Stored creds are not allowed. We operate under what is called "Privileged Account Management" where we do not know what our elevated user password is AND the password rolls/changes every 24hrs.

Sorry, I probably should have mentioned that in the OP.

Are the SSO accounts you use to connect to the vSphere server also under this regime?
Those would be the ones that you store as a CredentialStoreItem

In fact what do you enter to connect?
Your AD account?

"Are the SSO accounts you use to connect to the vSphere server also under this regime?"

Yes and those are the only creds we can use.

"In fact what do you enter to connect?"

Nothing........lol

Seriously, no creds used to log in for our rlevated account..

Here's how it works.

We have our regular account and our "Admin elevated" account is tied to it.

We have an RDP portal "Devolutions" or a web interface using 2 factor auth and we authenticate to it with regular user accounts. Once authenticated we can RDP to our "Jump server" that has all our tools installed. The portal automatically opens our RDP session using our elevated creds. We do not use type in username or password to the RDP session. It uses our elevated creds of which we do not know the password.

Now once logged into our jump server everything in there uses our elevated accounts and passthrough auth works for most everything that is designed to use passthrough authentication.

PowerCLI 6.5 worked fine before upgrading. The vCenter server and the platform server authenticated perfectly fine before upgrading.

Confusing........I know. 😛

Can you add -Verbose on he Connect-VIServer?

Anything about SSPI in the verbose messages?

Here's the output....

Below are the results of hitting cancel at the prompt. NOTE I do not have a password for it.

PS C:\Windows\system32> Connect-VIServer <MyvCenterServer> -Verbose

VERBOSE: Attempting to connect using SSPI

VERBOSE: Could not establish trust relationship for the SSL/TLS secure channel with authority '<MyvCenterServer>'.

VERBOSE: Connect using SSPI was unsuccessful

Connect-VIServer : 2/15/2019 10:05:12 AM    Connect-VIServer        Could not determine user name and/or password for server<MyvCenterServer>   

At line:1 char:1

+ Connect-VIServer <MyvCenterServer> -Verbose

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], ViServerConnectionException

    + FullyQualifiedErrorId : ViCore_Login_CredentialNotFound,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer

Below are the results of typing in a random set of credentials with the expectation it will fail....

PS C:\Windows\system32> Connect-VIServer <MyvCenterServer> -Verbose

VERBOSE: Attempting to connect using SSPI

VERBOSE: Could not establish trust relationship for the SSL/TLS secure channel with authority '<MyvCenterServer>'.

VERBOSE: Connect using SSPI was unsuccessful

VERBOSE: Could not establish trust relationship for the SSL/TLS secure channel with authority '<MyvCenterServer>'.

Connect-VIServer : 2/15/2019 10:07:04 AM    Connect-VIServer        Error: Invalid server certificate. Use Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you'd like to

connect once or to add a permanent exception for this server.

Additional Information: Could not establish trust relationship for the SSL/TLS secure channel with authority '<MyvCenterServer>'.   

At line:1 char:1

+ Connect-VIServer <MyvCenterServer> -Verbose

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : SecurityError: (:) [Connect-VIServer], ViSecurityNegotiationException

    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_CertificateError,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer

PS C:\Windows\system32>

No. Should I?

I did it anyway just now and it works!

Is that a permanent setting? Or will I need to run that on every execution?

Thanks

Normally, PowerCLI saves that in a XML file in your profile.

Plus you can do this for multiple scopes: AllUsers, User and Session.

See the help page for Set-PowerCLIConfiguration to find an explanation of the different scopes.