8 Replies Latest reply on Feb 21, 2019 3:30 AM by Sanjuro

    connect-viserver not passing thru user credentials in Windows 2016

    GalNeb Enthusiast

      I have been fighting this for quite some time. When I run "connect-viserver servername" it will prompt me for the logon credentials on our Windows 2016 jump box, but it works just fine on our older 2008 jump boxes. PowerCLI is the latest version on both, and so is our VCSA 6.5 with external PSC. Both the VCSA and PSC are joined to the domain.

      I have boiled this down to an encryption problem. Due to DOD STIG (security) requirements, the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes is different in Windows 2016. In 2016 it is 7ffffff8, in 2008 it is 7ffffffc. Changing this value fixes the problem. This bit change controls RC4-HMAC. In other words, we have to enable RC4-HMAC to allow PowerCLI to properly pass through the credentials. This is not acceptable on soooo many levels.

      How do we get PowerCLI to properly pass through credentials without enabling RC4-HMAC?

        • 1. Re: connect-viserver not passing thru user credentials in Windows 2016
          LucD Guru

          In the about_server_authentication help page, the authentication process is described.

          The order:

          • User-Password/Credential
          • A single CredentialStoreItem
          • SSPI


          It's the last one (SSPI) that requires RC4-HMAC (see RFC 4757).

          And that is a Microsoft thing afaik, not something specific to PowerCLI.

          • 2. Re: connect-viserver not passing thru user credentials in Windows 2016
            GalNeb Enthusiast
            Yes, the SSPI is failing because RC4-HMAC is turned off by the registry key. So the question is how to make this work without using a protocol that is deemed insecure by about everyone in the world.
            • 3. Re: connect-viserver not passing thru user credentials in Windows 2016
              LucD Guru

              As I see it, this is more of a feature request than an issue.

              In a Windows environment the Connect-VIServer cmdlet has been using the SSPI mechanism provided by the OS.

              Since it is deemed insecure, that SSPI mechanism is disabled by many.

              So it will not work anymore.

              And there is no solution to still provide SSPI and avoid the insecure mechanism afaik.

              The same is true when you run that same Connect-VIServer on other platforms than Windows.

              I would suggest launching a new idea for this request on the PowerCLI Ideas site.

              • 4. Re: connect-viserver not passing thru user credentials in Windows 2016
                GalNeb Enthusiast

                I did as you suggested and created a request on the PowerCLI site in early October. Now it is the end of December and there has been no response from anyone on the PowerCLI team. I don't know if they are paying any attention to that suggestion site or not.

                • 5. Re: connect-viserver not passing thru user credentials in Windows 2016
                  LucD Guru

                  There are quite a number of ideas on that site, and not all of them have the same number of people backing them (votes).
                  And most probably some of these ideas require serious resources to implement.

                  The PowerCLI Team does implement some of these over time, but it depends on several factors.

                  You could try to contact the PowerCLI PM directly and plead your case.
                  Are you on VMware{code} Slack in the PowerCLI channel?

                  The PM is on there as well.
                  Otherwise reach out via your TAM.

                  I'm not working for VMware, so I can't use any of their internal channels I'm afraid.

                  • 6. Re: connect-viserver not passing thru user credentials in Windows 2016
                    ChuckVA Lurker

                    Me too.

                    RC4-HMAC disabled.

                    Windows 2012

                    SSPI Kerberos Error Code : 0x80090342

                    Better yet (worse), I am not able to authenticate with Smart Card (CAC).

                    User name and password required.

                    • 7. Re: connect-viserver not passing thru user credentials in Windows 2016
                      Sanjuro Novice

                      GalNeb,

                      Same environment and same issue. The fix was a combination of things:

                      The AD accounts for both your 2016 jumpboxes, your vCenter and PSC must be set to allow for Kerberos authentication encryption in AD. This is also required for your service/user accounts. The user accounts are easy to do. All you have to do for them is open up the account properties and click on the Account tab. In the Account options scroll down and tick the boxes for "This account supports Kerberos AES 128 bit encryption." and "This account supports Kerberos AES 256 bit encryption." That's it for the users. The AD accounts need to be done with PowerShell. Below are the check script and the fix script:

                      Check:

                      # Lists the computer objects under the OU with their encryption-type attribute.
                      # Replace the <...> placeholders with your OU and domain components.
                      Get-ADComputer -Filter * -SearchBase "OU=<your OU>,DC=<your domain path>" -Properties msDS-SupportedEncryptionTypes,KerberosEncryptionType | Select-Object Name,msDS-SupportedEncryptionTypes,KerberosEncryptionType | Sort-Object msDS-SupportedEncryptionTypes | Format-Table

                      The output will list the computer objects in your OU and their Kerberos encryption type. When you create a computer account manually this creates a blank value in this field, so you have to run the bottom command to set them to AES 128 and AES 256.

                      # Sets the attribute to 24 (AES128 + AES256) on one computer account.
                      Set-ADComputer -Identity "YourComputerName" -Replace @{"msDS-SupportedEncryptionTypes"="24"}

                      I'm sure LucD could come up with a script for multiple systems. If you set the above value to "28" then that will forcefully include AES 128, AES 256 and RC4. "24" is just the AES 128 and 256.

                      You need to make sure you make this change to the jumpbox and the vCenter and PSC appliance AD computer accounts.

                      Hope this helps. It was the fix for our stuff.
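Added example, not code from this thread or from VMware/PowerCLI: the registry value in the original question (7ffffff8 vs 7ffffffc) and the attribute values in reply 7 (24 vs 28) are the same Kerberos encryption-type bitmask, so one decoder explains both, and the "script for multiple systems" mentioned above is an audit over an OU with a dry-run option. The function names, the OU distinguished name and the `-Fix` switch are my own; the audit part assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example (not from the thread). Decodes the Kerberos encryption-type
# bitmask shared by the AD attribute msDS-SupportedEncryptionTypes and the
# HKLM\...\Kerberos\Parameters\SupportedEncryptionTypes policy value, then
# audits the computer objects in an OU for AES support.

# Microsoft's documented bit assignments for Kerberos encryption types.
$script:KerberosEncryptionTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function ConvertFrom-KerberosEncryptionTypes {
    # Turns a raw bitmask (attribute value or registry DWORD) into a report of
    # which encryption types it enables. A null attribute is reported as "not set"
    # (the blank value that reply 7 describes for hand-created computer accounts).
    param(
        [Parameter(ValueFromPipeline)]
        [AllowNull()]
        [object]$Value
    )
    process {
        $bits = if ($null -eq $Value) { 0 } else { [int64]$Value }
        $enabled = @(
            foreach ($name in $script:KerberosEncryptionTypeBits.Keys) {
                if ($bits -band $script:KerberosEncryptionTypeBits[$name]) { $name }
            }
        )
        $aesMask = 0x08 -bor 0x10
        [pscustomobject]@{
            Raw       = $bits
            Hex       = '0x{0:x}' -f $bits
            Enabled   = $enabled
            AllowsRC4 = [bool]($bits -band 0x04)
            AllowsAES = [bool]($bits -band $aesMask)
            IsSet     = ($bits -ne 0)
        }
    }
}

# The two registry values from the original question: only bit 0x4 (RC4-HMAC) differs.
0x7ffffffc, 0x7ffffff8 | ConvertFrom-KerberosEncryptionTypes |
    Format-Table Hex, AllowsRC4, AllowsAES, Enabled

# The two attribute values from reply 7: 24 = AES128 + AES256, 28 = the same plus RC4.
24, 28 | ConvertFrom-KerberosEncryptionTypes | Format-Table Raw, AllowsRC4, Enabled

function Invoke-KerberosAesAudit {
    # Lists computer objects under $SearchBase whose attribute lacks AES and, with
    # -Fix, sets them to 24 (AES128 + AES256, the value reply 7 uses). Honours
    # -WhatIf, so "-Fix -WhatIf" previews the change without applying it.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [switch]$Fix,
        [int]$Desired = 24
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties msDS-SupportedEncryptionTypes |
        ForEach-Object {
            $state = ConvertFrom-KerberosEncryptionTypes $_.'msDS-SupportedEncryptionTypes'
            if (-not $state.AllowsAES) {
                $applied = $false
                if ($Fix -and $PSCmdlet.ShouldProcess($_.Name, "Set msDS-SupportedEncryptionTypes=$Desired")) {
                    Set-ADComputer -Identity $_ -Replace @{ 'msDS-SupportedEncryptionTypes' = $Desired }
                    $applied = $true
                }
                [pscustomobject]@{
                    Name    = $_.Name
                    Current = if ($state.IsSet) { $state.Hex } else { '(not set)' }
                    Enabled = ($state.Enabled -join ',')
                    Fixed   = $applied
                }
            }
        }
}

# Dry run against a placeholder OU; drop -WhatIf to apply the change.
# Invoke-KerberosAesAudit -SearchBase 'OU=Jumpboxes,DC=example,DC=test' -Fix -WhatIf
```

Decoding the two registry values side by side shows why flipping one bit "fixes" the original problem: 7ffffffc and 7ffffff8 differ only in bit 0x4, which is RC4-HMAC, and both already have the AES bits (0x08 and 0x10) set. The audit reports accounts where the attribute is blank or lacks AES, and only writes when `-Fix` is given and `ShouldProcess` confirms, so it can be run read-only first against the jumpbox, vCenter and PSC computer accounts that reply 7 says need the change.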

                      • 8. Re: connect-viserver not passing thru user credentials in Windows 2016
                        Sanjuro Novice

                        I made a mistake in the check script in the select fields area. It should read:

                        Select Name, msDS-SupportedEncryptionTypes, KerberosEncryptionType