vRealize Orchestrator and Microsoft Powershell Double Hops

-

Recently started automating Microsoft DNS and the best way in seems to be through Powershell.


One of the common ways to deal with this is through a Powershell Host defined in vRO.
You set it up securely with HTTPS and Kerberos and specify the credentials of a user with DNS server rights enough to see and manipulate the content of the zones and records you want to automate.

So far so good, and you start developing the PowerShell commands you might need.

Resolve-DnsName (Get-ADDomain).DNSroot -type ns | ? {$_.type -eq "A"} | select name,Address,IP4Address,IPAddress | ConvertTo-Json -depth 1 -Compress
Get-DnsServerZone -ComputerName (Get-ADDomain).DNSroot
Get-DnsServerResourceRecord -ComputerName (Get-ADDomain).DNSroot

And they all work out nicely when you run them from your Powershell host, but once you run them from vRO in the Powershell session you run into the double-hop auth problem.

There are many ways to deal with this, but often you need to thinker both with the Powershell host and the endpoint (Server C).

When you look at New-PSsession one might be building the command something like on the Powershell host that is ServerB

$Server01 = New-PSSession -ComputerName ServerC

Finding that this leads to permission denied, cause the service account does not have permissions on ServerC.

$Server01 = New-PSSession -ComputerName ServerB

Finding that this also leads to permission denied, cause you don't bring new fresh credentials along.

$cred = New-Object System.Management.Automation.PSCredential ($username,$password) 
$Server01 = New-PSSession -ComputerName ServerB -Credential $cred

Finding this creates a new double-hop scenario

Thinking perhaps if one starts a New-CimSession on the Powershell host might solve the issue.
But bringing too much from the New-PSSession command along.

$cs = New-CimSession -ComputerName localhost -Credential $cred;

Learning this also creates a double-hop issue, finally to arrive at simple solutions often hardest to see.

$cs = New-CimSession -Credential $cred; Get-DnsServerZone -ComputerName (Get-ADDomain).DNSroot -CimSession $cs

Finally getting the result one wants, from vRO through the Powershell host.

More complete how to use in vRO

var sess;
sess = powershellHost.openSession();
var username = powershellHost.getHostConfig().username;
var password = powershellHost.getHostConfig().password;
var cmd = '';
cmd += "$username = '" + username + "';";
cmd += "$password = '" + password + "' | ConvertTo-SecureString -AsPlainText -Force;";
cmd += "$cred = New-Object System.Management.Automation.PSCredential($username,$password);";
cmd += "$cs = New-CimSession -Credential $cred;";
cmd += "Get-DnsServerZone -ComputerName (Get-ADDomain).DNSroot -CimSession $cs";
sess.addCommandFromString(cmd);
var invResult = sess.invokePipeline();
var zones = JSON.parse(invResult.getHostOutput());


Kommentarer

Legg inn en kommentar

Populære innlegg fra denne bloggen

vRA7 to vRA8 migration - Orchestrator

-
Steps to get up and running with vRO 8. Depending on your previous usage of vRO 7 this might the step that requires the most work when you are migrating to vRA8. Attribute Parameter Contains vCAC/vCACCAFE type! cafeHost|vCACCAFE:VCACHost| Switch to vRealize Automation 8 Types Input Parameter Contains vCAC/vCACCAFE type! subtenant|vCACCAFE:Subtenant Switch to vRealize Automation 8 Types Input Parameter Contains Payload Properties! payload|Properties Ensure the selected properties are supported by vRealize Automation 8 The first two will be quite common for everyone who has automated vRA7 using the vRA Plugins for vCAC and vCACCAFE the only working rewrite here is to move to the REST API and redo the work directly. The last one is also heavily used by everyone who relies on the Subscriptions both by pick up information in vRO and sending information back to vRA with " virtualmachineAddorUpdateProperties ". With just about 190 workflows to redo/rewrite or so i gues...
Les mer

vRealize Orchestrator - SSH Keys - Idea for how to easy manage multiple keys

-
Many are using SSH to run commands something similar to  var  passwordAuthentication = false; var password = ''; var session = new SSHSession(hostName, username, port); session.connectWithPasswordOrIdentity(passwordAuthentication, password, path); Where the path leads to the private key file for the connection. Storing several key files in the vRO filesystem could easily lead to forget it when moving to a new vRO or add a new vRO node. Also when moving forward with vRO 8 it's less of a good idea to add elements to the local filesystem as a manual step. My suggestion for a solution is to make use of the vRO resource element. Store your key file as a vRO resource element, using the following step of code can runtime make the key available for SSHSession. var tempDirectory = System.getTempDirectory(); filePath =  tempDirectory + "/" + keyfile.name; keyfile.writeContentToFile( filePath ); Send the private key file as a resource to the action or workflow and you will h...
Les mer

Possible pitfall - duplicate config_admin users - Using vRSLCM as deployment engine

-
Bilde
Some days ago as vRA 8.2 Patch 1 came along we decided to create a new test environment to see the upgrade process. It went rather smoothly as this is not the first environment to be deployed with vRSLCM. Few minutes of prepare vRSLCM and deployment went good, logging on to the new environment and then proceeded to install vRA 8.2 Patch 1.  https://docs.vmware.com/en/vRealize-Automation/8.2/rn/vRealize-Automation-82-releasenotes.html Now all went rather smoothly and we were please with the result. Sometime during the few last days also vIDM was patched to 3.3.3 https://docs.vmware.com/en/VMware-Workspace-ONE-Access/3.3/rn/VMware-Identity-Manager-333-Release-Notes.html And all of a sudden we lost access to our little test environment. As it was only there to test the upgrade patch 1, it was not a large issue, but strange never the less. In this test environment, we did not set up any other access roles, besides the default config_admin user. We could log in with it, but we had no ac...
Les mer