VMware powercli connection error to single esxi homelab - powershell

Environment
Home VMware lab consisting of a single VMware ESXi host.
Client version: 1.33.4
Client build number: 14093553
ESXi version: 6.7.0
ESXi build number: 14320388
PC running the script
Windows 10
Powershell 5.1
VMware PowerCLI 12.0.0 build 15947286
The user connecting has the VMware Administrator role attached to it.
Code
clear-host
$vc = 'my-hhost-ip'
$user='myuser'
$pw='mypassword'
Set-PowerCLIConfiguration -InvalidCertificateAction:ignore
Connect-VIServer -server $vc -Protocol https -user $user -password $pw
Error
Connect-VIServer : Specified method is not supported.
At line:6 char:1
+ Connect-VIServer -server $vc -Protocol https -user $user -password $p ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Connect-VIServer], PSNotSupportedException
+ FullyQualifiedErrorId : NotSupported,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer
PSMessageDetails :
Exception : System.Management.Automation.PSNotSupportedException: Specified method is not supported.
TargetObject :
CategoryInfo : NotImplemented: (:) [Connect-VIServer], PSNotSupportedException
FullyQualifiedErrorId : NotSupported,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, <No file>: line 16
PipelineIterationInfo : {}
What I've tried
Leaving off the credentials and having it ask gives the same error.
Deliberately getting the password wrong - gives an incorrect password message
Removing the administrator role from the user - gives a not authorised message
The output of the last two tests leads me to believe I am in fact authenticating ok, but that there is then some setting/service I've not set or enabled that allows it to connect after authenticating.
Any suggestions would be appreciated.

ESXi hosts assigned the free license don't grant access to consume the API services, which is what PowerCLI is doing under the covers.
The error message is confirming that you do not have the ability to access the API services.

Just to add a secondary answer in case anybody else stumbles upon it.
I thought at first that it was because I was connecting to my home eval edition.
However, I got the exact same issue when connecting to our corporate environment.
It turns out that my account on the machine was locked down to PowerShell constrained language mode. Running the commands on an account that did not have the mode set allowed them to run ok.

To add a further answer to this in case it helps anyone, in my case I just needed to run PowerShell as administrator.
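An added pre-flight check (not code from the question or any of the answers) that reports the three causes the answers above name, and then attempts the connection with the failure type from the question caught explicitly. The host, user and password values are the question's placeholders; the PowerCLI module is assumed to be installed.

```powershell
# Added example, not from the question or answers: check the three causes named on
# this page before calling Connect-VIServer. Placeholders as in the question.
$vc   = 'my-host-ip'
$user = 'myuser'
$pw   = 'mypassword'

function Test-PowerCliPreflight {
    $findings = @()

    # Second answer: Constrained Language Mode blocks the .NET types PowerCLI uses.
    $mode = $ExecutionContext.SessionState.LanguageMode
    if ($mode -ne 'FullLanguage') {
        $findings += "Session language mode is '$mode'; PowerCLI needs FullLanguage."
    }

    # Third answer: not running elevated. Reported rather than worked around, so an
    # unexpectedly unelevated session stays visible.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings += 'PowerShell is not running as administrator.'
    }

    if (-not (Get-Module -ListAvailable -Name VMware.PowerCLI)) {
        $findings += 'VMware.PowerCLI module is not installed for this scope.'
    }
    return $findings
}

$findings = Test-PowerCliPreflight
if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; return }

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false | Out-Null
try {
    Connect-VIServer -Server $vc -User $user -Password $pw -ErrorAction Stop | Out-Null
    Write-Host "Connected to $vc as $user"
} catch [System.Management.Automation.PSNotSupportedException] {
    # First answer: the login succeeds but API access is refused, which is what the
    # free ESXi license does. A wrong password or missing role fails differently.
    Write-Warning "API access refused by $vc : $($_.Exception.Message)"
} finally {
    if ($global:DefaultVIServer) { Disconnect-VIServer -Server $vc -Confirm:$false }
}
```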

Related

Rename-Computer is throwing "access is denied" error but I can't figure out to what

I am on a Windows 10 Enterprise machine that is hosting hyperv machines. We will call this "Win10Host".
One of the virtual machines is "Win10Base" which is a base install of Windows 10 Pro.
I am attempting to run the below from "Win10Host" to rename "Win10Base" and it is failing (errors below).
$secpasswd = ConvertTo-SecureString 'mypassword' -AsPlainText -Force
$localCreds = New-Object System.Management.Automation.PSCredential ('user', $secpasswd)
$computername = 'Win10Base'
$VMName = 'Win10BaseNew'
$VMIP = 'x.x.x.x'  # Redacted; I have used Remote Desktop to verify this IP is correct.
Rename-Computer -ComputerName $VMIP -LocalCredential $localCreds -NewName $VMName -Verbose
Win10Base is a basic click through windows 10 pro install.
user is the initial user setup after install.
At first it was throwing:
Rename-Computer : Cannot establish the WMI connection to the computer 'Win10Base'
with the following error message: Access denied .
At line:9 char:1
+ Rename-Computer -ComputerName $computername -LocalCredential $localCr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Win10Base:String) [Rename-Computer], InvalidOperationException
+ FullyQualifiedErrorId : RenameComputerException,Microsoft.PowerShell.Commands.RenameComputerCommand
After giving permissions to Remote Desktop, configuring the firewall, giving permissions to "Windows Management Instrumentation" in dcomcnfg, and giving access through wmimgmt.msc to the CIMV2 namespace I have arrived at my current situation.
Currently the powershell throws:
Rename-Computer : Fail to rename computer 'Win10Base' to 'Win10BaseNew'
due to the following exception: Access is denied.
At line:9 char:1
+ Rename-Computer -ComputerName $computername -LocalCredential $localCr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Win10Base:String) [Rename-Computer], InvalidOperationException
+ FullyQualifiedErrorId : FailToRenameComputer,Microsoft.PowerShell.Commands.RenameComputerCommand
Run scenarios:
On Win10Base ISE - fails with the "access denied".
On Win10Base ISE run as admin - success.
On Win10Host ISE - fails with the "access denied"
On Win10Host ISE run as admin - fails with the "access denied"
As best I can tell user on Win10Base is an administrator. I even enabled "god mode" to see if I could change the user type to a high level and found it was in the administrators group.
Checking Windows Event logs (Application, Security, Setup, and system) I see nothing to correlate with the current access denied. Nothing is picked up in DbView as best I can tell.
So any suggestions on where to look next for WHAT access is denied would be greatly appreciated.
If the machine isn't on the domain, your user's domain needs to be specified in the credentials (DOMAIN\user), where the domain is the local machine name.
Also enable WinRM on the remote machine using "winrm quickconfig" at the command line.
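The answer above applied, as an added example rather than the asker's script: the local account is qualified with the target's own machine name, and the WinRM listener that "winrm quickconfig" creates is checked before the rename is attempted. Names, IP and password are the question's placeholders.

```powershell
# Added example (not the asker's script): machine-qualified local credential plus a
# WinRM check before Rename-Computer. Placeholder names and IP from the question.
$computername = 'Win10Base'
$VMName       = 'Win10BaseNew'
$VMIP         = 'x.x.x.x'
$secpasswd    = ConvertTo-SecureString 'mypassword' -AsPlainText -Force

# Workgroup machine: the "domain" part of the user name is the machine name itself.
$localCreds = New-Object System.Management.Automation.PSCredential ("$computername\user", $secpasswd)

# "winrm quickconfig" on Win10Base sets up the listener; Test-WSMan confirms it answers,
# so a transport problem is not later reported as a bare "Access is denied".
try {
    Test-WSMan -ComputerName $VMIP -ErrorAction Stop | Out-Null
} catch {
    throw "WinRM is not reachable on $VMIP : $($_.Exception.Message)"
}

# The rename itself; add -Restart to reboot the target so the new name takes effect.
Rename-Computer -ComputerName $VMIP -LocalCredential $localCreds -NewName $VMName -Verbose
```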

Get-ADDomain fails, UI works

Trying to join a Windows Server 2016 to a domain using PowerShell.
However, PowerShell fails on Get-ADDomain with :
Get-ADDomain -Identity customer.com.au -Credential $domainCred
Error :
Get-ADDomain : Unable to contact the server. This may be because this
server does not exist, it is currently down, or it does not have the
Active Directory Web Services running. At line:1 char:1
+ Get-ADDomain -Identity customer.com.au -Credential $domainCred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (customer.com.au:ADDomain) [Get-ADDomain], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADDomain
Get-ADDomainController -Discover -Service ADWS -DomainName customer.com.au
Domain : customer.com.au
Forest : customer.com.au
HostName : {CUSTOMERSVRDC06.customer.com.au}
IPv4Address : 10.20.104.86
IPv6Address :
Name : CUSTOMERSVRDC06
Site : customer-main-site
So, AD Web Services are running on a server in that domain. I can resolve the domain.
And I can even promote this server manually via Server Manager just fine, with the same credentials.
Anybody got an idea what’s wrong with AD PowerShell?
Cheers
David
Turns out there was a port still missing on the network side.
They opened up the firewall for now and it works. I suspect a random high port.
Sounds like you cannot reach the ADWS. That is common on corporate networks if the firewall or policies are not designed to allow it. Regardless, you can achieve this with the options below too.
Use the -Server param on Get-AD~ Cmdlets and specify a DC to query. You said you know at least 1 DC with ADWS on and reachable.
Use Invoke-Command or other PSRemoting features to remote into a DC and run those commands as if you were logged on locally on the DC. Doesn't need ADWS to be available on the Network.
You can also use PSexec with Invoke-Expression to run your code on the target machine.

What ports/services needs to be opened for PowerShell Active Directory to function?

So far, I've tried opening port 9389 and ADWS is running on the remote server... and no luck...
The command:
$credential = Get-Credential # Feed it the foreign Domain\Username + password
Get-ADUser 'someUser' -Server some.remote.server.com -Credential $credential
Here's the error:
Get-ADUser : Unable to contact the server. This may be because this server does
not exist, it is currently down, or it does not have the Active Directory Web Services
running.
At line:1 char:1
+ Get-ADUser 'someUser' -Server some.remote.server.com -Credential $credential
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (e313681:ADUser) [Get-ADUser], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
I can ping this machine and remote to it, but I can't query it with PowerShell.
I've checked that ADWS is running on the domain controller... out of ideas here - did I miss a port or something?
Really hope you got this problem solved after over 2.5 years. Got here through Google as I was looking for my own problem. Just dropping the information here for others that might hit this page.
Powershell is using ADWS and the port being used is 9389.
In the end for me it was the Windows Firewall blocking this port. For anyone in the same situation, check %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log for drops to the IP of the AD controller you are trying to connect to.
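An added example, not from either of the two AD threads above, that ties their answers together: it discovers a DC advertising ADWS, probes TCP 9389 to it, pins the AD cmdlet to that DC with -Server when the port answers, and otherwise looks for drops to that DC in pfirewall.log and falls back to running the cmdlet on the DC over PSRemoting. It assumes the RSAT ActiveDirectory module is installed and that Windows Firewall logging of dropped packets is enabled; the domain name is the placeholder from the first thread.

```powershell
# Added example: ADWS reachability check, firewall-log lookup and the two fallbacks
# from the answers above. Assumes RSAT ActiveDirectory and firewall drop logging.
Import-Module ActiveDirectory
$domain = 'customer.com.au'

function Test-AdwsReachable {
    param([Parameter(Mandatory)][string]$DomainName)
    # Same discovery the first asker ran; it uses DNS/LDAP, not ADWS, so it can
    # succeed while TCP 9389 is still blocked.
    $dc = Get-ADDomainController -Discover -Service ADWS -DomainName $DomainName
    $probe = Test-NetConnection -ComputerName $dc.IPv4Address -Port 9389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC       = [string]$dc.HostName
        IPv4     = [string]$dc.IPv4Address
        AdwsOpen = $probe.TcpTestSucceeded
    }
}

function Get-FirewallDropsTo {
    # pfirewall.log columns: date time action protocol src-ip dst-ip src-port dst-port ...
    param([Parameter(Mandatory)][string]$DestinationIp, [int]$Port = 9389,
          [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    Get-Content $LogPath | Where-Object { $_ -and -not $_.StartsWith('#') } | ForEach-Object {
        $f = $_ -split ' '
        if ($f[2] -eq 'DROP' -and $f[5] -eq $DestinationIp -and $f[7] -eq "$Port") {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Proto = $f[3]; Src = $f[4]; Dst = $f[5]; DstPort = $f[7] }
        }
    }
}

$r = Test-AdwsReachable -DomainName $domain
if ($r.AdwsOpen) {
    # -Server pins the query to a DC known to run ADWS (first option in the first thread).
    Get-ADDomain -Identity $domain -Server $r.DC
} else {
    Write-Warning "TCP 9389 to $($r.IPv4) is closed; recent local firewall drops to it:"
    Get-FirewallDropsTo -DestinationIp $r.IPv4 | Select-Object -Last 10 | Format-Table -AutoSize
    # Second option: run the cmdlet on the DC itself over PSRemoting (TCP 5985), no ADWS path needed.
    Invoke-Command -ComputerName $r.DC -ScriptBlock { Get-ADDomain }
}
```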

Why does Invoke-Command { net localgroup } fail?

I can successfully use NET USE and NET USER commands on the remote machine. Why not NET LOCALGROUP?
PS C:\src\powershell> Invoke-Command -ComputerName OTHERMACHINE -ScriptBlock { & NET LOCALGROUP }
System error 1312 has occurred.
+ CategoryInfo : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : OTHERMACHINE
A specified logon session does not exist. It may already have been terminated.
Passing the /USER parameter produces a different error.
PS C:\src\powershell> Invoke-Command -ComputerName OTHERMACHINE -ScriptBlock { & net localgroup /USER:THEDOM\theuser }
The option /USER:THEDOM\theuser is unknown.
+ CategoryInfo : NotSpecified: (The option /USE...son is unknown.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : OTHERMACHINE
The syntax of this command is:
NET LOCALGROUP
[groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
groupname name [...] {/ADD | /DELETE} [/DOMAIN]
More help is available by typing NET HELPMSG 3506.
I believe this is the double-hop problem. You get the same error if you try to execute net localgroup administrators in a session created with Enter-PSSession: "System error 1312 has occurred." and "A specified logon session does not exist. It may already have been terminated."
net.exe is trying to reauthenticate, but it can't reuse the credentials of the session. You may have success using CredSSP, which requires some setup and, IIRC, may have security implications. You'll have to enable CredSSP on the remote system and local system, and then delegate correctly. Even then I'm seeing conflicting reports about this working. There may even be security policies preventing it.
Personally, I just wouldn't use net.exe at all. That's too many hoops to jump through for something so basic. You can retrieve the members of a local group remotely via the ADSI provider, which is probably much easier and much more likely to work.
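The ADSI route the answer recommends, as an added example that is not the answerer's code: the WinNT provider lists a machine's local groups and a group's members without spawning net.exe, so nothing inside the remote session has to authenticate a second time. OTHERMACHINE and THEDOM are the question's placeholders.

```powershell
# Added example: local groups and group members over the WinNT ADSI provider,
# replacing "net localgroup" inside a remote session. Placeholder names from the question.
function Get-RemoteLocalGroup {
    # Equivalent of a bare "net localgroup": names of the machine's local groups.
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = [ADSI]"WinNT://$ComputerName,computer"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'group' } |
        ForEach-Object { [string]$_.Name }
}

function Get-RemoteLocalGroupMember {
    # Equivalent of "net localgroup <group>", with each account's origin made explicit.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$GroupName = 'Administrators'
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    # Members() yields raw COM objects; their properties come out via reflection.
    foreach ($m in @($group.Invoke('Members'))) {
        $t = $m.GetType()
        $path = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Computer = $ComputerName
            Group    = $GroupName
            Member   = $t.InvokeMember('Name',  'GetProperty', $null, $m, $null)
            Type     = $t.InvokeMember('Class', 'GetProperty', $null, $m, $null)   # User or Group
            # ADsPath is WinNT://THEDOM/name for domain principals and
            # WinNT://OTHERMACHINE/name for local ones; the middle segment is the source.
            Source   = ($path -replace '^WinNT://', '') -replace '/[^/]+$', ''
        }
    }
}

Get-RemoteLocalGroup -ComputerName 'OTHERMACHINE'
Get-RemoteLocalGroupMember -ComputerName 'OTHERMACHINE' -GroupName 'Administrators' |
    Format-Table -AutoSize
```

Unexpected domain or local accounts in the Source column of the Administrators output are the thing worth reviewing when this is run across a fleet.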

PowerShell Double Hop Issue

I’m trying to run a PowerShell script on SYSTEM1, which executes robocopy on SYSTEM2, copying files to SYSTEM3,4,5,etc.
SYSTEM1 and SYSTEM2 are on the same domain, but SYSTEM2 is not behind a firewall (hence the need to run robocopy from SYSTEM2 and not SYSTEM1).
SYSTEM3,4,5 are on different domains than SYSTEM2, as well as different domains than each other.
I set the script up like this (it uses the net use command to prompt the user for credentials for the different domains):
Foreach ($server in $servers) {
    $command = {
        param($cred, $server)
        $error.Clear()
        # Stored credentials in local variables
        $user = $cred.GetNetworkCredential().UserName
        $pass = $cred.GetNetworkCredential().Password
        # Establish connection from SYSTEM2 -> $server
        net use \\$server\c$\Deployments /delete
        net use \\$server\c$\Deployments /USER:$user $pass
        # Check to see if C:\Deployments exists on server, and if not create it.
        if ((Test-Path \\$server\c$\Deployments) -eq $FALSE) {
            $c = {
                # $using: carries $server into the script block that runs on the target
                New-Item \\$using:server\c$\Deployments -type directory
            }
            $ws = Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock $c
        }
        # Copy over the deployment packages
        $dest = "\\$server\Deployments\$DeploymentDate\$CurrentDirectoryName"
        robocopy $CurrentDirectoryPath $dest /W:20 /R:15 /e /XF CopyPackage.ps1
        # Delete connection from SYSTEM2 -> $server
        net use \\$server\c$\Deployments /delete
    }
    # (the Invoke-Command that runs $command on SYSTEM2 is not shown in the question)
}
However, the net use command returns an error after the credentials are entered:
The network connection could not be found.
+ CategoryInfo : NotSpecified: (The network con...d not be found.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : SYSTEM2
More help is available by typing NET HELPMSG 2250.
System error 55 has occurred.
+ CategoryInfo : NotSpecified: (System error 55 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : SYSTEM2
The specified network resource or device is no longer available.
[SYSTEM3] Connecting to remote server failed with the following error message : WinRM cannot process the request. The
following error occured while using Kerberos authentication: There are currently no logon servers available to service
the logon request.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
+ PSComputerName : SYSTEM2
The network connection could not be found.
+ CategoryInfo : NotSpecified: (The network con...d not be found.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : SYSTEM2
More help is available by typing NET HELPMSG 2250.
I’ve read this could be a “double-hop” issue (as detailed here), but I’m not sure how to edit the script to use CredSSP instead of Kerberos (or if this is even the problem).
Any ideas?
Posting this solution in case someone is still having an issue with a simple resolution to DoubleHop without using CredSSP.
Try this out:
https://www.powershellgallery.com/packages/Invoke-PSSession
It invokes a PSSession, then registers a PSSessionConfiguration with the credentials that you provided, basically providing the credentials for that double hop.
Then use Invoke-Command with that new PSSession. It should have the required privileges to do what you need.
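The same RunAs-endpoint idea done with built-in cmdlets, as an added example that is not the Invoke-PSSession module's code: a session configuration on SYSTEM2 registered with -RunAsCredential runs every command under that account with a full logon token, so SYSTEM2 authenticates onward to the target itself instead of needing SYSTEM1's token delegated. It assumes the RunAs account is allowed to log on to SYSTEM2 and has rights on the target share; system names, paths and the endpoint name are placeholders.

```powershell
# Added example, not the Invoke-PSSession module's code: RunAs endpoint on SYSTEM2 plus
# the copy run through it from SYSTEM1. Assumes the RunAs account can log on to SYSTEM2
# and has rights on the target share; names and paths are placeholders.

# --- One-time setup, run in an elevated prompt on SYSTEM2 ---
$configName = 'DeployRunAs'
$runAsCred  = Get-Credential -Message 'Account the endpoint will run as'
# The credential is stored on SYSTEM2, so limit who may connect to the endpoint:
# this SDDL grants access to the local Administrators group only (assumed from the cmdlet docs).
$adminsOnly = 'O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
if (-not (Get-PSSessionConfiguration -Name $configName -ErrorAction SilentlyContinue)) {
    Register-PSSessionConfiguration -Name $configName -RunAsCredential $runAsCred `
        -SecurityDescriptorSddl $adminsOnly -Force | Out-Null
}

# --- On SYSTEM1: connect to that endpoint instead of the default one ---
$session = New-PSSession -ComputerName 'SYSTEM2' -ConfigurationName $configName
Invoke-Command -Session $session -ScriptBlock {
    param($server, $src, $date, $name)
    $dest = "\\$server\c`$\Deployments\$date\$name"
    # No net use and no second credential here: the endpoint's RunAs account is the
    # identity SYSTEM2 presents to $server.
    if (-not (Test-Path $dest)) { New-Item $dest -ItemType Directory | Out-Null }
    robocopy $src $dest /E /R:15 /W:20 /XF CopyPackage.ps1
    if ($LASTEXITCODE -ge 8) { throw "robocopy to $dest failed with exit code $LASTEXITCODE" }
} -ArgumentList 'SYSTEM3', 'C:\Packages\App', (Get-Date -Format yyyyMMdd), 'App'
Remove-PSSession $session
```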