vCheck script not running for VCSA?

[acme2000h]

While the script is working fine for Windows based Virtual Centers. It's not caching credentials for the service account used for scheduling the task.

I tried to run the script with -Verbose syntax to check what was going wrong. It prompts me for Creds. And also found that instead it was acquiring my Creds instead.

VERBOSE: Attempting to connect using SSPI VERBOSE: Reversely resolved 'vc02.local.corp' to 'vc02.local.corp' VERBOSE: SSPI Kerberos: Acquired credentials for user 'local.corp\acme2000h' VERBOSE: SSPI Kerberos: InitializeSecurityContext failed for target 'host/vc02.local.corp'. Error code:

[Sneddo]

Been a while since I setup our VCSA, but from memory you may get this if your AD identity source is not set to the default domain in SSO, and possibly needs to be AD (integrate) rather than LDAP.

But it definitely works :)

[alanrenouf]

I saw this issue recently with a customer and this KB helped... http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2050701

Does this help?

[acme2000h]

Thanks for reply guys. The SSO is set as recommended above. Alan, I have tried the above KB and currently it is set as "passwd: compat ato lsass". Still is not working.

Any other thing which needs to be checked.

[Sneddo]

Are you running 6.x or 5.x? I vaguely remember someone else having issues with 6...

[acme2000h]

It's latest version which is 6.23!

[Sneddo]

Yeah sorry, I meant VCSA version :)

[acme2000h]

Ohh! Yes...the VCSA version is 5.5 update 3

[acme2000h]

Hey guys! Did you have look into this issue?

[alanrenouf]

Just wondering if you have tried logging into an interactive session as this user and ticking the box in the UI that passes through the logged on user creds, i want to see if its PowerCLI or a VC config issue

[acme2000h]

Ticking the box in UI? I didn't get that part?

[acme2000h]

The account which I am using for scheduled job is not allowed to logon to the server interactively. Is there something else you would like me to try?

[acme2000h]

Hi Alan, I am still awaiting to hear something on this issue!

[acme2000h]

Hi Alan,

I have enable interactive login for the said user. I am able to login to server using RDP. While running the vCheck script it is always asking for credentials.

Please help me out with this one. I know you may be busy. There may be many more like me who would be facing this issue.

[acme2000h]

Hi Alan,

I also tried to tick the box while connecting to VC but it say windows creds cannot be used to login to this server. I guess its due to VCenter been VCSA.

[Sneddo]

Nah, VCSA works fine as I mentioned before. I'm planning to update to 5.5 U3b this week so will test with it (currently on update 2e) as it may be an issue with Update 3.

Otherwise, it may be your SSO config.

[acme2000h]

Thanks for the update Sneddo. Let me know the results. I'll be waiting.

[monahancj]

We've been running vCheck for years and never had a problem with a scheduled job running in Task Scheduler. Our vCheck jobs are configured the same as any other scheduled task. Do you have other scheduled tasks working on the server running the vCheck report? If not maybe try to get a simple one working first. It could be as simple as "Get-Date > C:\Temp\test.txt" in "schedtasktest.ps1

Currently we're running v6.0 of VCSA and ESXi.

On our Windows 2008 R2 server the job is configured with:

General tab

-When running the task, use the following user account: domain\serviceaccount (My note- this is in the local admins group.) -Run whether use is logged on or not -Run with the highest privileges

Triggers tab

-Daily, At 1:00am every day

Actions tab

-Action: Start a program -Details:

-Program/Script: C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -Add arguments: -PSConsoleFile "C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\vim.psc1" & "C:\Scripts\vcheck6\vcenter202\vCheck.ps1"

Conditions tab

Not important

Settings tab

-Allow task to be run on demand (My note- helpful for testing) -Run task as soon as possible after a scheduled start is missed -Stop the task if it runs longer than: 8 hours (My note- 8 hours is what we do. Pick a value that makes sense to you.) -If the running task does not end when requested, force it to stop -If the task is already running- Do not start a new instance

History

Not important

On Tue, Jan 12, 2016 at 6:57 AM, acme2000h notifications@github.com wrote:

Thanks for the update Sneddo. Let me know the results. I'll be waiting.

— Reply to this email directly or view it on GitHub https://github.com/alanrenouf/vCheck-vSphere/issues/426#issuecomment-170889735 .

[Sneddo]

Confirmed that vCheck is working fine against 5.5 Update 3b VCSA, so this seems to be a configuration issue.

[acme2000h]

Senddo, what will be the ideal configuration for this to work. Will you please elaborate?

[Sneddo]

It may be different in your environment, but for us we have our VCSA configured as follows:

• VCSA 5.5 Update 3b, joined to domain

In SSO config:

• Identity source defined for our domain, using machine account, and set to default provider.

In vCenter:

• Read-only role applied to AD Group containing the user that runs vCheck,