{"id":598,"date":"2018-10-12T10:54:14","date_gmt":"2018-10-12T08:54:14","guid":{"rendered":"https:\/\/virtualguru.cz\/?p=598"},"modified":"2018-10-12T19:36:52","modified_gmt":"2018-10-12T17:36:52","slug":"problem-s-windows-session-authentication-pres-powercli","status":"publish","type":"post","link":"https:\/\/virtualguru.cz\/en\/2018\/10\/12\/problem-s-windows-session-authentication-pres-powercli\/","title":{"rendered":"Problem with Windows Session Authentication via PowerCLI"},"content":{"rendered":"<p>I recently dealt with a problem while writing a set of scripts for a customer. To keep them simple to run, they were not supposed to prompt for credentials.<\/p>\n<p>For many of you this is a simple task that probably needs no elaboration. But I ended up in a situation where logging in through the Web Client worked, but through PowerCLI it did not.<\/p>\n<p>Let's look at the situation that led to this (for obvious security reasons I will not give the real domain names):<\/p>\n<p>The vCenter Server Appliance was joined to the AD domain &#8220;vclass.local&#8221;. The DNS name of the vCenter domain, however, was slightly different: &#8220;lab.vclass.local&#8221;.<\/p>\n<p>When connecting through the Web Client, everything worked once the Enhanced Authentication Plugin was installed. 
However, when running a PowerCLI script and connecting via<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Connect-VIserver vc.lab.vclass.local<\/pre>\n<p>a window prompting for credentials popped up.<\/p>\n<p>Why would a prompt appear when I am logged on to the Windows machine with a domain account that has the required permissions? After all, it works in the Web Client.<\/p>\n<p>To clear up the &#8220;mystery&#8221;, first enable more detailed logging when connecting:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Connect-VIserver vc.lab.vclass.local -Verbose<\/pre>\n<p>The output is then as follows:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">VERBOSE: Attempting to connect using SSPI\r\nVERBOSE: Reversely resolved 'vc.lab.vclass.local' to 'vc.lab.vclass.local'\r\nVERBOSE: SSPI Kerberos: Acquired credentials for user 'VCLASS\\Administrator'\r\nVERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host\/vc.lab.vclass.local'. 
Error code: 0x80090303\r\nVERBOSE: Connect using SSPI was unsuccessful\r\nConnect-VIServer : 12.10.2018 9:00:10   Connect-VIServer                Could not determine user name and\/or password fo\r\nr server vc.lab.vclass.local\r\nAt line:1 char:1\r\n+ Connect-VIServer vc.lab.vclass.local -Verbose\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], ViServerConnectionException\r\n    + FullyQualifiedErrorId : ViCore_Login_CredentialNotFound,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVISe\r\n   rver<\/pre>\n<p>The important line is the second-to-last one starting with VERBOSE:<\/p>\n<p><strong>VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target '<span style=\"color: #ff0000;\">host\/vc.lab.vclass.local'<\/span>. Error code: 0x80090303<\/strong><\/p>\n<p>This happens because the object &#8220;vc.vclass.local&#8221; in AD (that is how the vCenter is joined and named in AD) does not have the corresponding SPN record, which is highlighted in the line above.<\/p>\n<p>To fix this, simply run a single command on a computer that is joined to the domain and has the AD tools installed.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">C:\\&gt; setspn -A \"HOST\/vc.lab.vclass.local\" vc\r\nChecking domain DC=vclass,DC=local\r\n\r\nRegistering ServicePrincipalNames for CN=VC,CN=Computers,DC=vclass,DC=local\r\nHOST\/vc.lab.vclass.local\r\nUpdated object<\/pre>\n<p>Of course, this must be run as a user who has the appropriate permissions in AD.<\/p>\n<p>Verification:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">C:\\&gt;setspn -l VCLASS\\vc\r\nRegistered 
ServicePrincipalNames for CN=VC,CN=Computers,DC=vclass,DC=local:\r\nHOST\/vc.lab.vclass.local\r\nHOST\/vc\r\nHOST\/vc.vclass.local<\/pre>\n<p>To be safe, restart the vCenter appliance.<\/p>\n<p>Then you can verify that you can log in to vCenter without having to enter credentials:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">PS C:\\&gt; Connect-VIServer vc.lab.vclass.local -Verbose\r\n\r\nVERBOSE: Attempting to connect using SSPI\r\nVERBOSE: Reversely resolved 'vc.lab.vclass.local' to 'vc.lab.vclass.local'\r\nVERBOSE: SSPI Kerberos: Acquired credentials for user 'VCLASS\\Administrator'\r\nVERBOSE: SSPI Kerberos: Successful call to InitializeSecurityContext for target 'host\/vc.lab.vclass.local'\r\nVERBOSE: Connected successfully using SSPI\r\n\r\nName                           Port  User\r\n----                           ----  ----\r\nvc.lab.vclass.local            443   VCLASS\\Administrator\r\n<\/pre>","protected":false},"excerpt":{"rendered":"<p>I recently dealt with a problem while writing a set of scripts for a customer. To keep them simple to run, they were not supposed to prompt for credentials. 
For many of&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/virtualguru.cz\/en\/2018\/10\/12\/problem-s-windows-session-authentication-pres-powercli\/\">Continue Reading<span class=\"screen-reader-text\">Problem with Windows Session Authentication via PowerCLI<\/span> <i class=\"fas fa-angle-right\"><\/i><\/a><\/div>","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"iawp_total_views":16,"footnotes":""},"categories":[3],"tags":[12,19,9],"class_list":["post-598","post","type-post","status-publish","format-standard","hentry","category-vsphere","tag-powercli","tag-vcsa","tag-vsphere","entry"],"_links":{"self":[{"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/posts\/598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/comments?post=598"}],"version-history":[{"count":3,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/posts\/598\/revisions"}],"predecessor-version":[{"id":601,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/posts\/598\/revisions\/601"}],"wp:attachment":[{"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/media?parent=598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/categories?post=598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/tags?post=598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org
\/{rel}","templated":true}]}}