DNS domain (xxx.umn.edu) from AD (yyy.umn.edu). By default 2 SPNs are created under the Computer Account in AD (at least in our case):

<vCenter-Hostname>

<vCenter-Hostname>.<yyy.umn.edu -- The AD Domain>

So for us, a 3rd SPN was needed:

<vCenter-Hostname>.<xxx.umn.edu -- Our Separate DNS Domain>

Easiest to add the missing SPN from the command-line on the Domain Controller (or any Windows machine with the AD Tools installed/enabled):

setspn -A "HOST/<vCenter-Hostname>.<domain-name>" <vCenter-HostName>


Example: setspn -A "HOST/myvCenter.xxx.umn.edu" myvCenter

Then list the SPNs associated with the Computer Account to confirm:

setspn -l <AD-Domain>\<vCenter-Hostname>

Example: setspn -l yyy.umn.edu\myvCenter

4. Reboot the vCenter Appliance. This will ensure there is sufficient time for the AD Domain Controllers to replicate the new Computer Account + its custom SPN addition.

Hope this helps!
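A check for the step 3 condition, added here as an example and not code from the thread, from VMware or from the poster: it resolves the name PowerCLI will target (the same reverse lookup the earlier VERBOSE line shows), reads the computer account's SPNs over ADSI, and emits the setspn command from the post if HOST/<fqdn> is missing. The 0x80090303 seen in the earlier verbose output is SEC_E_TARGET_UNKNOWN, which is what a missing SPN for the target name produces. Host names such as vcenter.xxx.umn.edu are placeholders, and the function name Test-VCenterSpn is my own.

```powershell
# Added example (not from the thread): does the vCenter computer account carry a
# HOST/<fqdn> SPN for the name PowerCLI actually targets? Uses ADSI only, so it
# runs on any domain-joined Windows host without the RSAT ActiveDirectory module.
# Host names below are placeholders; the function name is invented for this example.

function Test-VCenterSpn {
    param(
        [Parameter(Mandatory)][string]$Server,           # name you pass to Connect-VIServer
        [string]$ComputerName = ($Server -split '\.')[0]  # sAMAccountName without trailing $
    )

    # Resolve to the FQDN the same way the SSPI path does: forward, then reverse lookup.
    $ip     = [System.Net.Dns]::GetHostAddresses($Server)[0].IPAddressToString
    $fqdn   = [System.Net.Dns]::GetHostEntry($ip).HostName
    $wanted = "HOST/$fqdn"

    # Find the computer object in the default naming context.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $null = $searcher.PropertiesToLoad.Add('servicePrincipalName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No computer account '$ComputerName' found in AD" }

    # SPN comparison is case-insensitive in AD; -contains is case-insensitive too.
    $spns    = @($result.Properties['serviceprincipalname'])
    $present = $spns -contains $wanted

    [pscustomobject]@{
        TargetFqdn  = $fqdn
        RequiredSpn = $wanted
        Present     = $present
        ExistingSpn = $spns
        # The setspn line from the post, pre-filled; run it on a DC or a host with AD tools.
        FixCommand  = if ($present) { $null } else { "setspn -A `"$wanted`" $ComputerName" }
    }
}

# Usage: inspect the result, then re-test pass-through once the SPN exists
# (after the reboot in step 4). Connect-VIServer requires PowerCLI to be loaded.
$check = Test-VCenterSpn -Server 'vcenter.xxx.umn.edu'
$check | Format-List
if ($check.Present) {
    Connect-VIServer -Server $check.TargetFqdn -Verbose
}
```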