VMware Cloud Community
JoelFC
Enthusiast

Connect-VIServer without prompting for user

Hello.

We have more than one vSphere, each with its own vCenter. When I connect to the Prod vCenter with Connect-VIServer, it just connects successfully using the currently logged-in user's credentials.

This behavior changes when connecting to the other vCenters. It prompts for a username and password. If I then insert the logged in user credentials, it connects successfully.

I need all of them to allow connecting with the logged-in user's credentials, especially because I need to run a script as a scheduled task, but it's not working for this reason.

Do you know how I can fix this?

Thank you!

18 Replies
LucD
Leadership

Did you already check KB2034506, more specifically point 1.c?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Tocano
Enthusiast

I also have multiple vSphere/vCenters. Is there some requirement why you have to use the credential passthru approach? I connect to each one using a clixml credential file. You can create them easily as follows:

Get-Credential | Export-Clixml [scriptsPath]\Credentials\[username].clixml



I then have a function (loaded in my profile) that will allow me to specify just a vcenter and a username:


function vConnect ($vCenterName,$credFileName) {

     Connect-Viserver $vCenterName -Credential (Import-clixml "[scriptsPath]\Credentials\$($credFileName).clixml")

}



So to connect, all I have to type is:


> vConnect [vCenterName] [username]


This provides me with some flexibility to connect to different vCenters as different users in different contexts with very little difficulty.


NOTE: Be aware that the clixml files are tied to a specific user account. Whichever user you are when you create them will be the only user who can use that clixml file. So plan accordingly.
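
The credential-file approach from this post, written out for an unattended scheduled task, as an added example that is not Tocano's code: it refuses to use the file if its ACL grants access to anyone beyond the task account, SYSTEM and Administrators, and reports the case where the file was exported by a different account. The path, the server names and the helper names Test-CredFileAcl and Import-VICredentialFile are assumptions.

```powershell
# Added example. The path and server names below are placeholders (assumptions).
$CredFile = 'C:\Scripts\Credentials\svc-vcenter.clixml'
$VCenters = 'vcenter01.example.com', 'vcenter02.example.com'

# One-time setup, run interactively AS THE ACCOUNT THAT RUNS THE SCHEDULED TASK:
#   Get-Credential | Export-Clixml -Path $CredFile

function Test-CredFileAcl {
    # Returns $true only if no account other than the current user, SYSTEM
    # and the local Administrators group has an Allow entry on the file.
    param([Parameter(Mandatory)][string]$Path)
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $allowed = @($me, 'S-1-5-18', 'S-1-5-32-544')
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $rules   = $acl.GetAccessRules($true, $true, $sidType)
    $extra   = @($rules | Where-Object {
                   $_.AccessControlType -eq 'Allow' -and
                   $allowed -notcontains $_.IdentityReference.Value })
    foreach ($rule in $extra) {
        Write-Warning "Unexpected access on ${Path}: $($rule.IdentityReference.Value)"
    }
    return ($extra.Count -eq 0)
}

function Import-VICredentialFile {
    # Hypothetical helper name; wraps Import-Clixml with the ACL check above.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-CredFileAcl -Path $Path)) {
        throw "Refusing to use ${Path}: other accounts can access it."
    }
    try {
        # On Windows the password is DPAPI-protected, so this fails when the
        # file was exported by a different user or on a different computer.
        $cred = Import-Clixml -LiteralPath $Path -ErrorAction Stop
    } catch {
        throw "Cannot load ${Path} as ${env:USERNAME}: $($_.Exception.Message)"
    }
    if ($cred -isnot [pscredential]) { throw "${Path} does not contain a PSCredential." }
    return $cred
}

$cred = Import-VICredentialFile -Path $CredFile
foreach ($vc in $VCenters) {
    $conn = Connect-VIServer -Server $vc -Credential $cred -ErrorAction Stop
    Write-Output "Connected to $($conn.Name) as $($conn.User)"
    Disconnect-VIServer -Server $conn -Confirm:$false
}
```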

JoelFC
Enthusiast

Hi.

I guess the mentioned KB isn't related. I'm not getting an error when I try to connect, nor does the description apply.

The thing is that when I connect to the vCenter by just typing "Connect-VIServer <servername.domain.com>" in PowerCLI, it connects successfully to one of the vCenters, without the need to type in any other info. But it does not connect automatically to the other vCenters; in this case it pops up a login window, which will successfully log in if I enter the logged-in user credentials manually. If I type nothing and just click OK on the login window, it returns the error "Could not determine user name and/or password for server".

So, the logged-in user has permissions, and the context login is a feature that should work.

I do not wish to use credential files. The purpose is to run a Windows scheduled job launching a PowerCLI script, using the credentials I set on the scheduled task. I've already configured this and it works for one vCenter, but not for the others, as per the described behavior.

The vCenter that works is a Windows vCenter 5.5. Of the other two that don't work, one is a vApp vCenter 5.5 and the other is a vApp vCenter 6.0.

Is there any setting to enable / disable the context user login? What could be preventing it from working?

Thank you.

JoelFC
Enthusiast

I found a lead.

If I connect using the -verbose switch, I get additional info. I get this on the console:

VERBOSE: Attempting to connect using SSPI

VERBOSE: Reversely resolved 'servername' to 'servername.dom.pt'

VERBOSE: SSPI Kerberos: Acquired credentials for user 'dom\username'

VERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host/servername.dom.pt'

VERBOSE: Cannot complete login due to an incorrect user name or password.

VERBOSE: Connect using SSPI was unsuccessful

What do you make of this?

Thank you.

LucD
Leadership

Well, it does look like an authentication issue.

The SSO has the concept of a default domain (as the KB explained).

For domains other than this, you'll have to specify the full user info.

Did you already try from a session (Windows) where you logged on with username@dom instead of dom\username?


JoelFC
Enthusiast

Hi Luc.

My last post from yesterday wasn't supposed to be deleted, but anyway...

I've tried your suggestion and attempted to run the task both with "domain\user" and "user@domain" for the Windows login, but still the same. I guess this is expected, because the pass-through should be sending the logged-in session to the vCenter server equally, regardless of the way you logged in to the Windows session in the first place. All that should matter is that the user can log in to Windows (and run PowerCLI), and has rights on the vSphere.

The vCenter on which pass-through credentials are working is a Windows vCenter, on which I'm attempting to run this automated job. Maybe it is working because I'm connecting to itself? I can't test connecting locally to the other vCenters on which pass-through doesn't work, because the others are not Windows vCenters, they're vApps.

As stated on many sites, if I just do "Connect-VIServer -Server vcenter01" it should connect naturally with the pass-through, but it doesn't.

The only clue I have is the verbose output from the previous post.

Any other thoughts?

LucD
Leadership

I'm not so sure that pass through will simply work in an SSO setup.

Point 1.c in the KB I referred to earlier mentions that as well (the concept of the default domain in SSO).

If that default domain is not set to the AD domain you are logged into, the pass through is not supposed to work afaik.


JoelFC
Enthusiast

I've checked and there is a funny thing.

The server that connects OK with pass-through has "localos" as the default domain, as does one of the servers that doesn't connect. I've set this one to the correct default domain but the issue is still there.

The third server that also doesn't connect already had the correct default domain. So I have different settings/behaviors that exclude each other.

Unfortunately this doesn't seem to be the issue yet.

If I decide to go with a credfile, what is the syntax to use it? I've created a credfile successfully but couldn't find out how to call it to establish the connection.

LucD
Leadership

JoelFC
Enthusiast

Just tested it successfully, I was able to connect using the credfile.

It really puzzles me why pass-through doesn't work for two of the servers. What credentials is it passing to the server, so it would fail?

I can't waste more time over this, so I'll go with the credfile.

I was avoiding it because even encrypted, it is still a password of a user with high permissions written to a file. Anyone with access to the credfile will be able to use it with PowerCLI and do anything.

Thank you for the help, Luc. :)

LucD
Leadership

Access to the file and access to the account that created the file


0Walt0
Contributor

When connecting to vCenter, I noticed that I have to use Connect-CIServer instead of Connect-VIServer, since they use separate networking protocols.

With that said, all commands that you would originally use, such as Get-VM, must now have CI prepended to the noun of the command, i.e. Get-CIVM.

If you try using Get-VM, then you'll just get an error that you're not connected to a server.

In addition, commands like Get-Template as used in vSphere to get any template will have, along with the prepended CI, different names, i.e. Get-CIVMTemplate.


Hope this helps!

LucD
Leadership

Isn't Connect-CIServer meant for Cloud servers?


0Walt0
Contributor

You're totally right, and I misread the post.

LucD
Leadership

No problem, happens to me as well ;)


JoelFC
Enthusiast

Access to the file and access to the account that created the file

You are right. I had to create the credfile with the same user that runs the job, otherwise it wouldn't work.

Thank you for the hint, as I didn't know this, and wouldn't understand why credfile didn't work at first.

MatthieuG
Contributor

Hi,

I had the same issue, maybe my configuration was different because I have External PSC, but this is what I've done to solve it.

For an unknown reason the VCSA was out of the AD domain, while the computer account was still visible in the Windows MMC.

Because my PSC was still properly in the AD domain, everything was fine for the Web Client; only PowerCLI was impacted.

Just follow this KB to put it back: The option to join vCenter Server Appliance 6.x to an Active Directory domain is unavailable in the ...

The command line /opt/likewise/bin/domainjoin-cli query shows an empty Domain.

I had to remove the computer account from the Windows MMC, because adding it directly gave me the error LW_ERROR_LDAP_INSUFFICIENT_ACCESS (code 0x00009d8b).

After that I just had to properly add the VCSA with /opt/likewise/bin/domainjoin-cli join domain.com Domain_Administrator Password

When the operation is a success the authentication is transparent again.

LucD
Leadership

Thanks for sharing that!

I'm wondering if this problem could be fixed from the AD side by resetting the secure channel to the VCSA.

Either through the netdom command or with the Reset-ComputerMachinePassword?

