vmware-archive / webcommander

Powerful, flexible, intuitive and most importantly simple. That is what a real automation solution should be. No matter how complicated the task is, we'd like to turn it into a single click. Is that possible? Not without webcommander :)
MIT License

Windows Integrated Authentication #180

Open davide-96 opened 7 years ago

davide-96 commented 7 years ago

Is there an option to make Windows authentication work on webcommander? When I run Connect-VIServer from the Windows Server with PowerCLI, I can connect without having to type a username and password, because the current user credentials are used to connect to my vCenter. However, on webcommander it's not working. When I run the PS script whoami from webcommander, I get back my username (Domain\user), but if I type $env:username I get back the machine user (Servername$). Maybe I have to configure IIS or webcommander to pass through the current user credentials.

Any help would be great.

Thanks in advance


9whirls commented 7 years ago

get-help about_server_authentication -full


Authenticating with a vSphere or vCloud server.


LONG DESCRIPTION

When connecting to a vSphere or vCloud server, you need to authenticate by providing valid credentials. PowerCLI follows a certain logic for authenticating a server session. When you connect to a server with the Connect-VIServer or Connect-CIServer cmdlets, you can provide either a user name and password through the User and Password parameters, or a PSCredential object through the Credential parameter. If you provide both User/Password and Credential, the cmdlet accepts only the value of the Credential parameter and discards the User and Password parameters.


When you run the Connect-VIServer or Connect-CIServer to establish a server connection, you can use the Credential parameter to provide a PSCredential object that contains credentials for the specified server. If the provided credentials are not valid, the cmdlets show an error message.


Instead of providing a PSCredential object, you can directly specify a user name and password through the User and Password parameters of Connect-VIServer or Connect-CIServer.

If you specify only the User parameter without providing a value to Password, the cmdlet searches the credential store for credentials that correspond to the specified server and user. If such a credential is found, the cmdlet uses it to authenticate with the server. If no such a credential is found, you are prompted to provide credentials.

If you run Connect-VIServer or Connect-CIServer without specifying the User, Password, or Credential parameters, the cmdlet searches the credential store for available credentials for the specified server. If only one credential object is found, the cmdlet uses it to authenticate with the server. If none or more than one PSCredential objects are found, the cmdlet tries to perform a SSPI authentication. If the SSPI authentication fails, the cmdlet prompts you to provide credentials.

Note: If PowerCLI runs in a non-interactive mode, Connect-VIServer and Connect-CIServer will not prompt you for new credentials after the server authentication fails. To try to authenticate using new credentials, run the cmdlet again.

Send feedback to docfeedback@vmware.com | Copyright (C) VMware, Inc. All rights reserved. Protected by one or more U.S. Patents listed at http://www.vmware.com/go/patents.

9whirls commented 7 years ago

Based on the PowerCLI help above, I don't think Connect-VIServer automatically uses the credential of the current user. Instead, the credential must be defined and stored previously by some other commands.

9whirls commented 7 years ago

Here is more information about the credential store of PowerCLI: https://blogs.vmware.com/PowerCLI/2011/11/have-you-seen-powerclis-credential-store-feature.html

davide-96 commented 7 years ago

When Windows Integrated AD is configured on the vCenter Server, then it's possible to connect without having to type a username and password. This is only possible if the user and client computer are logged in to the same domain as the vCenter Server. My problem is that since the client computer from which I access the webcommander website is a member of a different domain than the webcommander Server, I cannot use Windows Integrated Authentication to log in through webcommander and am therefore also not able to log in to the vCenter using WIA. From the webcommander Server I'm always able to connect.

9whirls commented 7 years ago

Would you please run Get-VICredentialStoreItem and see if there is any stored credential? Meanwhile, this is not related to your client machine where you open a browser to access webcommander. When you use Windows authentication and impersonate on IIS, you are running the script as the user with whose credentials you log in to webcommander. You are supposed to enter his username and password when you navigate to webcommander.
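
The lookup order quoted from about_server_authentication and the Get-VICredentialStoreItem check suggested above, as an added example (not part of the thread, and not webcommander or PowerCLI code): a PowerShell function that reports which path Connect-VIServer would take for a server and which identity an SSPI attempt would use. The function name Get-VIAuthPath, its switches and the server name vcenter.example.test are hypothetical, and using [Environment]::UserInteractive to stand in for "non-interactive mode" is an assumption.

```powershell
# Added example (not webcommander or PowerCLI code). Assumes the VMware PowerCLI
# module is installed; 'vcenter.example.test' is a placeholder server name.
function Get-VIAuthPath {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $User,
        [switch] $HasPassword,    # caller will also pass -Password
        [switch] $HasCredential   # caller will pass -Credential
    )
    # Identity of the current thread. Under IIS impersonation this can differ
    # from $env:USERNAME, which is a process environment variable.
    $runningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Assumption: a session that is not user-interactive cannot prompt.
    $fallback = 'prompt for credentials'
    if (-not [Environment]::UserInteractive) { $fallback = 'fail without prompting' }

    $storeArgs = @{ Host = $Server; ErrorAction = 'SilentlyContinue' }
    if ($User) { $storeArgs.User = $User }
    $items = @()

    if ($HasCredential) {
        $path = 'Credential parameter (User and Password are discarded)'
    } elseif ($User -and $HasPassword) {
        $path = 'User and Password parameters'
    } else {
        # Only now is the credential store consulted.
        $items = @(Get-VICredentialStoreItem @storeArgs)
        if ($User) {
            if ($items.Count -ge 1) { $path = "stored credential for $User" }
            else { $path = $fallback }
        } elseif ($items.Count -eq 1) {
            $path = "stored credential for $($items[0].User)"
        } else {
            # None, or more than one, stored credential: SSPI is tried next.
            $path = "SSPI as $runningAs, then $fallback"
        }
    }
    [pscustomobject]@{
        Server = $Server; RunningAs = $runningAs; EnvUserName = $env:USERNAME
        StoreItems = $items.Count; AuthPath = $path
    }
}

Get-VIAuthPath -Server 'vcenter.example.test'
```

Running it once from a console on the webcommander server and once through webcommander shows whether RunningAs and StoreItems differ between the two contexts.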

MichaelMc64 commented 4 years ago

"When Windows Integrated AD is configured on the vCenter Server, than it's possible to connect without to have to type username and password." Is this documented somewhere? This is the ONLY way we log in to vCenter in our environment. When I attempt Connect-VIServer -server -Verbose, I get the following error: "Could not establish trust relationship for the SSL/TLS secure channel with authority ''."