VMware Cloud Community
CarlyWarly
Enthusiast

stop or disable connect-viserver asking for credentials

I have a script that uses integrated security, as in the user account that creates the pssession. It then connects via PowerCLI to a list of vCenters. Is there a way for the Connect-VIServer command to fail if the user account does not have access, and not prompt for credentials?

Or is there a way of validating the user account before connecting? Something like "test-viaccess"?

I would prefer that the script throw an error, that I can manage, rather than hang 🙂

many thanks,

Carl

 


Accepted Solutions
LucD
Leadership

From similar questions around the Get-Credential cmdlet, it looks as if, when you start your PowerShell session with the parameter -NonInteractive, you don't get a prompt but an exception.
Since it is not always possible to start a new PS session with that NonInteractive parameter, you could run a short snippet and check the returned string.
The snippet uses a Try-Catch construct, with a specific case for the authentication exception.

The following seems to work for me.
When the user can not connect due to issues in WIA, the snippet returns "User can not connect via WIA"

 

$code = @'
  Try {
    Connect-VIServer -Server $vcsaName -ErrorAction Stop | Out-Null
    Write-Host "All is well"
  }
  Catch [VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.ViServerConnectionException] {
    Write-Host "User can not connect via WIA"
  }
  Catch {
    Write-Host "Some other error"
  }
'@

$vcsaName = '<Your VCSA FQDN>'

powershell -noninteractive -command "& {$($ExecutionContext.InvokeCommand.ExpandString($code))}"


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

LucD
Leadership

Add -ErrorAction Stop to your Connect-VIServer cmdlet.
Then place it in a Try-Catch construct, that way you will "catch" the terminating exception, and the script can stop (exit) or continue (comment out the exit).

try {
   Connect-VIServer -Server $vcsa -Credential $cred -ErrorAction Stop
}
catch {
   Write-Error "The connection failed"
   Exit
}

 


CarlyWarly
Enthusiast

Many thanks LucD and for the quick reply.

I think the problem is, it doesn't fail, it hangs prompting for credentials  😞

try {
   Connect-VIServer -Server $vcsa -ErrorAction Stop
} catch {
   $errMessages += "Failed to connect to $vcsa"
   continue
}

 

I am running the above as I can't ask for username/password to create $cred, I need to use the integrated security of the pssession.

Carl

LucD
Leadership

That could be a TLS or certificate issue.
What do you see when you add a Verbose switch to the Connect-VIServer?

Does it mention not being able to establish a secure channel?
Try setting InvalidCertificateAction to Ignore with the Set-PowerCLIConfiguration cmdlet.
Or better yet, make sure the certificate is installed and added to trusted root certificates.


CarlyWarly
Enthusiast

Again, thanks for getting back 🙂

I have the script creating a transcript and -verbose doesn't show anything, as the command/script unfortunately hangs prompting for credentials 😞

Certificates are valid and ignore certificates is set. I can connect when using my credentials when creating the pssession but it hangs when using the "script" account.

It's how do I stop connect-viserver prompting for credentials, if the user account doesn't have the integrated/passthru rights to connect.

Carl

 

LucD
Leadership

So are you in fact asking how to detect if the current user falls under Integrated Windows Authentication (IWA)?
Before trying to connect to the vCenter.


CarlyWarly
Enthusiast

Yes 🙂 

As you say, can I try before connecting or have connect-viserver fail and not prompt for creds 🙂

Carl

CarlyWarly
Enthusiast

I changed it ever so slightly, to make it easier to run within my script :

$code = @'
  Try {
    Connect-VIServer -Server $vcsaName -ErrorAction Stop | out-null
    exit 0
  }
  Catch [VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.ViServerConnectionException] {
    exit 1
  }
  Catch {
    exit 2
  }
'@

$vcsaName = '<Your VCSA FQDN>'
powershell -noninteractive -command "& {$($ExecutionContext.InvokeCommand.ExpandString($code))}"
if($LASTEXITCODE -ne 0) {
    # Failed to connect
} else {
    # All good
    # do things...
}
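
The non-interactive probe from the accepted solution, wrapped as a reusable pre-connection check with a timeout; this is an added example and not code from the thread. Test-VIAccess, the VI_PROBE_SERVER variable, the result strings and the vCenter names are assumptions made for illustration. The server name is handed to the child process through its environment instead of being expanded into the script text, so a name taken from a list cannot change the code that runs.

```powershell
# Added example, not from the thread. Test-VIAccess is a hypothetical helper name.
function Test-VIAccess {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$TimeoutSeconds = 60
    )
    # Same probe as in the thread, but the server name is read from an
    # environment variable, so it is never expanded into the script text.
    $probe = @'
try {
    Connect-VIServer -Server $env:VI_PROBE_SERVER -ErrorAction Stop | Out-Null
    Disconnect-VIServer -Server $env:VI_PROBE_SERVER -Confirm:$false
    exit 0
}
catch [VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.ViServerConnectionException] { exit 1 }
catch { exit 2 }
'@
    # -EncodedCommand expects Base64 of the UTF-16LE script text.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = 'powershell.exe'
    $psi.Arguments = "-NonInteractive -EncodedCommand $encoded"
    $psi.UseShellExecute = $false      # required to set the child's environment
    $psi.CreateNoWindow = $true
    $psi.EnvironmentVariables['VI_PROBE_SERVER'] = $Server

    $proc = [System.Diagnostics.Process]::Start($psi)
    try {
        if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
            $proc.Kill()               # still hanging: treat as a failure
            return 'Timeout'
        }
        switch ($proc.ExitCode) {
            0       { return 'Ok' }            # thread's "exit 0"
            1       { return 'AccessDenied' }  # thread's WIA connection exception
            default { return 'OtherError' }
        }
    }
    finally { $proc.Dispose() }
}

$vCenters = 'vcsa01.example.test', 'vcsa02.example.test'   # constructed names
$errMessages = @()
foreach ($vcsa in $vCenters) {
    $result = Test-VIAccess -Server $vcsa
    if ($result -ne 'Ok') { $errMessages += "Skipping ${vcsa}: $result"; continue }
    Connect-VIServer -Server $vcsa -ErrorAction Stop | Out-Null
}
```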