vRO PowerShell Troubleshooting

Mindwatering Incorporated

Author: Tripp W Black

Created: 12/30/2021 at 06:04 PM

 

Category:
VMWare
vRO - VCAC

Error Messages While Attempting to Connect to PowerShell Proxy from vRO.


Error:
If adding the PowerShell host fails with an error similar to the following ("default realm"), check for a misconfiguration of the Kerberos realm (krb5.conf) configuration file, or a misspelling of the login domain suffix.
This error occurs with both Add a PowerShell host and Update a PowerShell host.

Cannot locate default realm (Dynamic Script Module name : addPowerShellHost ... state: ‘failed’, business state: ‘Error’, exception: ‘InternalError: java.net.ConnectException: Connection refused (Workflow:Import a certificate from URL with certificate alias / Validate (item1)#5)


Error:
When changing the service account used by Update a PowerShell host or Add a PowerShell host, you might get an easy-to-read error such as a root CA not being recognized. Sometimes the error is less specific. Since it doesn't mention the CA root, it's likely one of the following:
1. untrusted certificate chain
2. connection reset by a local firewall rule on the PS host/proxy
3. certificate expired
4. old certificate replaced in IIS, but the old certificate is still being referenced by PowerShell

A web browser will likely give an ERR_CONNECTION_RESET (Edge) or PR_CONNECT_RESET_ERROR (Firefox).

'Error', exception: 'InternalError: com.vmware.o11n.plugins.configurator.util.CertificateException: Connection reset (Workflow:Import a certificate from URL with certificate alias / Validate (item1)#5)'



"Bad" Certificate/App ID Troubleshooting Tips:
In IIS Manager,
1. Click on the server's name in the left window pane.
2. In the center pane, scroll down, highlight and double-click Server Certificates to view the current certificate.
3. Still in the center pane, highlight and double-click the certificate listed to open it.
4. Verify the certificate information:
a. Within the General tab, the server name matches the Issued to field. It should list an FQDN.
b. Still within the General tab, today's date is within the Valid from and Valid to dates.
5. Assuming the certificate is valid, within the Details tab, copy and paste out the Thumbprint value for the certificate.
e.g. 00 01 23 45 a0 b1 c2 d3 e4 f5 a6 b7 c8 c9 d8 e7 f6 a5 b4 c3

In a PowerShell window, view the configured SSL (TLS) certificates and their thumbprints on the server. On an older server there are probably old expired certificates as well as the current, valid certificate.
PS C:\> Get-ChildItem cert:\LocalMachine\My
<read output>
Thumbprint ... Subject ...
00012345a0b1c2d3e4f5a6b7c8c9d8e7f6a5b4c3 ... CN=myserver.mindwatering.net, OU=IT, O=Mindwatering, L=MWWF, ...

Note: The thumbprint in the output above should match the value from the certificate's Details tab, just without the spaces. If they don't match, we need to update the certificate bindings to use the current thumbprint.

Now take the thumbprint to the netsh tool and check whether the correct/valid certificate is bound.
To view the SSL (TLS) bindings using netsh:
Start --> Administrative Tools --> Command Prompt
(cmd.exe)

Show the current SSL config:
(cmd.exe)
c:\> netsh http show sslcert
<read output>
Note the Certificate Hash and the Application ID lines.
- Application ID, e.g. {afedc9ab-9a91-9a91-9f95-faf1c12345f1}
- Certificate Hash, e.g. 00012345a0b1c2d3e4f5a6b7c8c9d8e7f6a5b4c3


If the app ID is wrong, or more likely the certificate hash is incorrect, delete the offending entry (or entries) and re-add it:
c:\> netsh http delete sslcert ipport=0.0.0.0:5986



Recreate the entry for that app id with the new/correct hash:
c:\> netsh http add sslcert ipport=0.0.0.0:5986 certhash=00012345a0b1c2d3e4f5a6b7c8c9d8e7f6a5b4c3 appid="{afedc9ab-9a91-9a91-9f95-faf1c12345f1}"
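The checklist above (valid certificate in the store, then the netsh binding) can be done in one pass by script. This is an added example, not from the original article: it finds the newest unexpired certificate for the host in LocalMachine\My, parses the netsh binding for port 5986, and prints the delete/add commands from above when they disagree. The FQDN is an assumed value, and the app ID shown for a missing binding is a placeholder.

```powershell
$HostFqdn = 'myserver.mindwatering.net'   # assumed; use the proxy's own FQDN
$IpPort   = '0.0.0.0:5986'

function Get-SslCertBinding {
    # Parse the Certificate Hash and Application ID lines of "netsh http show sslcert".
    param([string]$IpPort)
    $text  = netsh http show sslcert "ipport=$IpPort" | Out-String
    $hash  = [regex]::Match($text, 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})')
    $appId = [regex]::Match($text, 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})')
    if (-not $hash.Success) { return $null }   # nothing bound on this ipport
    [pscustomobject]@{ CertHash = $hash.Groups[1].Value.ToLower(); AppId = $appId.Groups[1].Value }
}

function Get-ValidHostCert {
    # Newest LocalMachine\My certificate for the FQDN that is inside its validity window
    # and has a private key (the same checks as the IIS General tab, done by script).
    param([string]$Fqdn)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match ('CN=' + [regex]::Escape($Fqdn) + '(,|$)') -and
                       $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert    = Get-ValidHostCert -Fqdn $HostFqdn
$binding = Get-SslCertBinding -IpPort $IpPort
$want    = if ($cert) { $cert.Thumbprint.ToLower() }

if (-not $cert) {
    Write-Warning "No unexpired certificate with a private key for $HostFqdn in LocalMachine\My."
} elseif (-not $binding) {
    Write-Warning "No SSL binding on $IpPort, so HTTPS connections to WinRM will be reset."
    Write-Host "  netsh http add sslcert ipport=$IpPort certhash=$want appid=`"{<winrm-app-id>}`""
} elseif ($binding.CertHash -ne $want) {
    Write-Warning "Binding on $IpPort uses $($binding.CertHash) but the valid certificate is $want."
    Write-Host "Commands to rebind (review before running):"
    Write-Host "  netsh http delete sslcert ipport=$IpPort"
    Write-Host "  netsh http add sslcert ipport=$IpPort certhash=$want appid=`"$($binding.AppId)`""
} else {
    Write-Host "OK: $IpPort is bound to $($cert.Subject), thumbprint $want, valid until $($cert.NotAfter)."
}
```

Run it in an elevated PowerShell window on the PS host/proxy; after rebinding, the WinRM listener's CertificateThumbprint also needs the new value (the winrm create command in the next section).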



Enabling PowerShell for Remote Access:
e.g.
- for Certificate Hash: 00012345a0b1c2d3e4f5a6b7c8c9d8e7f6a5b4c3
- for Hostname: myserver.mindwatering.net
(cmd.exe)
> winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="myserver.mindwatering.net";CertificateThumbprint="00012345a0b1c2d3e4f5a6b7c8c9d8e7f6a5b4c3"}

To open the firewall for remote access:
> netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986

To test/confirm access from a remote Windows PC before adding the host in vRO:
(cmd.exe)
> winrm set winrm/config/client @{TrustedHosts="*"}

(PS command window)
PS> Invoke-Command -ComputerName myserver.mindwatering.net -Port 5986 -Credential (Get-Credential) `
-UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) `
-ScriptBlock { Write-Host "Hello from $($env:ComputerName)" }
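The Invoke-Command test above only reports success or failure. As an added example (not from the original article), the following probe separates the failure modes listed earlier: it connects to the proxy's HTTPS port, records whether TCP and the TLS handshake succeed, and reports the served certificate's name, expiry and chain trust from the client's point of view. The hostname is an assumed value; no WinRM authentication or TrustedHosts change is involved, it is a TLS-level check only.

```powershell
function Test-WinRmTlsEndpoint {
    param(
        [string]$HostName = 'myserver.mindwatering.net',   # assumed value
        [int]$Port = 5986,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{ Host = $HostName; Port = $Port; TcpConnected = $false; TlsHandshake = $false
                     Subject = $null; Thumbprint = $null; NotAfter = $null; NameMatches = $null
                     ChainStatus = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 1: plain TCP connect. A firewall drop or reset shows up here, before TLS.
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $client.EndConnect($ar)
        $r.TcpConnected = $true

        # Step 2: TLS handshake. The callback accepts any certificate so it can be inspected
        # below; a reset here while TCP works usually means the HTTPS port has no usable
        # certificate binding (the netsh sslcert / winrm listener checks above).
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsHandshake = $true

        # Step 3: the same checks as the IIS checklist, done on the certificate actually served.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject    = $cert.Subject
        $r.Thumbprint = $cert.Thumbprint.ToLower()
        $r.NotAfter   = $cert.NotAfter
        # DnsNameList is a PowerShell-added property: subject CN plus SAN DNS entries.
        $r.NameMatches = @($cert.DnsNameList.Unicode) -contains $HostName
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # focus on trust and expiry, not CRL reachability
        $null = $chain.Build($cert)
        $r.ChainStatus = if ($chain.ChainStatus) { $chain.ChainStatus.Status -join ', ' } else { 'NoError' }
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$r
}

Test-WinRmTlsEndpoint | Format-List
```

A ChainStatus of NoError with NameMatches True means the -SkipCACheck and -SkipCNCheck options in the Invoke-Command test above are no longer needed.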



PowerShell Syntax Error with Condition Equal True:
Note: If you get an error 400, it may not be a URL issue but a syntax issue; check the c:\windows\temp log folder (if you used Write-Host) for details.

To test for a variable = True, use one of the following:
# Boolean comparison. The whole condition must sit inside one outer set of
# parentheses; "if ($a -eq $True) -and ($b -eq $False) {" is itself a syntax error.
if (($varNm -eq $True) -and ($varOpen -eq $False)) {
    # ... do something ...
}

# String comparison. Only correct when the variables really hold the strings
# 'True'/'False' (e.g. values handed over as text). If $varOpen is a real [bool],
# $False -eq 'False' evaluates to False, because any non-empty string converts to $True.
if (($varNm -eq 'True') -and ($varOpen -eq 'False')) {
    # ... do something ...
}
