VMware PowerCli and AD LDAP

Fut Dey

Sep 11, 2023, 3:13:54 PM
to ntsys...@googlegroups.com
Hi,

Is there a way to run PowerCLI/PowerShell scripts against a VCSA 7.x that is configured to use AD over LDAPS identity sources?

Scripts were running fine with IWA, but since it is deprecated in VCSA 7.x, is the way to run the scripts now from a domain-joined Windows host?

Interactive logon to vCenter via the web portal works fine, but running PowerShell scripts against vCenter is broken and returns nothing.

Thanks in advance,
Fut

Charles F Sullivan

Sep 11, 2023, 3:56:03 PM
to ntsys...@googlegroups.com
It sounds like you are describing something we do very regularly. We switched from IWA to LDAP over AD (I think that's VMware's term for it) months ago. We run a script using PowerCLI after provisioning new VMs that does things like check that it's in the proper cluster, expand and add disks, check Tools versions, etc.

--

Charlie Sullivan

Principal Windows Systems Administrator

Charles F Sullivan

Sep 11, 2023, 4:00:09 PM
to ntsys...@googlegroups.com
I should add that I am running the script from a domain-joined Windows workstation, in the same domain that vCenter is authenticating against. vCenter is at 7.0.3 build 20990077.

Fut Dey

Sep 11, 2023, 4:31:39 PM
to ntsys...@googlegroups.com
Hi Charles,

We're on 7.0.3, build 19234570.

How did you manage to run the PowerCLI scripts?

The PowerShell terminal seems to be passing the credential to vCenter as example.com\username, and vCenter is expecting user...@example.com.

Even with the web portal, we have to use user...@example.com to log on, and it wouldn't take example.com\username.

Fut

Charles F Sullivan

Sep 11, 2023, 5:15:41 PM
to ntsys...@googlegroups.com
  • First of all, to log in to vCenter I have always used the username@domain.blah format when needed, *but* the vCenter I usually run the script against is set to require only the user name, so I'm in the habit of doing that.
  • From the script: Connect-VIServer -Server srv1.blah.com -Protocol https
  • A GUI logon prompt pops up; I normally just type my user name and get in. This time I typed <domain>\<username> and it failed. I tried twice this way to make sure, then tried username only and it worked. I also tried user...@domain.blah and of course that worked as well.
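As an added example (not code from any poster in this thread), the helper below accepts any of the three user-name forms Charles tried (DOMAIN\user, bare user, user@domain) and always hands vCenter the user@dns-domain form that an AD over LDAP identity source expects. It also fails loudly instead of "not returning anything". The server name vcsa01.example.com, the DNS domain example.com and the NetBIOS name EXAMPLE are placeholders.

```powershell
# Added example: normalise the user name and connect to a vCenter that uses
# an "AD over LDAP" identity source. Names below are assumptions.
Import-Module VMware.PowerCLI -ErrorAction Stop

function ConvertTo-UpnUserName {
    <#
    .SYNOPSIS
    Rewrites DOMAIN\user or a bare "user" into user@dns.domain and leaves an
    existing UPN untouched. The NetBIOS-to-DNS mapping is supplied by the
    caller because the identity source is keyed on the DNS domain name.
    #>
    param(
        [Parameter(Mandatory)][string] $UserName,
        [Parameter(Mandatory)][string] $DnsDomain,
        [hashtable] $NetBiosMap = @{}
    )
    if ($UserName -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
        $dom = $Matches['dom']
        $suffix = if ($NetBiosMap.ContainsKey($dom)) { $NetBiosMap[$dom] } else { $DnsDomain }
        return "$($Matches['user'])@$suffix"
    }
    if ($UserName -notlike '*@*') {
        return "$UserName@$DnsDomain"
    }
    return $UserName
}

function Connect-VCenterWithUpn {
    param(
        [Parameter(Mandatory)][string] $Server,
        [Parameter(Mandatory)][pscredential] $Credential,
        [Parameter(Mandatory)][string] $DnsDomain,
        [hashtable] $NetBiosMap = @{}
    )
    # Pre-flight from the workstation: the thread's root cause was a firewall,
    # so check reachability before blaming the credential format. The
    # VCSA-to-DC LDAPS path (TCP 636) has to be checked from the appliance.
    $probe = Test-NetConnection -ComputerName $Server -Port 443 -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "TCP 443 to $Server is not reachable from $env:COMPUTERNAME"
    }

    $upn = ConvertTo-UpnUserName -UserName $Credential.UserName -DnsDomain $DnsDomain -NetBiosMap $NetBiosMap
    $upnCred = [pscredential]::new($upn, $Credential.Password)

    # -ErrorAction Stop turns a silent non-connection into a terminating
    # error that carries the SSO failure message.
    $session = Connect-VIServer -Server $Server -Credential $upnCred -ErrorAction Stop
    if (-not $session.IsConnected) {
        throw "Connect-VIServer to $Server returned a disconnected session"
    }
    Write-Host ("Connected to {0} as {1} (vCenter {2})" -f $session.Name, $session.User, $session.Version)
    return $session
}

# Usage (interactive): prompts once, then connects as user@example.com
$cred = Get-Credential -Message 'vCenter account (EXAMPLE\user, user, or user@example.com)'
$vi = Connect-VCenterWithUpn -Server 'vcsa01.example.com' -Credential $cred `
        -DnsDomain 'example.com' -NetBiosMap @{ EXAMPLE = 'example.com' }
Get-VMHost -Server $vi | Select-Object Name, ConnectionState
Disconnect-VIServer -Server $vi -Confirm:$false
```

The NetBIOS map matters when the short domain name does not equal the first label of the DNS name; when it does, passing -DnsDomain alone is enough.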

Michael Leone

Sep 12, 2023, 10:14:29 AM
to ntsys...@googlegroups.com
We use AD LDAP for our 2 vCenters with no issues. As for scripts, I have the credentials saved in an encrypted XML file, so my scheduled scripts use that to log in.
I've snipped out a bit here, like ensuring that the credential file exists first, but this is essentially what we do. Been doing it this way for years ...

https://vdc-download.vmware.com/vmwb-repository/dcr-public/73d6de02-05fd-47cb-8f73-99d1b33aea17/850c6b63-eb82-4d9c-bfcf-79279b5e5637/doc/New-VICredentialStoreItem.html
https://virtuallyjason.blogspot.com/2017/01/creating-vicredentialstore-items.html

<#

Updates:
2022-10-14 Changed credential file to be used, pointing it at the network share. --MJL
2023-07-24 Removed transcript. -- MJL

Designed to be run from host: <hostname> as user: <Username>
Note that the host names must be capital HOSTNAME, lowercase rest of FQDN, as that's how they are entered
in the XML file that holds the vCenter credentials

Connects to each host in a vCenter, and saves the configuration

#>

Import-Module VMware.PowerCLI

# Session-wide PowerCLI settings; one statement, continued with backticks
Set-PowerCLIConfiguration -DefaultVIServerMode Multiple `
    -WebOperationTimeoutSeconds -1 -Scope User -InvalidCertificateAction Ignore `
    -Confirm:$false -ParticipateInCEIP $true | Out-Null

$vCenterCredFile = "vCenter-Credentials.XML"
$All_vCenters = @("<FQDN1>", "<FQDN2>")
$envComputerName = Get-Item env:ComputerName
[string] $ComputerName = $envComputerName.Value

ForEach ($vCenter in $All_vCenters)
{
    # Look up the entry stored for this vCenter name and connect with it
    $vCenterCreds = Get-VICredentialStoreItem -Host $vCenter -File $vCenterCredFile
    Connect-VIServer $vCenter -User $vCenterCreds.User -Password $vCenterCreds.Password
}

When you save the credentials in the XML file, they are for *just*
that specific user and *just* that specific host. So if you try and
use those creds from a different host, it will fail to connect.
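As an added example that is not Michael's script, the block below shows the other half of the credential-store approach: creating the entry once, interactively, as the Windows account the scheduled task runs under, and then a connect routine that checks each precondition (file present, entry present, session actually connected) so a scheduled run fails with a message rather than doing nothing. The share path \\files\ops\vCenter-Credentials.xml and the vCenter names are placeholders; the statement that the file is readable only by the creating Windows account is an assumption drawn from the behaviour described above.

```powershell
# Added example: one-time credential store creation plus a checked,
# non-interactive connect loop. Paths and host names are assumptions.
Import-Module VMware.PowerCLI -ErrorAction Stop

$CredFile = '\\files\ops\vCenter-Credentials.xml'
$VCenters = @('vcsa01.example.com', 'vcsa02.example.com')

function New-VCenterStoreEntry {
    # Run ONCE, interactively, logged on as the account the scheduled task
    # will use. Assumption: the store is encrypted for that Windows account,
    # which is why an entry created by someone else is unusable by the task.
    param(
        [Parameter(Mandatory)][string] $Server,
        [string] $File = $CredFile
    )
    $c = Get-Credential -Message "Account for $Server (user@example.com form)"
    $plain = $c.GetNetworkCredential().Password
    # -Host must be spelled exactly as the connect step will pass it later.
    New-VICredentialStoreItem -Host $Server -User $c.UserName -Password $plain -File $File | Out-Null
    Remove-Variable plain
}

function Connect-VCenterFromStore {
    param(
        [Parameter(Mandatory)][string] $Server,
        [string] $File = $CredFile
    )
    if (-not (Test-Path -LiteralPath $File)) {
        throw "credential file $File not found"
    }
    $item = Get-VICredentialStoreItem -Host $Server -File $File -ErrorAction SilentlyContinue
    if (-not $item) {
        throw "no credential store entry for host '$Server' in $File (name must match the stored entry)"
    }
    # Fail loudly; nobody is watching a scheduled task's console.
    $vi = Connect-VIServer -Server $Server -User $item.User -Password $item.Password -ErrorAction Stop
    if (-not $vi.IsConnected) {
        throw "not connected to $Server"
    }
    return $vi
}

# Scheduled run: connect to each vCenter, do the work, always disconnect.
foreach ($vc in $VCenters) {
    $vi = $null
    try {
        $vi = Connect-VCenterFromStore -Server $vc
        Get-VMHost -Server $vi | Select-Object Name, ConnectionState, Version
    }
    catch {
        Write-Error ("[{0}] {1}: {2}" -f (Get-Date -Format s), $vc, $_.Exception.Message)
    }
    finally {
        if ($vi) { Disconnect-VIServer -Server $vi -Confirm:$false }
    }
}
```

Call New-VCenterStoreEntry -Server 'vcsa01.example.com' once per vCenter while logged on as the task account; after that the loop needs no prompt. Because the file holds a usable credential, restrict the share ACL to that account and treat it like any other secret.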

Fut Dey

Oct 25, 2023, 3:35:34 PM
to ntsys...@googlegroups.com
Charles/Michael,

Thanks for your replies and sharing a snip of your script.

I forgot to reply to this thread in late Sept when we found the issue.

Turns out to be some bug in our hardware firewall fronting our AD DCs.

The initial issue revolved around running PowerCLI/PowerShell scripts against VCSA 7.x using AD over LDAPS, then random RDP issues, then random systems' secure channels were broken, share issues, etc.

It was a wild couple of weeks.

Regards,
Fut
