Hi all,
I'm just trying to get my first workflow to run, but already stuck....
I would like to call a powershell script that uses the NetApp cmdlet "Connect-NAServer" which needs a PSCredential as input.
I'm using the following code to generate the PS script:
script = " \n"
+ "Import-Module 'DataOntap' \n"
+ "$NAUser = '" + NAUser + "' \n"
+ "$NAPass = '" + NAPassword + "' | ConvertTo-SecureString -AsPlainText -Force \n"
+ "$NAControllers = @(" + NAControllers + ") \n"
+ "$NAcred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $NAuser,$NApass \n"
+ "ForEach ($NAController in $NAControllers) { \n "
+ "Connect-NaController $NAController -HTTP -Credential $NAcred \n"
+ "} \n";
After that I call the script as follows:
try {
    session = PSHost.openSession();
    output = System.getModule("com.vmware.library.powershell").invokeScript(PSHost, script, session.getSessionId());
} finally {
    if (session) {
        PSHost.closeSession(session.getSessionId());
    }
}
NAPassword is an attribute of the workflow, linked to a configuration element (of type SecureString).
This always results in this error: "System.Security.Cryptography.CryptographicException: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation."
I already tried to enable delegation in AD for the powershell host. ("Trust this computer for delegation to any service (Kerberos only)"), but still no luck.
Any ideas, what is happening here?
Regards, Stefan
P.S.: The connection to the powershell host is configured to use Kerberos authentication - shared authentication.
A bunch of people are having similar issues which are UAC related. Check my answer in this post to determine if your access levels are UAC bound.
Thanks for your answer!
UAC is disabled on all our systems. So I don't think it can be related to it.
Stefan
Hi,
I often ran powershell scripts from my workflows and it's a mess. The powershell plugin never works as you want.
What are you planning to do? Call a powershell script directly and parse some parameters to it?
From my point of view it is not a vCO related issue, you should post this to a powershell forum.
Are you allowed to start the script remotely from any other windows client?
What I do is call a cmd and parse parameters to it first and then call the powershell script locally from the cmd.
This works for me fine and never had problems after doing this.
Benefit is quite simple, if you run a process on the guest OS by vCenter API, you don't need a trusted user which is going to be authenticated. You just need local permissions to start the process.
Manuel
As Manupa mentioned, most likely it is not vCO related but is caused by powershell remoting being used.
Using powershell remotely has some restrictions, especially when dealing with credentials. A common one is the so-called "double hop" or "multi hop" issue.
You can also check this post that recently got resolved; it can provide you with some hints:
The issue I had was ConvertTo-SecureString using the PSH Plugin - Worked no issue double hopping outside of vCO but after a week of testing I gave up and had read in a few places it isn't supported.
I now use this which works perfectly:
Storing Passwords to Disk in PowerShell with Machine-key Encryption | Tome's Land of IT
Similar to what QLD referred, but a little bit more streamlined and usable: http://d-fens.ch/2013/10/24/vco-powershell-plugin-import-clixml-fails-with-system-security-cryptogra... the advantage is to use the same semantics as you do with 'Import-CliXml' and 'Export-CliXml' and you still end up with a PSCredential object.
function Import-Credential{
    [CmdletBinding(
        SupportsShouldProcess=$true,
        ConfirmImpact="Low",
        HelpURI='http://dfch.biz/PS/System/Utilities/Export-Credential/'
    )]
    Param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $True, Position = 0)]
        [string] $Path
        ,
        [Parameter(Mandatory = $false, Position = 1)]
        [string] $KeyPhrase = [NullString]::Value
    )
    [Boolean] $fReturn = $false;
    $OutputParameter = $null;
    try {
        # Parameter validation
        # N/A
        if($PSCmdlet.ShouldProcess($Path)) {
            $Credential = Import-CliXml $Path;
            if($KeyPhrase) {
                # Pad or truncate the key phrase to 32 characters and use its UTF-8 bytes as the key
                $KeyPhrase = $KeyPhrase.PadRight(32, '0').Substring(0, 32);
                $Enc = [System.Text.Encoding]::UTF8;
                $k = $Enc.GetBytes($KeyPhrase);
                # The stored password is a key-encrypted string; turn it back into a SecureString
                $Credential.Password = $Credential.Password | ConvertTo-SecureString -Key $k;
                $Credential = New-Object System.Management.Automation.PSCredential(
                    $Credential.Username, $Credential.Password);
            } else {
                # No key phrase: the file holds a regular Export-CliXml credential
                $Credential = Import-CliXml $Path;
            } # if
            $fReturn = $true;
            $OutputParameter = $Credential;
        } # if
    } # try
    catch {
        # ...
    } # catch
    finally {
        # ...
    } # finally
    return $OutputParameter;
} # Import-Credential
and reverse:
function Export-Credential{
    [CmdletBinding(
        SupportsShouldProcess=$true,
        ConfirmImpact="Low",
        HelpURI='http://dfch.biz/PS/System/Utilities/Export-Credential/'
    )]
    Param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string] $Path
        ,
        [Parameter(Mandatory = $true, ValueFromPipeline = $True, Position = 1)]
        [Alias('Credential')]
        [PSCredential] $InputObject
        ,
        [Parameter(Mandatory = $false, Position = 2)]
        [string] $KeyPhrase = [NullString]::Value
    )
    [Boolean] $fReturn = $false;
    $OutputParameter = $null;
    try {
        # Parameter validation
        # N/A
        if($KeyPhrase) {
            Write-Debug "Creating KeyPattern from Keyphrase ...";
            # Pad or truncate the key phrase to 32 characters and use its UTF-8 bytes as the key
            $KeyPhrase = $KeyPhrase.PadRight(32, '0').Substring(0, 32);
            $Enc = [System.Text.Encoding]::UTF8;
            $k = $Enc.GetBytes($KeyPhrase);
            Write-Debug "Encrypting password ...";
            # Copy the credential's properties so Password can be replaced by the key-encrypted string
            $Cred = Select-Object -Property '*' -InputObject $InputObject;
            $Cred.Password = ConvertFrom-SecureString -SecureString $Cred.Password -Key $k;
        } else {
            $Cred = $InputObject;
        } # if
        if($PSCmdlet.ShouldProcess( ("Cred.Username '{0}' to '{1}'" -f $Cred.Username, $Path) )) {
            Write-Debug "Saving PSCredential ...";
            $OutputParameter = Export-CliXml -Path $Path -InputObject $Cred -WhatIf:$false -Confirm:$false;
            $fReturn = $true;
        } # if
    } # try
    catch {
        # ...
    } # catch
    finally {
        # ...
    } # finally
    return $OutputParameter;
} # Export-Credential
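The functions above build the encryption key by padding a key phrase with '0' characters, so a short phrase gives a mostly predictable key. The following is an added example, not code from any poster or from the linked blog: it uses the same ConvertFrom-SecureString/ConvertTo-SecureString -Key mechanism with a random 256-bit key kept in an ACL-restricted file. The function names and the C:\Secure paths are hypothetical.

```powershell
# Added example; function names and the paths in the usage notes are hypothetical.
# Use absolute paths: [System.IO.File] resolves relative paths against the process directory.
function New-CredentialKey {
    param([Parameter(Mandatory)][string] $KeyPath)
    $key = New-Object byte[] 32                      # 256-bit key
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    [System.IO.File]::WriteAllBytes($KeyPath, $key)
    # Drop inherited ACEs and leave read access for the current account only
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    & icacls.exe $KeyPath /inheritance:r /grant:r "${me}:(R)" | Out-Null
}

function Save-KeyedCredential {
    param(
        [Parameter(Mandatory)][pscredential] $Credential,
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $KeyPath
    )
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    [pscustomobject]@{
        UserName = $Credential.UserName
        Password = ConvertFrom-SecureString -SecureString $Credential.Password -Key $key
    } | Export-Clixml -Path $Path
}

function Read-KeyedCredential {
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $KeyPath
    )
    $key    = [System.IO.File]::ReadAllBytes($KeyPath)
    $stored = Import-Clixml -Path $Path
    $secure = ConvertTo-SecureString -String $stored.Password -Key $key
    New-Object System.Management.Automation.PSCredential($stored.UserName, $secure)
}

# Constructed usage. Run once, interactively, on the PowerShell host as the account the plugin uses:
#   New-CredentialKey -KeyPath 'C:\Secure\na.key'
#   Save-KeyedCredential -Credential (Get-Credential) -Path 'C:\Secure\na.xml' -KeyPath 'C:\Secure\na.key'
# Then, inside the script sent through the plugin, no plaintext password appears in the script text:
#   $NAcred = Read-KeyedCredential -Path 'C:\Secure\na.xml' -KeyPath 'C:\Secure\na.key'
```

Anyone who can read both the key file and the credential file can recover the password, so both belong in a directory readable only by the account that runs the script.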
Here is some more guidance that might help
Blog post "Using CredSSP with the vCO PowerShell Plugin"