vRealize Orchestrator and Microsoft Powershell Double Hops

I recently started automating Microsoft DNS, and the best way in seems to be through PowerShell.


One of the common ways to reach it from vRealize Orchestrator (vRO) is through a PowerShell host defined in vRO.
You set it up securely with HTTPS and Kerberos and specify the credentials of a user with enough rights on the DNS server to see and manipulate the zones and records you want to automate.

So far so good, and you start developing the PowerShell commands you need.

Resolve-DnsName (Get-ADDomain).DNSroot -type ns | ? {$_.type -eq "A"} | select name,Address,IP4Address,IPAddress | ConvertTo-Json -depth 1 -Compress

Get-DnsServerZone -ComputerName (Get-ADDomain).DNSroot

Get-DnsServerResourceRecord -ComputerName (Get-ADDomain).DNSroot

They all work nicely when you run them interactively on the PowerShell host, but once you run them from vRO through the PowerShell session you run into the double-hop authentication problem: vRO (server A) authenticates to the PowerShell host (server B), and server B cannot forward that identity on to the DNS server (server C).

There are many ways to deal with this, but often you need to tinker with both the PowerShell host (server B) and the endpoint (server C).

Looking at New-PSSession, one might start building the command on the PowerShell host (server B) like this:

$Server01 = New-PSSession -ComputerName ServerC

This leads to permission denied, because the service account does not have permissions on server C.

$Server01 = New-PSSession -ComputerName ServerB

This also leads to permission denied, because you don't bring fresh credentials along.

$cred = New-Object System.Management.Automation.PSCredential ($username,$password) 
$Server01 = New-PSSession -ComputerName ServerB -Credential $cred

This just creates a new double-hop scenario.

Perhaps starting a New-CimSession on the PowerShell host might solve the issue. Carrying too much over from the New-PSSession attempt, one tries:

$cs = New-CimSession -ComputerName localhost -Credential $cred;

This also creates a double-hop issue. The simplest solutions are often the hardest to see:

$cs = New-CimSession -Credential $cred; Get-DnsServerZone -ComputerName (Get-ADDomain).DNSroot -CimSession $cs

This finally gives the result one wants, from vRO through the PowerShell host. The CIM session is created locally on the PowerShell host with explicit credentials, so the DNS cmdlet's connection to the DNS server is a single, freshly authenticated hop rather than a delegated second one.

A more complete example of how to use this from vRO:

var sess;
sess = powershellHost.openSession();
var username = powershellHost.getHostConfig().username;
var password = powershellHost.getHostConfig().password;
var cmd = '';
// Double any single quote so a password containing one cannot break out of the PowerShell literal
cmd += "$username = '" + username.replace(/'/g, "''") + "';";
cmd += "$password = '" + password.replace(/'/g, "''") + "' | ConvertTo-SecureString -AsPlainText -Force;";
cmd += "$cred = New-Object System.Management.Automation.PSCredential($username,$password);";
// No -ComputerName: the CIM session is local to the PowerShell host, carrying fresh credentials
cmd += "$cs = New-CimSession -Credential $cred;";
// ConvertTo-Json is required for the JSON.parse below; without it the host output is a formatted table
cmd += "Get-DnsServerZone -ComputerName (Get-ADDomain).DNSroot -CimSession $cs | ConvertTo-Json -Compress";
sess.addCommandFromString(cmd);
var invResult = sess.invokePipeline();
var zones = JSON.parse(invResult.getHostOutput());
// Release the session on the PowerShell host when done
powershellHost.closeSession(sess.getSessionId());
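The same pattern as a reusable vRO action, added here as an example and not code from the original post. It separates the pure parts (building the PowerShell pipeline string with proper single-quote escaping, and normalizing the JSON that comes back) from the vRO plugin calls, so the builder and parser can be tested outside vRO. The function names `psLiteral`, `buildDnsCommand`, `parseDnsOutput` and `runInVro` are my own; `openSession`, `addCommandFromString`, `invokePipeline` and `getHostOutput` are the plugin calls already used in the post, while `closeSession`, `invocationState` and `getErrors` are taken from the PowerShell plugin's standard sample action and are not on this page. The cmdlet whitelist is a design choice for a read-only DNS action, not something the plugin enforces.

```javascript
// Quote a value as a PowerShell single-quoted literal. Inside '...' PowerShell does no
// interpolation; the only character that needs escaping is the single quote, which is
// doubled. Without this, a credential containing an apostrophe would terminate the
// literal and the remainder would be executed as PowerShell.
function psLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Build the pipeline sent to the PowerShell host: fresh credential -> local CIM session
// with that credential -> DnsServer cmdlet run through the session -> compact JSON on
// stdout -> session cleanup. cmdlet/params are the DnsServer cmdlet and its parameters;
// the DNS server name is taken from the AD domain as in the original post.
function buildDnsCommand(username, password, cmdlet, params) {
  // Only read-only cmdlets are allowed here (hypothetical policy for this action).
  var allowed = { "Get-DnsServerZone": true, "Get-DnsServerResourceRecord": true };
  if (!allowed[cmdlet]) throw new Error("unsupported cmdlet: " + cmdlet);
  var args = "";
  Object.keys(params || {}).forEach(function (name) {
    if (!/^[A-Za-z]+$/.test(name)) throw new Error("bad parameter name: " + name);
    args += " -" + name + " " + psLiteral(params[name]);
  });
  return [
    "$username = " + psLiteral(username),
    "$password = ConvertTo-SecureString -String " + psLiteral(password) + " -AsPlainText -Force",
    "$cred = New-Object System.Management.Automation.PSCredential($username, $password)",
    // No -ComputerName: the CIM session is to the PowerShell host itself, so the hop to
    // the DNS server is the first authenticated hop for $cred, not a delegated second one.
    "$cs = New-CimSession -Credential $cred",
    "try {",
    "  " + cmdlet + " -ComputerName (Get-ADDomain).DNSRoot -CimSession $cs" + args +
      " | ConvertTo-Json -Depth 2 -Compress",
    "} finally { Remove-CimSession -CimSession $cs }"
  ].join("\n");
}

// Normalize the host output to an array of records. ConvertTo-Json emits a bare object
// for a single result and nothing at all for zero results, so both are handled.
function parseDnsOutput(hostOutput) {
  var text = (hostOutput || "").trim();
  if (text === "") return [];
  var parsed = JSON.parse(text);
  return Array.isArray(parsed) ? parsed : [parsed];
}

// Wiring for vRO (only runs inside vRO, where the PowerShell plugin objects exist).
function runInVro(powershellHost, cmdlet, params) {
  var cfg = powershellHost.getHostConfig();
  var sess = powershellHost.openSession();
  try {
    sess.addCommandFromString(buildDnsCommand(cfg.username, cfg.password, cmdlet, params));
    var result = sess.invokePipeline();
    if (result.invocationState === "Failed") throw new Error(result.getErrors().join("; "));
    return parseDnsOutput(result.getHostOutput());
  } finally {
    powershellHost.closeSession(sess.getSessionId());
  }
}
```

In vRO the action body would be a single call such as `runInVro(powershellHost, "Get-DnsServerResourceRecord", { ZoneName: zoneName })`. Keeping the cmdlet name and parameters out of free-form string concatenation is what prevents a zone name or password with a quote in it from changing the command the host executes.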
