12 Replies Latest reply on Dec 10, 2018 6:27 AM by pmwurst

    Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance

    Edukate Novice

      Hi

       

      I've created a simple script that connects to each of our vCenter Servers and obtains total number of VMs and Hosts and e-mails it to me once a month.  Until recently we had only vCenter 6 for Windows in our environment, however now we have introduced vCenter 6.5 Appliance in our environment.

       

      There are a few lines of code for each vCenter Server in the script, basically all it does is
      1. Connects to vCenter Server

      2. Obtains total number of VMs managed by the vCenter Server

      3. Saves it as a variable

      4. Obtains total number of hosts managed by the vCenter Server

      5. Saves it as a variable

      6. Disconnects from vCenter Server

       

      Above process is repeated for each vCenter Server, at the end the script will e-mail results.  The script is working just fine if we are connecting to vCenter 6.0 for Windows, however when it attempts to connect vCenter 6.5 Appliance it prompts for credentials.  If I enter the same credentials I'm logged on with it executes code for that vCenter Server and goes to the next one.  If next one is vCenter 6.5 Appliance it prompts for credentials again.

       

      vCenter 6 and vCenter 6.5 Appliance are configured the same, using the same default authentication domain which is an AD.

       

      PS Version is 5.1 Build 14409 Revision 1012 and PowerCLI 6.5.4.7155375

       

      Does anybody have any idea why this is happening with vCenter 6.5 Appliance?

        • 1. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
          LucD Guru

          Could you have some CredentialStoreItem entries for the old vCenter and not for the new VCSA?

          Check with Get-VICredentialStoreItem.

           

          Another possibility is that you didn't add the authentication domain, for example AD, to your VCSA's SSO.

          If you do the Connect-VIServer under an AD account, you need to have AD added as an authenticator domain, and you need to have added your current AD account as a Principal (or a group to which this account belongs).

          Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
          • 2. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
            Edukate Novice

            Thank you for your prompt response

             

            Thank you LucD for the prompt response.

             

            I've attached the script as is, as you can see it's pretty simple script and I'm not using any stored credentials.

             

            Interestingly the script is running fine if I manually execute it in installable PowerCLI 6.5.1 build 5377412. I'm not prompted for any credentials, it's using credentials I used to logon to the Server to connect to each VC Server.  However, if I execute the same script on the same Server using PowerShell console then I get prompted for credentials but only when attempting to connect to VCSAs not Windows instances.  Once credentials are supplied it executes the commands, moves to the next VCSA and prompts for credentials again.

             

            And just to confirm, Yes, both VCSAs and Windows instances are using the same AD domain for authentication and that same domain is default\primary authentication source across all SSOs.

             

             

            Get-Module -Name VMware* -ListAvailable | Import-Module

            # Get VM total for DatacentreA Resources VC6
            Connect-VIServer -Server RESVC60DCA.domain.com.au
            $TotalVMsDCAres6 = Get-VM
            $TotalVMsCountDCAres6 = $TotalVMsDCAres6.count
            Write-Host "There are $TotalVMsCountDCAres6 Virtual Machines in $DefaultVIServer"
            $TotalVMHostsDCAres6 = Get-VMHost
            $TotalVMHostsCountDCAres6 = $TotalVMHostsDCAres6.count
            Write-Host "There are $TotalVMHostsCountDCAres6 Hosts in $DefaultVIServer"
            Disconnect-VIServer * -Confirm:$false

            # Get totals for DatacentreA Management VC6
            Connect-VIServer -Server MGTVC60DCA.domain.com.au
            $TotalVMsDCAmgt6 = Get-VM
            $TotalVMsCountDCAmgt6 = $TotalVMsDCAmgt6.count
            Write-Host "There are $TotalVMsCountDCAmgt6 Virtual Machines in $DefaultVIServer"
            $TotalVMHostsDCAmgt6 = Get-VMHost
            $TotalVMHostsCountDCAmgt6 = $TotalVMHostsDCAmgt6.count
            Write-Host "There are $TotalVMHostsCountDCAmgt6 Hosts in $DefaultVIServer"
            Disconnect-VIServer * -Confirm:$false

            # Get VM total for DatacentreB Resources VC6
            Connect-VIServer -Server RESVC60DCB.domain.com.au
            $TotalVMsDCBres6 = Get-VM
            $TotalVMsCountDCBres6 = $TotalVMsDCBres6.count
            Write-Host "There are $TotalVMsCountDCBres6 Virtual Machines in $DefaultVIServer"
            $TotalVMHostsDCBres6 = Get-VMHost
            $TotalVMHostsCountDCBres6 = $TotalVMHostsDCBres6.count
            Write-Host "There are $TotalVMHostsCountDCBres6 Hosts in $DefaultVIServer"
            Disconnect-VIServer * -Confirm:$false

            # Get VM total for DatacentreB Management VC6
            Connect-VIServer -Server MGTVC60DCB.domain.com.au
            $TotalVMsDCBmgt6 = Get-VM
            $TotalVMsCountDCBmgt6 = $TotalVMsDCBmgt6.count
            Write-Host "There are $TotalVMsCountDCBmgt6 Virtual Machines in $DefaultVIServer"
            $TotalVMHostsDCBmgt6 = Get-VMHost
            $TotalVMHostsCountDCBmgt6 = $TotalVMHostsDCBmgt6.count
            Write-Host "There are $TotalVMHostsCountDCBmgt6 Hosts in $DefaultVIServer"
            Disconnect-VIServer * -Confirm:$false

            # Get VM total for DatacentreA Resources VC 6.5
            Connect-VIServer -Server RESVC65DCA.domain.com.au
            $TotalVMsDCAres65 = Get-VM
            $TotalVMsCountDCAres65 = $TotalVMsDCAres65.count
            Write-Host "There are $TotalVMsCountDCAres65 Virtual Machines in $DefaultVIServer"
            $TotalVMHostsDCAres65 = Get-VMHost
            $TotalVMHostsCountDCAres65 = $TotalVMHostsDCAres65.count
            Write-Host "There are $TotalVMHostsCountDCAres65 Hosts in $DefaultVIServer"
            Disconnect-VIServer * -Confirm:$false

            # Get totals for DatacentreA Management VC 6.5
            Connect-VIServer -Server MGTVC65DCA.domain.com.au
            $TotalVMsDCAmgt65 = Get-VM
            $TotalVMsCountDCAmgt65 = $TotalVMsDCAmgt65.count
            Write-Host "There are $TotalVMsCountDCAmgt65 Virtual Machines in $DefaultVIServer"
            $TotalVMHostsDCAmgt65 = Get-VMHost
            $TotalVMHostsCountDCAmgt65 = $TotalVMHostsDCAmgt65.count
            Write-Host "There are $TotalVMHostsCountDCAmgt65 Hosts in $DefaultVIServer"
            Disconnect-VIServer * -Confirm:$false

            # Get VM total for DatacentreB Resources VC 6.5
            Connect-VIServer -Server RESVC65DCB.domain.com.au
            $TotalVMsDCBres65 = Get-VM
            $TotalVMsCountDCBres65 = $TotalVMsDCBres65.count
            Write-Host "There are $TotalVMsCountDCBres65 Virtual Machines in $DefaultVIServer"
            $TotalVMHostsDCBres65 = Get-VMHost
            $TotalVMHostsCountDCBres65 = $TotalVMHostsDCBres65.count
            Write-Host "There are $TotalVMHostsCountDCBres65 Hosts in $DefaultVIServer"
            Disconnect-VIServer * -Confirm:$false

            # Get VM total for DatacentreB Management VC 6.5
            Connect-VIServer -Server MGTVC65DCB.domain.com.au
            $TotalVMsDCBmgt65 = Get-VM
            $TotalVMsCountDCBmgt65 = $TotalVMsDCBmgt65.count
            Write-Host "There are $TotalVMsCountDCBmgt65 Virtual Machines in $DefaultVIServer"
            $TotalVMHostsDCBmgt65 = Get-VMHost
            $TotalVMHostsCountDCBmgt65 = $TotalVMHostsDCBmgt65.count
            Write-Host "There are $TotalVMHostsCountDCBmgt65 Hosts in $DefaultVIServer"
            Disconnect-VIServer * -Confirm:$false

            # Email results to Virtualisation team
            $EmailTo = "emailaddress@doman.com.au"
            $EmailFrom = "powercli@doman.com.au"
            $EmailSubject = "Monthly Report - VM & Host Tally"
            $SMTPSRV = "mail.domain.com.au"
            Send-MailMessage -To $EmailTo -From $EmailFrom -Subject $EmailSubject -SmtpServer $SMTPSRV -Body "Total Number of VMs per VC
            RESVC60DCA = $TotalVMsCountDCAres6
            MGTVC60DCA = $TotalVMsCountDCAmgt6
            RESVC60DCB = $TotalVMsCountDCBres6
            MGTVC60DCB = $TotalVMsCountDCBmgt6
            RESVC65DCA = $TotalVMsCountDCAres65
            MGTVC65DCA = $TotalVMsCountDCAmgt65
            RESVC65DCB = $TotalVMsCountDCBres65
            MGTVC65DCB = $TotalVMsCountDCBmgt65`n`n
            Total Number of Hosts per VC
            RESVC60DCA = $TotalVMHostsCountDCAres6
            MGTVC60DCA = $TotalVMHostsCountDCAmgt6
            RESVC60DCB = $TotalVMHostsCountDCBres6
            MGTVC60DCB = $TotalVMHostsCountDCBmgt6
            RESVC65DCA = $TotalVMHostsCountDCAres65
            MGTVC65DCA = $TotalVMHostsCountDCAmgt65
            RESVC65DCB = $TotalVMHostsCountDCBres65
            MGTVC65DCB = $TotalVMHostsCountDCBmgt65"
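
Added example, not part of the original post or of any participant's code: the same monthly tally written as one loop that relies only on the logged-on Windows identity (no stored or inline credentials) and records a per-server error instead of stopping when a connection fails. Server names come from the post; the mail addresses and SMTP host are placeholders.

```powershell
# Added example. Server names are from the post; mail settings are placeholders.
$servers = 'RESVC60DCA','MGTVC60DCA','RESVC60DCB','MGTVC60DCB',
           'RESVC65DCA','MGTVC65DCA','RESVC65DCB','MGTVC65DCB'
$domain  = 'domain.com.au'

Get-Module -Name VMware* -ListAvailable | Import-Module

$report = foreach ($name in $servers) {
    $row = [pscustomobject]@{ Server = $name; VMs = $null; Hosts = $null; Error = $null }
    $vc  = $null
    try {
        # No -User/-Password/-Credential: pass-through (SSPI) authentication only.
        $vc = Connect-VIServer -Server "$name.$domain" -ErrorAction Stop
        # @() guarantees a Count even when zero or one object is returned.
        $row.VMs   = @(Get-VM -Server $vc).Count
        $row.Hosts = @(Get-VMHost -Server $vc).Count
    }
    catch {
        # Keep the failure in the report and carry on with the next vCenter.
        $row.Error = $_.Exception.Message
    }
    finally {
        # Disconnect only the session opened in this iteration.
        if ($vc) { Disconnect-VIServer -Server $vc -Confirm:$false }
    }
    $row
}

# Flag failures in the subject so a broken pass-through login is visible at a glance.
$failed  = @($report | Where-Object { $_.Error })
$subject = 'Monthly Report - VM & Host Tally'
if ($failed.Count) { $subject += " ($($failed.Count) connection failure(s))" }

$body = $report | Format-Table -AutoSize | Out-String
Send-MailMessage -To 'team@example.com' -From 'powercli@example.com' `
    -Subject $subject -SmtpServer 'mail.example.com' -Body $body
```

When this runs as a scheduled task, starting it with `powershell.exe -NonInteractive -File <script>` is assumed here to turn a credential prompt into an error that the `catch` block records, rather than a task that waits for input.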

            • 3. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
              LucD Guru

              There have been a couple of threads related to SSPI vs VCSA 6.5 in the last days.

              Can you check if any of the replies/questions in there can help?

              Connect-VIServer asks the credentials

              Connect-VIServer without prompting for user

              • 4. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
                Redhatcc Novice

                Assuming you are running this by clicking Powershell, have you tried right clicking > run as administrator then trying the script?

                • 5. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
                  Edukate Novice

                  Hi LucD

                   

                  Sorry about delayed response, long story short I was not able to respond earlier. 

                   

                  In my initial troubleshooting I came across both of the threads you suggested to look at and I've also read the mentioned KB article.

                   

                  The issue here is that I'm not having authentication issues when connecting to VCSA 6.5 via PowerCLI or directly via WebClient.  The issue is occurring only when attempting to do so when running the script in a PowerShell window or if the script is scheduled as a task in Windows Scheduling Service, which calls PowerShell command prompt and not PowerCLI.

                   

                  Also, the issue is not present if connecting to vCenter Server for Windows, however that version is 6.0.

                   

                  In both environments PSC servers are external and SSO is configured with same AD as primary authentication source.

                  • 6. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
                    Edukate Novice

                    Yes, the PowerShell window is run as Administrator, not that it should matter as it connects just fine to vCenter Server for Windows 6.0 but not to VCSA 6.5.

                    • 7. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
                      Edukate Novice

                      I've run this issue by our Windows gurus and after some further troubleshooting we came across a post by Alan Renouf, "Connect-VIServer fails to pass current logged on credentials to VC", where he explains the issue and points to VMware Knowledge Base KB2050701.

                       

                      As I'm told, what seems to be the issue is that VCSA itself is not AD domain member, so in order for it to use credentials it has to authenticate with AD.  However, if we added the appliance to the domain that is used as authentication source in SSO then it would be accepting passed-through credentials.

                       

                      I'll have to do some further testing on this in our UAT environment before I start making any drastic changes to our prod servers.

                      • 8. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
                        LucD Guru

                        Just some remarks/questions.

                        • that KB only goes to VCSA 6.0 not VCSA 6.5
                        • Alan's post mentions that the VC is in the domain, so there has been a join for the VC
                        • did you see the entry in the vpxd log that the KB is referring to
                        • does the Verbose switch provide any extra info
                        • 9. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
                          sspikent Novice

                          Edukate - Did you get anywhere with this? I'm having exactly the same issue here.

                          • 10. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
                            stevespike Novice

                            Ah,

                            Upgraded from

                            vCenter Server 6.5.0 build-7801515 to

                            vCenter Server 6.5.0 build-8024368

                             

                            and it stopped this behaviour for me.

                            • 11. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
                              MisterP81 Lurker

                              I have found the solution in my case, the VCSA wasn't joined to the domain and my PSC is external.

                              Common "mistake" it seems, since the option to join the appliance isn't showing in the GUI for the VCSA and one could assume that if the PSC is joined, it's ok, since it contains the SSO.

                              Please refer to this article in the VMware Knowledge Base to join the VCSA appliance itself to the AD.

                              After that I could do a connect-VIServer without having to enter my credentials again.

                              • 12. Re: Scripted Connect-VIServer prompts for credentials when connecting to vCenter 6.5 Appliance
                                pmwurst Lurker

                                Thanks a lot for your hint, MisterP81!!
                                We were facing the same scenario (VCSA 6.5 with external PSC joined to AD) and did not see that (for whatever reason) our VCSA was not updating its AD info / credentials using LW for 4 months...
                                Re-joining to AD and rebooting the VCSA helped and scripting is now possible again without creds-prompt.