I uninstalled my old PowerCLI 6.5, rebooted, then installed 11.1 as described in the link below by running PowerShell with "Run as administrator"...
PowerShell Gallery | VMware.PowerCLI 11.1.0.11289667
Now every time I do a Connect-VIServer I get prompted for credentials aka no passthrough authentication.....
NOTE: I do not have any cached credentials.
Here are my versions of PowerShell and PowerCLI....
PS C:\Windows\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.1944
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.1944
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

PS C:\Windows\system32> get-module -name VMware*

ModuleType Version    Name                             ExportedCommands
---------- -------    ----                             ----------------
Script     6.7.0.1... VMware.Vim
Script     11.0.0.... VMware.VimAutomation.Cis.Core    {Connect-CisServer, Disconnect-CisServer, Get-CisService}
Script     11.0.0.... VMware.VimAutomation.Common
Script     11.0.0.... VMware.VimAutomation.Core        {Add-PassthroughDevice, Add-VirtualSwitchPhysicalNetworkAdapter, Add-VMHost, Add-VMHostNtpServer...}
Script     11.0.0.... VMware.VimAutomation.Sdk         {Get-ErrorReport, Get-InstallPath, Get-PSVersion}

Anyone know the fix?
You can create a CredentialStoreItem with New-VICredentialStoreItem
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Stored creds are not allowed. We operate under what is called "Privileged Account Management" where we do not know what our elevated user password is AND the password rolls/changes every 24hrs.
Sorry, I probably should have mentioned that in the OP.
Are the SSO accounts you use to connect to the vSphere server also under this regime?
Those would be the ones that you store as a CredentialStoreItem
In fact what do you enter to connect?
Your AD account?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
"Are the SSO accounts you use to connect to the vSphere server also under this regime?"
Yes and those are the only creds we can use.
"In fact what do you enter to connect?"
Nothing........lol
Seriously, no creds used to log in for our elevated account..
Here's how it works.
We have our regular account and our "Admin elevated" account is tied to it.
We have an RDP portal "Devolutions" or a web interface using 2 factor auth and we authenticate to it with regular user accounts. Once authenticated we can RDP to our "Jump server" that has all our tools installed. The portal automatically opens our RDP session using our elevated creds. We do not type in a username or password for the RDP session. It uses our elevated creds of which we do not know the password.
Now once logged into our jump server everything in there uses our elevated accounts and passthrough auth works for most everything that is designed to use passthrough authentication.
PowerCLI 6.5 worked fine before upgrading. The vCenter server and the platform server authenticated perfectly fine before upgrading.
Confusing........I know. 😛
Can you add -Verbose on the Connect-VIServer?
Anything about SSPI in the verbose messages?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Here's the output....
Below are the results of hitting cancel at the prompt. NOTE I do not have a password for it.
PS C:\Windows\system32> Connect-VIServer <MyvCenterServer> -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Could not establish trust relationship for the SSL/TLS secure channel with authority '<MyvCenterServer>'.
VERBOSE: Connect using SSPI was unsuccessful
Connect-VIServer : 2/15/2019 10:05:12 AM Connect-VIServer Could not determine user name and/or password for server<MyvCenterServer>
At line:1 char:1
+ Connect-VIServer <MyvCenterServer> -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-VIServer], ViServerConnectionException
+ FullyQualifiedErrorId : ViCore_Login_CredentialNotFound,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer
Below are the results of typing in a random set of credentials with the expectation it will fail....
PS C:\Windows\system32> Connect-VIServer <MyvCenterServer> -Verbose
VERBOSE: Attempting to connect using SSPI
VERBOSE: Could not establish trust relationship for the SSL/TLS secure channel with authority '<MyvCenterServer>'.
VERBOSE: Connect using SSPI was unsuccessful
VERBOSE: Could not establish trust relationship for the SSL/TLS secure channel with authority '<MyvCenterServer>'.
Connect-VIServer : 2/15/2019 10:07:04 AM Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you'd like to
connect once or to add a permanent exception for this server.
Additional Information: Could not establish trust relationship for the SSL/TLS secure channel with authority '<MyvCenterServer>'.
At line:1 char:1
+ Connect-VIServer <MyvCenterServer> -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Connect-VIServer], ViSecurityNegotiationException
+ FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_CertificateError,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer
PS C:\Windows\system32>
Did you configure PowerCLI to ignore invalid certificates?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
No. Should I?
I did it anyway just now and it works!
Is that a permanent setting? Or will I need to run that on every execution?
Thanks
Normally, PowerCLI saves that in an XML file in your profile.
Plus you can do this for multiple scopes: AllUsers, User and Session.
See the help page for Set-PowerCLIConfiguration to find an explanation of the different scopes.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
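
Added example, not posted by anyone in this thread: the verbose output above shows the SSPI attempt failing at the TLS trust check, so this PowerShell reports why Windows rejects the vCenter certificate and then lists the InvalidCertificateAction value at each scope. `Get-TlsTrustReport` is a hypothetical helper and `vcenter.example.local` is a placeholder host name; TLS 1.2 on port 443 is assumed.

```powershell
# Added example. Get-TlsTrustReport is a hypothetical helper, not a PowerCLI cmdlet.
function Get-TlsTrustReport {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $seen = @{ PolicyErrors = 'NotEvaluated'; ChainStatus = @() }
    # The callback records what Windows objects to, then accepts the certificate so the
    # handshake completes. Nothing is sent over the stream; it is closed right after.
    $record = {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $seen.PolicyErrors = $sslPolicyErrors.ToString()
        $seen.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$record

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    [pscustomobject]@{
        Host         = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        PolicyErrors = $seen.PolicyErrors            # 'None' means chain and name both validate
        ChainStatus  = ($seen.ChainStatus -join ', ')
    }
}

# Placeholder host name: replace with the name you pass to Connect-VIServer.
Get-TlsTrustReport -HostName 'vcenter.example.local' | Format-List

# RemoteCertificateChainErrors: the issuing CA is not in this machine's trust stores.
# RemoteCertificateNameMismatch: the name used to connect is not in the certificate.
# Fixing those keeps InvalidCertificateAction at its default. If the check is relaxed
# instead, Session scope limits it to the current PowerShell process:
#   Set-PowerCLIConfiguration -Scope Session -InvalidCertificateAction Ignore -Confirm:$false
# User and AllUsers scopes persist across sessions. Review what is set where:
Get-PowerCLIConfiguration | Format-Table Scope, InvalidCertificateAction
```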