Categories
Virtualization Vmware

vCenter 6.5 – Unable to Authenticate

Happy Monday everyone! I hope you all had a great weekend and Holiday. Guess what happened to me this morning? I came into the office (virtually of course) and discovered that our VDI vCenter environment was inaccessible. Now this is an older environment on its way out the door so I am not too concerned with it. However it would make our lives easier to have vCenter working for the decommissioning process.

When I tried to log into this VCSA Server I would receive the following message in a red banner across the top of the screen:

[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: ‘Trusted root certificates’ value should not be empty.

When I said this environment is old, it was upgraded from 5.5 and is now comprised of a VCSA appliance and an external PSC. Although the database has been migrated to a vPostgres DB instead of the SQL database that it started on, we have still noticed issues as time has gone on.

We tried to log in both with AD credentials and the local administrator user and both failed. Which was very concerning as we did have an issue with a DNS a few months back which knocked out AD authentication and all of our hosts in a different environment. Resolving that issue required a ticket to be opened with VMware.

I logged into the VAMI on both the PSC and the vCenter server (AD Authentication on both) and I did not see any issues there. Everything looked healthy and good. Since this environment is going away we decided to see if a good old reboot would fix it since we could not remember when the last reboot on this system occurred.

After rebooting the VCSA appliance everything seemed okay. In fact the vCenter console logged me in automatically. We plan to look into this more, however with this environment being decommissioned in the next few days I don’t think we will find anything of value.

If I do find a root cause for this one I will make sure to post an update on this.

Categories
PowerCLI Virtualization Vmware

PowerCLI – How to backup VCSA 6.5

I have recently been working on an issue with a PowerCLI script that has been working for a few weeks that just stopped working. The script is a modified version of the one Kyle Ruddy posted about here:
https://blogs.vmware.com/PowerCLI/2018/07/automate-file-based-backup-of-vcsa.html

The script also uses Credentials store to be able to run the script securely but other than that the script is pretty vanilla.

Now that you are up to speed with how it is supposed to work, my next post will cover the issue, and how to resolve it.

Categories
PowerCLI Virtualization Vmware

PowerCLI – Datastore Report

I recently was working in an environment where they are still running vSphere 6.0. While doing some storage expansions I discovered that the Flash Client and the C# Client were not reporting the same size on the Datastore. This can be very frustrating as you are not sure which one you can trust. So as a tie breaker I decided to turn to my good friend PowerCLI.

It turns out that PowerCLI and the C# client were reporting the same thing. So I decided to create a PowerCLI Script to assist me in my work. You can find the script here on my Github:

https://github.com/kenbshinn/PowerCLI-Scripts/blob/master/VM_Datastore_Report.ps1

I hope you found this post helpful and will share it with your friends.

Categories
PowerCLI Virtualization Vmware

PowerCLI – Virtual Host Hardware Information

I have recently been working on an asset inventory issue where I was provided a list of serial numbers from our hardware vendor and I was asked to reconcile it with what we had. Well that is easier said than done in most cases.

I know that vCenter collects a bunch of hardware information and I wanted to see if there was a way to pull the Serial number that is on the System board and put that information into a .csv.

In comes the following command:

 Get-VMHost | Get-VMHostHardware -SkipAllSslCertificateChecks | Export-Csv C:\temp\VMHostHardware.csv

This command will pull all the hardware information that vCenter records and put it into a .csv file.
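To carry the export through to the reconciliation itself, the following added example (not part of the original post) compares the serial numbers vCenter reports against a vendor list. The file paths and the vendor file's SerialNumber column are assumptions, and an existing Connect-VIServer session is required.

```powershell
# Added example: the paths and the vendor column name below are assumptions.
$vendorCsv = 'C:\temp\VendorSerials.csv'        # hypothetical vendor list with a SerialNumber column
$reportCsv = 'C:\temp\SerialReconciliation.csv' # hypothetical output file

# Normalise serials so stray whitespace or case differences do not cause false mismatches.
$vendor = Import-Csv $vendorCsv |
    ForEach-Object { "$($_.SerialNumber)".Trim().ToUpper() } |
    Where-Object { $_ } | Sort-Object -Unique

# Same call as in the post, reduced to the fields needed for the comparison.
$hosts = Get-VMHost | Get-VMHostHardware -SkipAllSslCertificateChecks |
    Select-Object @{N = 'VMHost'; E = { $_.VMHost.Name } }, Manufacturer, Model,
                  @{N = 'SerialNumber'; E = { "$($_.SerialNumber)".Trim().ToUpper() } }

# Index the vCenter side by serial number for the reverse lookup.
$known = @{}
foreach ($h in $hosts) { $known[$h.SerialNumber] = $h }

$report = @(
    # Every host vCenter knows about, flagged if the vendor does not list it.
    foreach ($h in $hosts) {
        [pscustomobject]@{
            SerialNumber = $h.SerialNumber
            VMHost       = $h.VMHost
            Model        = $h.Model
            Status       = if ($vendor -contains $h.SerialNumber) { 'Matched' } else { 'In vCenter only' }
        }
    }
    # Every vendor serial that no managed host reports.
    foreach ($s in $vendor) {
        if (-not $known.ContainsKey($s)) {
            [pscustomobject]@{ SerialNumber = $s; VMHost = ''; Model = ''; Status = 'On vendor list only' }
        }
    }
)

$report | Sort-Object Status, SerialNumber | Export-Csv $reportCsv -NoTypeInformation
```

Rows marked "On vendor list only" are hardware that no connected vCenter manages; rows marked "In vCenter only" are hosts the vendor list does not account for.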

I will do my best to update this post with an example of what the results will look like.

I hope you find this post helpful, if so please share with your friends.

Categories
PowerCLI Virtualization Vmware

PowerCLI – vSphere Role Privilege report

So I have been looking for ways to expand my knowledge with PowerCLI. This whole effort came about from going to VMWorld 2019 in San Francisco and seeing presentations by Kyle Ruddy and Luc Dekens. Let me tell you, they did some amazing things in their presentations.

I had been working on a project where I needed to get a list of all of the Non-Standard vCenter Roles along with the privileges assigned to those roles. I am still very new to this whole PowerCLI thing, but my google skills are top notch. I found a blog post on this blog: http://kunaludapi.blogspot.com/

I ran the script to see how well it worked and it worked as advertised. I created a copy of the script on my Github which you can find here: https://github.com/kenbshinn/PowerCLI-Scripts/blob/master/vSphere_Role_Report.ps1

I hope you find this post helpful, and if you do please share it with your friends and colleagues.

Categories
Virtualization Vmware

How to unlock and reset SSO password in vSphere 6.x (2146224)

So I have a bit of an embarrassing confession to make. I forgot to record the Administrator password for my VCSA Appliance. Total disclosure, I was freaking out and I really thought I was going to have to start from scratch. I did some research and I was surprised to find out that you can actually reset the Administrator account on a VCSA appliance as long as you have the root password for the appliance and you have access to the VCSA Console. Below is a list of the links to the KB Articles from VMware.

Resetting SSO Administrator Password
https://kb.vmware.com/s/article/2034608
Resetting SSO Administrator – VCSA 6.x

Below is the PUTTY session as an example.

[email protected]:~$ ssh [email protected]
ssh: Could not resolve hostname devvcsa01.xxx.xxxxx: Name or service not known
[email protected]:~$ ssh [email protected]
The authenticity of host ‘172.26.44.18 (172.26.44.18)’ can’t be established.
ECDSA key fingerprint is SHA256:7E4K1HVpg2ExWz+vEkkRdJ0M5jUYftb3HZw6OSDKFEICSOEPWWKYERe4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.26.44.18’ (ECDSA) to the list of known hosts.

VMware vCenter Server Appliance 6.5.0.21000

Type: vCenter Server with an embedded Platform Services Controller

Password:
Connected to service

    * List APIs: “help api list”
    * List Plugins: “help pi list”
    * Launch BASH: “shell”

Command> shell.set --enabled true
Command> shell
Shell access is granted to root
[email protected] [ ~ ]# /usr/lib/vmware-vmdir/bin/vdcadmintool

==================
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
6. Get vmdir state
7. Get vmdir log level and mask
==================

3
  Please enter account UPN : [email protected]
New password is –
/a+p|8M?vRl`%”p4*+oZ

==================
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
6. Get vmdir state
7. Get vmdir log level and mask
==================

Once you go through all these steps you are now able to log into VCSA with that temporary password that you are given and you are also able to reset it as well.

I hope you find this post helpful, and if you do please share it out to your friends.

Categories
PowerCLI Virtualization Vmware

Getting past Certificate issue in Power CLI

So I recently started working more with PowerCLI. After my time at VMWorld 2019 (which I will cover in another post) I realized how powerful PowerCLI actually is (pun not intended). In starting to work with PowerCLI I came across the following message while trying to connect to my vCenter:

Connect-vIServer : xx-x-xxxx xx:xx:xx Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you’d like to connect once or to add a permanent exception for this server.

I did some googling and I found this article, so shout out to Ivo Beerens for his article.

https://www.ivobeerens.nl/2018/07/18/quick-tip-powercli-invalid-server-certificate-error/

In his article he goes on to share this command

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

After putting that into PowerShell and pressing enter you will no longer get the Invalid Certificate message.
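Ignore turns off server certificate validation for every later Connect-VIServer call in whatever scope it is set. The added example below (not from the original post or from Ivo Beerens's article) shows the alternative of trusting the vCenter's root CA and keeping validation on; the server name and certificate path are placeholders, and it assumes Windows PowerShell with the root CA file obtained from the vCenter administrator out of band.

```powershell
# Added example: placeholders, not values from the post.
$vCenter    = 'vcsa.example.test'          # hypothetical vCenter FQDN
$rootCaFile = 'C:\temp\vcsa-root-ca.cer'   # assumed path to the root CA certificate

# 1. See which scope (Session, User, AllUsers) currently carries which setting.
Get-PowerCLIConfiguration | Select-Object Scope, InvalidCertificateAction

# 2. Inspect the CA certificate before trusting it.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($rootCaFile)
$ca | Format-List Subject, Issuer, Thumbprint, NotAfter
if ($ca.NotAfter -lt (Get-Date)) {
    throw "Root CA certificate expired on $($ca.NotAfter)"
}

# 3. Trust it for the current user only (Windows may show a confirmation dialog).
Import-Certificate -FilePath $rootCaFile -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# 4. Make PowerCLI refuse servers whose certificate does not validate.
Set-PowerCLIConfiguration -InvalidCertificateAction Fail -Scope User -Confirm:$false | Out-Null

# 5. Connect using the name that appears in the server certificate;
#    connecting by IP address fails validation if the certificate only lists the FQDN.
try {
    Connect-VIServer -Server $vCenter -ErrorAction Stop
}
catch {
    Write-Warning "Connection refused: $($_.Exception.Message)"
}

# Lab-only fallback: limit Ignore to the current PowerShell session
# instead of persisting it for the user.
# Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope Session -Confirm:$false
```

A Session-scope value overrides the User and AllUsers values, so the output of step 1 shows which setting is actually in effect.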

I hope you found this post helpful, I will be posting about some of the scripts that I have been posting on my Github. Please share with your friends if you found this helpful.

Categories
Virtualization Vmware

All vCenters not showing up after adding a new one to an SSO Domain

As I have mentioned before, the company I work for had a disaster event that took place almost a year ago and because of that we have had some of our infrastructure duct taped together.

Today I am proud to say that I had the opportunity to rip off another piece of that duct tape and actually move our Virtual Infrastructure forward.

You see, Pre-Disaster we had a single vCenter appliance which managed 3 sites. (Yes I know… yuck)

But, because of the disaster we had to move all of our services from the 1 site to the other 2. In the middle of the DR event I had to create 2 VCSA appliances to be able to manage the 2 sites, and due to a lack of sufficient network connectivity at the time, they were just islands. I even set them up as separate SSO Domains.

Fast forward to today, and I have now consolidated these 2 SSO Domains down to 1 and I must say it is pretty slick.

I did however run into a bit of an anomaly, which is the purpose of my post today. You see on the VCSA appliance that was added to the existing SSO domain, I discovered that I could see the first VCSA Appliance in the vSphere Web Client as well as its inventory which was awesome!

However on the vSphere Web Client of the Original VCSA Appliance, I can only see the 1 VCSA Appliance.

I consulted Dr. Google but found nothing at first, until I came across this post on the IBM Cloud for VMware Solutions site.

It turns out that you need to restart the vSphere Web Client in order for the new vCenter server to appear.

Just in case the link dies I will post the resolution here:

This is a known VMware 6.5 issue.

To resolve the problem, you must restart the vSphere Web Client:

Using the root account, connect over ssh to the vCenter VM (virtual machine) of the previously ordered instance.
Type shell to enter the bash shell.
Enter service-control --stop vsphere-client to stop the client.
Enter service-control --start vsphere-client to restart the client.
After the vSphere Web Client of the previously ordered instance is restarted, confirm that the vCenter Server system for the newly added secondary instance is visible in the vSphere Web Client.

NOTE: Rebooting the VCSA Appliance will also resolve your issue.

I hope you found this helpful, and if so please let me know and share with your friends.

Categories
Virtualization Vmware

Unable to log into a new VCSA Appliance added to an SSO Domain

So today I ran into an interesting issue. I was adding a new VCSA appliance to a preexisting SSO domain for a post that will come out in the coming weeks and I discovered a few things.

First of all, I learned that there are not many blogs covering this so I figured I would make a post just in case I get hit with a brick and forget.

So I ran through the install of the new VCSA appliance and selected all the settings as you would normally do. However when the installation completed it said everything was fine and I should be able to log in at the new URL.

I opened the URL and tried to log in…. and It failed. This being the first time I have tried this I was not sure what to expect, and here is what I mean:

The Platform Services Controller (or PSC) is responsible for authentication to vSphere. That being said I figured I might be able to log in with my Domain credential…. I was wrong.

So I then tried logging in with the Administrator Credentials for the SSO Domain…. that too did not work.

I then logged into the vSphere Web Client for the First VCSA to see if I could see what is going on over there. It turns out, from an SSO Perspective, everything was running great. I went to see if I could reset the Administrator password and discovered that I must not have had enough coffee this morning. You see, because vSphere is based on some form of Linux Kernel, I forgot to take into account that THE USER NAME IS CASE SENSITIVE!!!!!

So I went back to the login screen and logged in with the correct credentials and IT WORKED!!

Now to figure out why AD Authentication was not working…..

Well it turns out that that lack of coffee I mentioned earlier came back to bite me yet again <face palm>

Although the SSO component was working and showed my AD domain as a valid and default authentication source, it doesn’t mean squat if the server is not a member of the Active Directory Domain. A quick add to AD and a reboot later and we were in business.

Lesson Learned:

1. Don’t skip out on Coffee
2. Linux based credentials are Case Sensitive
3. Drink more Coffee
4. Make sure that host is added to AD before you try to authenticate.

I hope you found this helpful and if I ever get around to it I will add screen shots for a more TL;DR experience.

Categories
Tools Virtualization Vmware

Tools Discussion – VMWare Converter Standalone

Today I wanted to talk about VMware Converter Standalone which has been a constant in my bag of tricks for a long time. VMware Converter is a tool that allows you to convert a Physical Machine to a Virtual Machine which can run on a VMware ESXi host or VMware Workstation / Player. You can also use VMware Converter to resize Virtual machines or even convert them from Thick Provisioned virtual disks to thin.

Before VMware Converter was a free Standalone product, it was an add-on to vCenter (version 3-4.1 if my memory was correct) that was licensed by VMware. It enabled you (much like it does now) to convert a physical machine and turn it into a Virtual Machine. Pretty Sweet huh?!

Somewhere between vSphere 4 and 5 they decided to remove it from vCenter as an add-on and make it a separate product and best of all made it free!

During the installation process you are now asked to decide if you are doing a standalone installation or a Client Server install. I will probably do an install guide for this later so I can discuss further as both have their merits.

If you are interested in getting a copy of VMware Converter Standalone you can follow this link. It will also be available on the Tools page once this post goes live.

I hope you found this post helpful and please check back later for more articles.