I have a script that uses integrated security, as in the user account that creates the PSSession. It then connects via PowerCLI to a list of vCenters. Is there a way for the Connect-VIServer command to fail if the user account does not have access, and not prompt for credentials?
Or is there a way of validating the user account before connecting? Something like "test-viaccess"?
I would prefer that the script throw an error that I can manage, rather than hang 🙂
Many thanks,
Carl
Add -ErrorAction Stop to your Connect-VIServer cmdlet.
Then place it in a Try-Catch construct, that way you will "catch" the terminating exception, and the script can stop (exit) or continue (comment out the exit).
try {
    Connect-VIServer -Server $vcsa -Credential $cred -ErrorAction Stop
}
catch {
    Write-Error "The connection failed"
    Exit
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Many thanks LucD and for the quick reply.
I think the problem is, it doesn't fail, it hangs prompting for credentials 😞
try {
    Connect-VIServer -Server $vcsa -ErrorAction Stop
} catch {
    $errMessages += "Failed to connect to $vcsa"
    continue
}
I am running the above as I can't ask for username/password to create $cred, I need to use the integrated security of the pssession.
Carl
That could be a TLS or certificate issue.
What do you see when you add a Verbose switch to the Connect-VIServer?
Does it mention not being able to establish a secure channel?
Try setting InvalidCertificateAction to Ignore with the Set-PowerCLIConfiguration cmdlet.
Or better yet, make sure the certificate is installed and added to trusted root certificates.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Again, thanks for getting back 🙂
I have the script creating a transcript and -verbose doesn't show anything, as the command/script unfortunately hangs prompting for credentials 😞
Certificates are valid and ignore certificates is set. I can connect when using my credentials when creating the PSSession, but it hangs when using the "script" account.
It's how do I stop connect-viserver prompting for credentials, if the user account doesn't have the integrated/passthru rights to connect.
Carl
So are you in fact asking how to detect if the current user falls under Integrated Windows Authentication (IWA)?
Before trying to connect to the vCenter.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes 🙂
As you say, can I try before connecting or have connect-viserver fail and not prompt for creds 🙂
Carl
From similar questions, around the Get-Credential cmdlet, it looks as if, when you start your PowerShell session with the parameter -NonInteractive, you don't get a prompt but an exception.
Since it is not always possible to start a new PS session with that NonInteractive parameter, you could run a short snippet and check the returned string.
The snippet uses a Try-Catch construct, with a specific case for the authentication exception.
The following seems to work for me.
When the user can not connect due to issues in WIA, the snippet returns "User can not connect via WIA".
$code = @'
Try {
    Connect-VIServer -Server $vcsaName -ErrorAction Stop | Out-Null
    Write-Host "All is well"
}
Catch [VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.ViServerConnectionException] {
    Write-Host "User can not connect via WIA"
}
Catch {
    Write-Host "Some other error"
}
'@
$vcsaName = '<Your VCSA FQDN>'
powershell -noninteractive -command "& {$($ExecutionContext.InvokeCommand.ExpandString($code))}"
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I changed it ever so slightly, to make it easier to run within my script:
$code = @'
Try {
    Connect-VIServer -Server $vcsaName -ErrorAction Stop | out-null
    exit 0
}
Catch [VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.ViServerConnectionException] {
    exit 1
}
Catch {
    exit 2
}
'@
$vcsaName = '<Your VCSA FQDN>'
powershell -noninteractive -command "& {$($ExecutionContext.InvokeCommand.ExpandString($code))}"
if($LASTEXITCODE -ne 0) {
    # Failed to connect
} else {
    # All good
    # do things...
}