VMware Enhanced Authentication Plugin Not Working

For several versions of vSphere vCenter it is possible to logon with your windows credentials. Making it easier to only tick a box and logon instead of typing your username and password.
This nice and neat trick is done via the VMware Enhanced Authentication Plugin.
The only issue… it does need to work every time, else it is going to be an annoyance.
And , yes, it became an annoyance for me… especially when using Firefox.
So let me give you to possible solutions

Continue reading “VMware Enhanced Authentication Plugin Not Working”

Issue 2 – bypassing the fingerprint cache message when using PLINK

This article is part of a series of articles about issues I encountered during implementation of a vSphere stretched cluster based on vSphere 6.7 U1.
You can find the introduction article here

Issue 2

For some configuration settings I need SSH access to the host.  I use plink.exe to execute instructions through the SSH session. One issue, the first time when you connect with plink you get a message about storing the fingerprint ID in the cache. Normally you would accept this when using putty. But now this is going to be a challenge.
On some other blogs I found the solution. You echo the ‘Y’ which results in storing the ID in the cache.
In my code I now  call plink two times. The first time to accept the fingerprint, the second time to execute the command.
Why two times ? Well, I can’t assume that the fingerprint ID is already known.
The first plink instruction is a simple exit, we only want to check if we can logon.

$credential=get-credential
$plink="d:\plink.exe $hostname -l "+ $credential.username + " -pw " + $credential.getnetworkcredential().password
$command="ls"
invoke-expression ("echo Y | " + $plink +  " -ssh exit")
invoke-expression ($plink + " "+ $command)

Issue 1 – changing root password

This article is part of a series of articles about issues I encountered during implementation of a vSphere stretched cluster based on vSphere 6.7 U1.
You can find the introduction article here

Issue

All the hosts are delivered with 6.5 U2 pre-installed, and they have their own root password. For the implementation we want to have just one general root account password. So after adding all the hosts to the cluster I want to change the root password with powercli. But I tripped over a bug in get-esxcli (thanks to this thread ). The ‘&’ character is not correctly being interpreted when using get-esxli.
The script I wrote checks if the new password contains that character and will kindly ask to change it. After succesfull validation of the password it will apply it to all selected esxi hosts.
I

#-- select one or more hosts
[array]$esxiHosts=get-vmhost | select name | sort | out-gridview -Title "Select one or more ESXi Hosts"-OutputMode Multiple
if ($esxiHosts.count -eq 0) {
write-host "No host(s) selected, will exit." -foregroundcolor yellow
exit
}
#-- ask for root password and validate it agains known bug
Do {
$newCredential = Get-Credential -Username root -Message "Enter the password for the ESXi root account."
$isValid=$true
if ($newCredential.getNetworkCredential().Password -imatch "[\&]") {
$isValid=$false
write-host"Password contains character & which get-esxcli can't handle (bug)..... please consider a different password." -foregroundcolor yellow
}
}
until ($isValid)

#-- change root password for all selected esxi hosts
foreach ($esxiHost in $esxiHosts) {
$esxiHost=get-vmhost -Name -$esxiHost.name
$esxiCli=get-esxcli -v2 -vmhost $esxiHost
$arguments=$esxcli.system.account.set.createArgs()
$arguments.id=$newCredential.UserName
$arguments.password=$newCredential.GetNetworkCredential().password
$arguments.passwordconfirmation=$arguments.password
try {$esxcli.system.account.set.Invoke($arguments)}
catch{write-host "Setting password failed for " $esxiHost.name -ForegroundColor Yellow}
}

Use customer VPN via encrypted VM

in my job as a consultant I often work for a short period for customers. Most of the time they have a solution in place for working remotely. Or by using a laptop from them, or by a VPN portal.
To have the oppertunity to work remotely is a blessing. But when it is, using their VPN portal… well…. most of the time you have some issues. Why ?
Well, most of the time the VPN client will limit the use of your laptop. all your internet activity is send through the tunnel….via the customer…. hmmm I have nothing to hide, but it is not a desirable situation in my opinion.

Continue reading “Use customer VPN via encrypted VM”

new category – Tools

I was thinking, why don’t I start a blog series on the tools that I use for my work ?
I know, there are several articles out there about why you should certain tools, and I know that my setup isn’t the answer to all problems…. but hey why not share it, maybe even get some feedback / input etc….

So there is a new category born, called tools. Articles about tools and tips will be placed under this category.

Issues I encountered with a stretched cluster implementation on 6.7 U1

At the moment I’m busy with a stretched cluster implementation based on vSphere 6.7 U1. Most of the configuration is straight forward. But I encounter some snags.
So this post is about these snags, and how I solved them.

For configuring 16 hosts I use a lot of powerCLI. Why ? Well I have some issues with host profiles, and not the time (yet) to figure out what is going on.
Edit: I found out what the issue is, I’ll explain it in Issue 3.

I encountered the following issues

Change All Services icon through Rest API of vRA

A blog on my experience in using postman to change the All Services icon off vRA 7.2

Since vRA 7.1 you can change the “All Services” icon.
VMware has an article here on how to change this through the API.
I thought, maybe you could also do this via Postman. Which would also be a good exercise (for me) in understanding and using the Rest API via Postman.
The article below is one of many ways to solve this issue, feedback is welcome in the comments below.

Continue reading “Change All Services icon through Rest API of vRA”

Kanban with Outlook

For a while now I’m looking for ways to implement kanban in my workflows.
I do see the benefits, and I’m aware that it is not the golden solution for everything.

Requirements:

  • I need a visual representation of my WIP (work in progress)
  • not too much hassle like, logging on to different websites
  • not in public enviroments
  • direct accesible from my tooling (a.k.a. business laptop)
  • Intergration with task functions already available in my tooling (a.k.a. outlook tasks)

So I did a google on outlook and kanban. And after some searching I found this site. Which looks like a nice solution, using my outlook software etc…
So I tried to implement it.

And had one problem…. For security reasons the functionality to add a home page to an outlook folder has been disabled. And I understand it. But still wanted to see how this free solution would work.

So I found a site about enabling the home page function again. This site
The first option didn’t work for me, but adding the key  “EnableRoamingFolderHomepages”=dword:00000001 to [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]  was the magic I needed.

For now this solution will do. Using familiar software to get accustomed with using kanban.

restore data from Synology backup using virtual DSM

It happened to me…. 

A crash off all my disks in a Synology DS 412+. Yeah….. For sometime my disks reported problems… but I thought.. just wait a few months more… then I can buy new disks…
But in the end…. the disks crashed all together.
I know what your first response is…. did you make backups ??
Answer: Yes. Yes I did.

How to restore

I used synology Hyper backup to make backups off my photos, documents and music folder to an external USB drive. And I new that these backups where very recent.
But to access this data  I had to restore it and needed a working Synology DSM. My options were:

  1. buy at least 2 new disks and re-install the DS 412+
  2. Find a friend with a DSM and use his/her DSM to restore my data and to move it into a cloud storage
  3. Looking into running DSM virtual

I choose option 3. Why ?
Well…. I was interested if it could be done.
Technicaly it could be possible. I had VMware workstation running on my laptop and new about xpenology. After some searching on the internet I found this  https://www.youtube.com/watch?v=a8YUq2QGhks
So it could be done….

Running DSM virtual

After some experiments I got it working, running DSM 6.x in a VM under VMware workstation 12.
I created a virtual DSM according to others blogs. Added a disk (VMDK) 200 GB in size. (large enough to restore a backup-set).
Then I started the DSM, did the usual configuration. Made a no-raid raid config with one disk. Created the volume in the newly created raid set. installed some DSM apps (at least the hyper-backup application).
And restored a backup from my external USB drive.

Moving data in to the cloud

Yes !!!!…. I had found a way to acces my data… but where should I store it ?
I used the Cloud sync app to sync the restored data to a cloud storage provider. If the provider supports webdav then it is possible to sync your local data to it. I needed to keep this running for several days due to the upload bandwith of my internet provider. but in the end I had my data accesible again.
xpenology and virtualization saved the day.

VCSA 6.5 with subCA Gotcha’s

One of my projects recently was migrating from a vSphere 5.5 enviroment, running on Widows OS, to vSphere 6.5 running on VCSA.
VMware did a good job with the tools for migrating to VCSA 6.5.

In vSphere 5.5 it was a challenge to replace the self-signed certificates, especially if they where expired…. From 6.0 on VMware introduced certificate managed for the vSphere enviroment. And where the PSC would be the CA for the vSphere enviroment.
With this, you can choose to let vCenter be a subCA in your PKI infrastructure.

You can find enough how-to’s for configuring the VCSA as a subCA. Like  here:

I just want to add some Gotcha’s, maybe you think ‘Yeah, of course…. duh….. why don’t you know that…’ well… then that Gotcha’s wasn’t meant for you 🙂

Gotcha’s

  1. file access to VCSA
  2. certificate names
  3. issuing the subCA certificate on a windows offline root CA

Gotcha 1  – File access to VCSA

At some point you need to download the CSR (certificate request) and copy it in your PKI enviroment. The most common method is to use SCP for file access… but the shell of the VCSA doesn’t support this by default.
This is what you need to do:

  1. allow SSH and bash access to VCSA
  2. Login as root into the VCSA with a ssh-client
  3. access the shell
    >shell
  4. change the shell for root to bash shell
    >chsh -s “/bin/bash” root
  5. Run winscp (or any other SCP client) and connect to the VCSA

To change the shell setting back to its original configuration, run
>chsh -s “/bin/appliancesh” root

Gotcha 2 – certificate names

This was a, a-yes-off-course moment…. but it did cost me some headache….

When running the steps to configure the VCSA as a subCA in your PKI, you get a few times the question

Enter proper value for ‘Name’ [Default value : CA] : ……

Make sure you use unique names here. This is the name of a certificate that is going to be generated for you. The certificate manager doesn’t check these settings, and in the end it will make a rollback…. a.k.a. waste of time.

My suggestion is for a naming convention: <hostname>-<file name being configured>
For instance, when your VCSA hostname is: VCSA-01 and your busy with the questions for the vpxd.cfg file, then the value you would enter would be ‘VCSA-01-vpxd’
But you are (off course) free to choose your own. Just make sure that these values are unique.

The certificate manager is asking values for the following files:

  • MACHINE_SSL_CERT.cfg
  • machines.cfg
  • vsphere-webclient.cfg
  • vpxd.cfg
  • vpxd-extensions.cfg
  • certool.cfg (used to creating the subCA CSR)

Gotcha 3 – issuing the subCA on a windows offline root CA

As a good practise, the CA is installed on a windows server that is not part of the AD domain and normally is powered off.

When requestion a certificate you normaly would use a browser and go to the url <hostname subca>/certsrv. But if this isn’t available on a offline root, you can use the cmd-line.

The cmd is:
> certreq -submit -attrib CertificateTemplate:<name of CA template> <filepath of CSR>

Steps to issue a the subCA certificate

  1. create the CSR with the certificate-manager in the VCSA
  2. copy the CSR to the offline root server (see gotcha 1 for scp file access)
  3. request the certificate with the cmd-line command
  4. open the certificate authority
  5. find the requested certificate under ‘pending requests’
  6. issue the certificate
  7. export the certificate to a file (export Binary data -> Binary Certificate )
  8. import the new certificate under local machine in the personal location
  9. export the imported certificate as a base64 certificate
  10. export the rootCA certificate as a base64 certificate
  11. create a chain file by adding first the subCA file content and then the rootCA file content into the chain file
  12. copy the chain file to the VCSA
  13. (shutdown  the offline root server)