mdmcnei
Contributor
Contributor

Remote Plugin Development: SOAP CloneSession() call returns session is not authenticated.

I am trying to develop a remove vCenter Web Client Plugin. I have successfully deployed the plugin and have gotten a valid cloneTicket back from Vcenter for the currently logged in session. I pass that cloneTicket to the remove server where I attempt to make the SOAP client call the SessionManager.CloneSession() function and pass it the cloneTicket in order to get a user session from which I can use the key.

The vCenter server errors with:  "Server raised fault: 'The session is not authenticated.'"

Well off course it isn't authenticated. That's what I'm trying to do by passing it a valid cloneTicket to CloneSession() so that I can make a single SOAP call back to vCenter with the one time use token.

I've seen in the pyvmomi sample code where there is code to convert python suds cookies over to pyvmomi session cookies. The comments in the pyvmomi code note that there is no way to connect to call the CloneSession() function on vCenter through pyvmomi  without having already been logged in. Is this actually true?

This seems like a chicken or the egg problem. How can I call CloneSession() without already being logged in? Because if I could be already logged then I wouldn't need to call CloneSession().

Any suggestions on what course to take to resolve this little puzzle?

0 Kudos
5 Replies
vedaniks
Contributor
Contributor

Hello @mdmcnei ,

Were you able to solve this? I am also trying to do the same thing.

Any help is appreciated.

 

Thanks!

0 Kudos
harsha219
Contributor
Contributor

are you able to get this solved? I'm also getting the same error.

0 Kudos
lamw
Community Manager
Community Manager

The expected behavior is described in the vSphere Client Plugin SDK[1]:

To authenticate by using the Web Services API, the plug-in server clones the user session that is currently in use by the plug-in user interface. This gives the plug-in server the same access rights as the user who is logged in with the vSphere Client.

This means that your plugin authenticates _when_ the end-user logs into vSphere UI and access your plugin, which is where the session will then be cloned from

1 - https://vdc-repo.vmware.com/vmwb-repository/dcr-public/91497cba-e580-415b-a84f-2840c1fb8119/71cc9624...

0 Kudos
harsha219
Contributor
Contributor

why doesn't the ServiceInstance class not available in vim25? If I'm using the code as given in that document, it is not able to import ServiceInstance and SessionManager classes. Which other jar file do I need to include?

0 Kudos
mdmcnei
Contributor
Contributor

I think that you are misunderstanding the question.

I have successfully deployed the plugin and have gotten a valid cloneTicket back from Vcenter for the currently logged in session. I pass that cloneTicket to the remove server where I attempt to make the SOAP client call the SessionManager.CloneSession() function and pass it the cloneTicket in order to get a user session from which I can use the key. The vCenter server errors with: "Server raised fault: 'The session is not authenticated.'"

Referencing the documentation link you provided, on page 94 I have successfully gotten through step 6. It is when I attempt to use this clone ticket that I have gotten from the logged in user session that the Web Client API complains that the current Web Client session isn't authenticated. 

Although I cannot find this in the VMware documentation anywhere, I speculate that you are required to already have a vCenter User defined and use that login/password combination to first establish your Web Client API session. I would assume that best practice would be to create the vCenter user to have 'No Access' but to a have valid username/password combo.  Use that account/password combo to login to the Web Client API for the initial session. Grab the clone ticket and get the key from the user. Then use that key to clone the user's session onto your Web Client session, i.e. the one with 'No Access'.

This would explain why there are vCenter users used by VMware's internal plugins like HA, etc. Users like kbrtgt, waiter, etc. exist for a reason and I assume that this is how it works. But we all know what happens when you assume. However, since I can't find any documentation on this process all of this is merely speculation.

It would be most appreciated if you were to provide actual documentation that spelled out this SOAP process. The Developing Remote Plug-ins guide only provides several lines of Java Code in an attempt to explain the SOAP interaction and none of the Java code is documented.

0 Kudos