Connect-VIServer not connecting to vCSA 5.5 U1 using Windows integrated authentication...
Summary:
Connect-VIServer MyvCSAServer was not connecting using my service account's (for scheduled tasks) Windows account. It would always prompt for credentials. Fairly odd, since it has permissions and is able to connect to several other vCenters without inputting credentials.
By the way, this is very convenient since I don't have to insert passwords anywhere in clear text or come up with some crazy solution to encrypt the password.
Solution/Workaround:
Simply log into the web client using the service account once. Once authenticated, PowerCLI should no longer prompt for credentials.
[This applied when the VCSA's default identity source is set to Active Directory (Windows Integrated Authentication) and is set as the default domain. The "Active Directory as an LDAP server" option will not work.]
Hypothesis:
I'm guessing this is some kind of weird SSO thing, where the account needs to get locally cached prior to allowing Windows integrated authentication. It also makes me wonder if my service account were enabled for impersonation whether I would have had to manually authenticate first.
Additional Info:
Alan Renouf posted about this a while back, but it didn't come up in my Google searches for some reason.
http://blogs.vmware.com/PowerCLI/2013/03/back-to-basics-connecting-to-vcenter-or-a-vsphere-host.html