VMware Cloud Community
GMCON
Enthusiast

Issue with vCO and PowerShell plug-in

I am currently using vRO 6.0 along with the PowerShell plug-in 1.0.5 and am having issues running workflows that execute Active Directory PowerShell scripts. My plug-in and PowerShell host are set up using Kerberos authentication http. I am able to successfully execute vRO PowerShell workflows that use the vSphere PowerCLI to connect to ESXi hosts to do certain things, and that works fine. I need to create PowerShell scripts, though, so I can connect to multiple different domain controllers to create objects on specific servers to overcome replication times. My scripts work fine; if I execute them locally on the host then everything is successful. If I try to execute the same script by calling it through vRO, I get the error stack below from the logs window on the workflow, and it fails within seconds. I have seen some posts about using CredSSP, but supposedly that is just if you can't use Kerberos. The host I am using is just a domain member, not a DC, but has the AD PowerShell modules loaded on it, and as I said the script executes perfectly fine as long as it is not executed through vRO. Any ideas would be greatly appreciated.

PowerShellInvocationError: Errors found while executing script

Microsoft.ActiveDirectory.Management.ADServerDownException: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running. ---> System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:59.9970000'. ---> System.IO.IOException: The read operation failed, see inner exception. ---> System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:59.9970000'. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

   at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)

   at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)

   --- End of inner exception stack trace ---

   at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)

   at System.ServiceModel.Channels.SocketConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)

   at System.ServiceModel.Channels.ConnectionStream.Read(Byte[] buffer, Int32 offset, Int32 count)

   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)

   at System.Net.Security.NegotiateStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)

   at System.Net.Security.NegotiateStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)

   at System.Net.Security.NegotiateStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)

   --- End of inner exception stack trace ---

   at System.Net.Security.NegotiateStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)

   at System.Net.Security.NegotiateStream.Read(Byte[] buffer, Int32 offset, Int32 count)

   at System.ServiceModel.Channels.StreamConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)

   --- End of inner exception stack trace ---

Server stack trace:

   at System.ServiceModel.Channels.StreamConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)

   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)

   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)

   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)

   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)

   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)

   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)

   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

4 Replies
DArndt
Enthusiast

The authentication is only to the local host and processes that run on that local host. To use the AD authentication when calling remote services you will need to set up CredSSP since it would be construed as a security risk if it was set up that way as default; there are policies you will need to enable to get it to work.

You can use this article to get it set up and working.

http://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/

One specific note is that it is actually not working with the PowerShell plug-in, but the article explains why and also how to work around it. I just went through this whole issue and have mentioned this to VMware product management; please take the time to let VMware know you would like this fixed also.

-Dave
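
The CredSSP setup described in the reply above, as an added example that is not part of the original post or the linked article: delegation is scoped to a single host rather than a wildcard, and the AD query runs in a nested CredSSP session so the credentials can reach the domain controller. The host names, the `$PsHost`/`$TargetDc` variables and the nested-session pattern are assumptions for illustration.

```powershell
# Added example. Host names are constructed placeholders, not values from the thread.
$PsHost   = 'pshost01.example.local'   # PowerShell host registered in vRO (placeholder)
$TargetDc = 'dc01.example.local'       # domain controller to query (placeholder)

# --- One-time setup on the PowerShell host, from an elevated prompt ---
# Accept delegated credentials in inbound WinRM sessions.
Enable-WSManCredSSP -Role Server -Force | Out-Null
# Allow delegating fresh credentials to this one host only, never to '*'.
Enable-WSManCredSSP -Role Client -DelegateComputer $PsHost -Force | Out-Null
# Review the resulting client and server CredSSP state.
Get-WSManCredSSP

# --- Inside the script that the workflow runs on the PowerShell host ---
# The Kerberos session opened by the plug-in is a network logon: it is valid on
# the PowerShell host but cannot be forwarded to AD Web Services on the DC.
# A nested session authenticated with CredSSP carries delegable credentials.
$cred = Get-Credential   # assumption: in a workflow, build a PSCredential from inputs

$users = Invoke-Command -ComputerName $PsHost -Credential $cred `
    -Authentication Credssp -ArgumentList $TargetDc -ScriptBlock {
        param($Dc)
        Import-Module ActiveDirectory
        # -Server pins the query to one DC, as the original poster needs.
        Get-ADUser -Filter * -Server $Dc -ResultSetSize 5 |
            Select-Object SamAccountName, DistinguishedName
    }
$users

# --- Rollback when CredSSP is no longer needed ---
# Disable-WSManCredSSP -Role Client
# Disable-WSManCredSSP -Role Server
```

CredSSP hands the full credential to the delegated host, so keep the `-DelegateComputer` list to the exact hosts that need it and review it with `Get-WSManCredSSP`.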

DLally
Enthusiast

So your article helped me out a lot. I've set up a client/host in separate domains and am able to invoke PowerShell scripts and external scripts. I'm just stuck at using CredSSP to authenticate to run PowerShell scripts against Active Directory.

I'm still getting this error:

Microsoft.ActiveDirectory.Management.ADServerDownException: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running. ---> System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:02:00'. ---> System.IO.IOException: The read operation failed, see inner exception.

matcmac
Contributor

Hi,

Have you found a solution without using CredSSP?

I have a script that does a Get-ADUser (only).

When I run it in the console or in ISE (same user account, same credential, etc.) it works.

But when I run it from vRO, I get the same error as yours (Unable to contact this server...).

Thanks for your help

mannu07
Contributor

Hi,

I'm facing a similar error while executing AD commands. Please let me know if you got a solution for this issue.

Thanks,

Manu
