powershellvmwarepowercli

Error invoking a powershell/powercli script via ssh in Windows 2022


I have a weird issue in the execution of a powershell script with powercli components in Windows Server 2022 invoked via ssh from a linux system.

It only works when the invoking user is logged into the Windows Server via VMWare Remote Console (I assume the same would happen if logged in via RDP, cannot try it due to firewall restrictions), otherwise it cannot stablish the connection with the VMWare ViCenter.

We have a web dashboard hosted in a Linux, where operators can launch actions on different servers through a menu. One of those actions calls an sh in the same server, which establishes a connections via ssh with a Windows Server 2022. The authentication is done via key exchange, not interactive password. The whole idea is that the operator launches the command and then just monitors how it finishes.

From now on I'll refer to the components of the architecture as LINUX, WINDOWS, VICENTER, USER, etc... all in caps for security concerns.

The architecture is LINUX(sh) → WINDOWS(ps1) → VICENTER, all connections and executions with USER.

The first script, the sh, is the following:

#!/bin/bash

# variables
var1=$1
var2=$2

# command
ssh -i /home/apps_consola/.ssh/USER_id_dsa USER@WINDOWS powershell.exe C:\\scripts\\Mover_VM_entre_sitios.ps1 $var1 $var2

Where $1 is the DESTINATION SITE and $2 is the VM to move. Received from the dashboard, and pass from the sh to the ps1.

The ps1 launches and it's supposed to connect with our VMWare VICENTER, and move a VM from the production site to the contingency one. And here is where the problem manifests:

The connection between WINDOWS and VICENTER is established inside the ps1 as follows:

$Credentials = Get-VICredentialStoreItem -Host VICENTER -File C:\Scripts\Cred.xml 
Connect-VIServer VICENTER -User $Credentials.User -Password $Credentials.Password 

The Cred.xml file was created with New-VICredentialStoreItem -User DOMAIN\USER -Password PASSWORD -Host VICENTER -File Cred.xml locally on WINDOWS with the USER, which is in the local Administrators Group.

The ps1 never even cancels, I have to manually kill the process for it to end and the error I get is:

Get-VICredentialStoreItem : The requested operation cannot be completed. The computer must be trusted for delegation
and the current user account must be configured to allow delegation.
At C:\SCRIPTS\Mover_VM_entre_sitios.ps1:15 char:16
+ ... edentials = Get-VICredentialStoreItem -Host VICENTER -File C:\Scripts ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VICredentialStoreItem], CryptographicException
+ FullyQualifiedErrorId : Core_GetVICredentialStoreItem_ProcessRecordget,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetVICredentialStoreItem

For what I read online, it might be an issue with the double hop of credentials, but I tried everything I found and still cannot make it work.

I've already run this commands in an elevated Powershell console logged in as USER:

enable-wsmancredssp -Role client -DelegateComputer * -Verbose
enable-wsmancredssp -Role server
enable-psremoting

Checking with get-wsmancredssp I get:

The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*;wsman/*.DOMAIN
This computer is configured to receive credentials from a remote client computer.

I also modified the following Local Policies (through gpedit.msc):

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Right Assignments\Enable computer and user accounts to be trusted for delegation: I added the USER

Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow delegating fresh credentials: I enabled it and added LINUX, WINDOWS, VICENTER, wsman/*.DOMAIN and wsman/*

Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow delegating fresh credentials with NTLM-only server authentication:  I enabled it and added LINUX, WINDOWS, VICENTER, wsman/*.DOMAIN and wsman/*

I also read that adding the REG_DWORD ProtectionPolicy set to 1 in the branch of the registry: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, but the issue persists.

I have to mention that we had this same setup working just fine, but due to a unrecoverable error we lost the WINDOWS component (the old VM was a win 2012r2). The situation described is happening in the broken VM replacement (WINDOWS). And I don't remember getting any of this errors in the previous one, as I recall there was no configuration needed.

How can I solve this?


Solution

  • I changed strategy and went with a secureString encryption. It isolates the encrypted pwd in a file from the user/machine that generated it. Thanks anyway for those who answered :)