31 Replies. Latest reply on Nov 8, 2017 12:27 PM by daphnissov

    vRO + PowerShell plugin --> Get-Tag failure

    jonathank71 Novice

      vCenter 6.5d and e (tested with single VCSA/PSCA and three linked VCSA and external PSCA)

      vRO 7.2.0.4629841 (built-in service in vRA 7.2.0.4659752, PS plugin @ 1.0.11)

      PS script host tested with Windows 2008R2 and 2016 (connected with HTTPS, WinRM, shared session, Kerberos, and a domain cert)

       

      Test script as follows:

      Import-Module vmware.VimAutomation.core

      Connect-VIServer -Server 'vcenter.company.loc' -User 'domain\account' -Password 'password'

      $TagList = Get-Tag

       

      Which results in:

      PowerShellInvocationError: Errors found while executing script

      Get-Tag : 8/8/2017 9:37:46 PM Get-Tag vSphere single sign-on failed for connection

      '/VIServer=domain\account@vcenter.company.loc:443/'. Future operations which require single sign-on on this

      connection will fail. The underlying cause was: The requested operation cannot be completed. The computer must be

      trusted for delegation and the current user account must be configured to allow delegation.

       

      That all being said... this worked prior to our upgrade to 6.5 from 6.0.  (and still does work to a 6.0 vCenter)  If I change the server name to a 6.0 vCenter in the connection string it works as expected.  6.5 vCenter.... errors.  What changed in the upgrade?

       

      Does anyone think a vRO update to 7.3 would help?

        • 1. Re: vRO + PowerShell plugin --> Get-Tag failure
          daphnissov Guru
          Community Warriors, vExpert

          What version of PowerCLI do you have on your PS host? Also, there is v1.0.13 of the PS plug-in you can use, not that I'd expect it to fix this.

          • 2. Re: vRO + PowerShell plugin --> Get-Tag failure
            jonathank71 Novice

            PowerCLI is 6.5.0.234.  (before and after the vSphere 6.5 upgrade)

             

            Didn't know there was an update for the PS plugin.  I'll give it a shot.  I don't have high hopes though.  Seems like a bug in the PowerCLI cmdlet and how tagging works now.  I thought I read a post that tagging changed fundamentally in the backend.

            • 3. Re: vRO + PowerShell plugin --> Get-Tag failure
              daphnissov Guru
              Community Warriors, vExpert

              Just to be on the latest, you should probably get PowerCLI 6.5.2. You must remove 6.5 before you install 6.5.1, but you can grab that from the PowerShell Gallery (Install-Module VMware.PowerCLI).

              • 4. Re: vRO + PowerShell plugin --> Get-Tag failure
                jonathank71 Novice

                Uninstalled PowerCLI and did an Install-Module on the scripthost.  It loaded and now reports: 6.5.2.6234650.

                 

                Still sad panda.  Same error message.  Going to try the plugin update as soon as I get a window in vRA.

                • 5. Re: vRO + PowerShell plugin --> Get-Tag failure
                  daphnissov Guru
                  vExpert, Community Warriors

                  Hmm. With that updated PowerCLI, can you manually connect to vCenter and do a Get-Tag?

                  • 6. Re: vRO + PowerShell plugin --> Get-Tag failure
                    jonathank71 Novice

                    Get-Tag has always worked from a PS console.  It's just when vRO kicks off the script in the scripthost that Get-Tag errors out.

                     

                    FWIW, I updated the PS plugin to .13 and the error remains.

                    • 7. Re: vRO + PowerShell plugin --> Get-Tag failure
                      igaydajiev Expert
                      VMware Employees

                      >The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.

                       

                      The PowerShell plugin makes the call remotely, which enforces a different security context compared to running it directly on the PS host machine.

                      You should receive the same error if you invoke the command remotely, for example by using the winrs or winrm client, and you use Kerberos authentication with delegation disabled.

                      Multi-Hop Support in WinRM (Windows)

                       

                      One option to overcome this issue is to use CredSSP authentication. Note that this authentication is not supported by the PS plugin directly.

                      Here is a blog post on how to overcome the multi-hop issue in vRO: Multi-hop | Spas Kaloferov's Blog

                      • 8. Re: vRO + PowerShell plugin --> Get-Tag failure
                        Uridium454 Novice

                        I have a couple of questions and a couple of links that may be of some help to you.

                         

                         

                        1) Are you able to run this script from your vRA PowerShell host using your creds?

                        2) If you are able to run as yourself, can you run it as a service account that would have the necessary access? (Please see link below for storing and using creds)

                         

                        Storing and using creds in PS - Storing Passwords to Disk in PowerShell with Machine-key Encryption | Tome's Land of IT

                         

                        #Example script for retrieving tags using the stored cred
                        # Load the RSA-encrypted password blob from disk
                        $encrypted = Import-Clixml 'C:\temp\do_not_delete.xml'

                        # 32-byte key passed to ConvertTo-SecureString -Key
                        $key = (1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1)

                        # Open the RSA key pair stored in the machine key store
                        $csp = New-Object System.Security.Cryptography.CspParameters
                        $csp.KeyContainerName = "SuperSecretProcessOnMachine"
                        $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
                        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 5120,$csp
                        $rsa.PersistKeyInCsp = $true

                        # Decrypt the blob and rebuild the credential object
                        $password = [char[]]$rsa.Decrypt($encrypted, $true) -join "" |ConvertTo-SecureString -Key $key
                        $cred = New-Object System.Management.Automation.PsCredential 'myDomain\tome',$password

                        # Load PowerCLI only if it is not already loaded
                        if(!(Get-Module VMware.VimAutomation.Core)){
                             Import-Module VMware.VimAutomation.Core
                        }

                        Connect-VIServer -Server 'vcenter.company.loc' -Credential $cred

                        $TagList = Get-Tag
                        $TagList

                         

                         

                        Retrieving the values in vRO will require a bit more work.  You could use the following to parse through the returning values.

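                        var result = output.getRootObject();
                        // Collect the results in an array so a single value and a list are handled the same way
                        var val = [];

                        if( Object.prototype.toString.call( result ) === '[object Array]' ) {
                            for each(var r in result){
                                  val.push(r);
                             }
                        }else{
                             val.push(result);
                        }

                        // Log one line per returned tag
                        for each(var v in val){
                             System.log("Tag Name: " + v);
                        }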

                         

                         

                        As igaydajiev mentioned in a previous reply, you will want to be using WinRM when you set up your PS host if you haven't already done so.  There are several blogs with the needed information out there.  The following was quite helpful to me when I set up my PS hosts - [vCO PowerShell plugin] How to set up and use Kerberos authentication - VMware vCenter Orchestrator Blog - VMware Blogs

                         

                        Hope this helps a bit, or at least gets you pointed in the correct direction.

                        • 9. Re: vRO + PowerShell plugin --> Get-Tag failure
                          jonathank71 Novice

                          My biggest red flag for this is that it was working in vCenter 6.0 and then stopped working in 6.5.  All things being the same, something changed in vCenter and how tagging works now.  And it's just the tagging functions in PowerCLI/vRO.  Everything else works as it did in 6.0.

                           

                          I've hard coded domain credentials as well as SSO creds.  Same error.

                           

                          WinRM is set up and functional and used elsewhere in the script/workflows.

                          CredSSP is also being used elsewhere without issue.  There is no parameter in Get-Tag to use CredSSP authentication.  There really shouldn't be a need for it.

                          The domain service account and both server AD objects are set for delegation.  (didn't need this before 6.5)

                           

                          Unless someone can verify that Get-Tag is working in a Powershell script called from the PowerShell plugin in vRO, I'm considering this a bug as I'm out of ideas and things to update/upgrade.

                           

                          I did manage to wrap Get-Tag in an Invoke-Command using CredSSP on localhost.  And that worked.  It's a bit of a pain and a kludge, but it's working.  I'm now creating a set of functions to replace the native tag cmdlets that work with a persistent pssession and CredSSP.
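
The workaround described in reply 9, running the tag cmdlet inside a CredSSP session so that the session holds credentials it can present on the second hop to vCenter, sketched as an added example (not jonathank71's functions and not VMware code). The function name and the host name `pshost.company.loc` are hypothetical, and the session is created per call here rather than kept persistent.

```powershell
# Added example, not from the thread. Names marked "hypothetical" are assumptions.
#
# One-time setup on the script host (elevated). Scope delegation to this one
# host instead of a wildcard, because CredSSP hands the account's credentials
# to whatever target is allowed here:
#   Enable-WSManCredSSP -Role Server -Force
#   Enable-WSManCredSSP -Role Client -DelegateComputer 'pshost.company.loc' -Force

function Get-TagViaCredSsp {            # hypothetical function name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ScriptHostFqdn,  # the PS host itself
        [Parameter(Mandatory)] [string]       $VIServer,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Loop back into the script host with CredSSP; -ErrorAction Stop surfaces
    # a missing CredSSP configuration here instead of later inside Get-Tag.
    $session = New-PSSession -ComputerName $ScriptHostFqdn `
                             -Authentication Credssp `
                             -Credential $Credential -ErrorAction Stop
    try {
        Invoke-Command -Session $session -ArgumentList $VIServer, $Credential -ScriptBlock {
            param($Server, $Cred)

            Import-Module VMware.VimAutomation.Core
            $vi = Connect-VIServer -Server $Server -Credential $Cred -ErrorAction Stop
            try {
                # Return plain properties; the caller receives deserialized
                # copies, not live tag objects.
                Get-Tag -Server $vi |
                    Select-Object Name,
                                  @{ Name = 'Category'; Expression = { $_.Category.Name } },
                                  Description
            }
            finally {
                Disconnect-VIServer -Server $vi -Confirm:$false
            }
        }
    }
    finally {
        # Do not leave a session holding delegated credentials open.
        Remove-PSSession -Session $session
    }
}

# Usage (prompts for the account instead of embedding a password in the script):
#   $cred = Get-Credential
#   Get-TagViaCredSsp -ScriptHostFqdn 'pshost.company.loc' -VIServer 'vcenter.company.loc' -Credential $cred
```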

                          • 10. Re: vRO + PowerShell plugin --> Get-Tag failure
                            flynmooney Enthusiast

                            We have been looking at upgrading since update 1 was released and I have a sandbox environment where I can reproduce the same error when running get-tag and get-tagassignment, however when I run get-vmhost or get-cluster through vRO it works just fine.  It appears to be only related to tags.

                            • 11. Re: vRO + PowerShell plugin --> Get-Tag failure
                              igaydajiev Expert
                              VMware Employees

                              Ok! This looks like a change in PowerCLI tagging functionality.

                               

                              Could you try the same vRO/PowerShell plugin against a different PS host running an older version of PowerCLI (the one that used to work before)?

                              Also, you can try to invoke the tagging functionality remotely with the winrm/winrs client; this should be pretty close to what vRO is doing.

                              • 12. Re: vRO + PowerShell plugin --> Get-Tag failure
                                Uridium454 Novice

                                Sorry for the delay.  Fly and I will give this a go tomorrow and get back to you with the results.

                                • 13. Re: vRO + PowerShell plugin --> Get-Tag failure
                                  jonathank71 Novice

                                  I got my Tag replacement functions functional and am retrofitting our scheduled script tasks as well as the vRO invoked scripts.

                                   

                                  Interesting side note, Get-Vm -Tag $TagObj works now.  At least it does in the Invoke-Command scriptblock using Credssp.

                                   

                                  I will be putting in an SR for this eventually.  I'll update this thread if anything comes of it.  I expect a fair amount of pushback since it's vRO/PowerShell.

                                   

                                  Thanks for everyone's input!

                                   

                                  Jonathan

                                  • 14. Re: vRO + PowerShell plugin --> Get-Tag failure
                                    flynmooney Enthusiast

                                    We've opened a ticket with VMware to dig into this. SR 17541052208
