Author Archives: admin

vCenter 7.0 with ADFS IDP: connecting with PowerCLI

I had some issues connecting to vCenter from PowerCLI after configuring ADFS as an identity provider with Duo Security for MFA.

Some of the errors I received were:

New-OAuthSecurityContext The OAuth authorization grant redirect response did not provide an authorization code.

New-OAuthSecurityContext Failed to issue OAuth2 access token.

The received resource parameter is invalid. The authorization server can not find a registered resource with the specified identifier

New-VISamlSecurityContext Failed to retrieve SAML bearer token: An error occurred while sending the request.

Failed to issue OAuth2 access token. MSIS9614: The refresh token received in ‘refresh_token’ parameter is invalid. Error code: invalid_grant

MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid. Error code: invalid_client

New-OAuthSecurityContext: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.

It turned out I was missing configuration steps and using the wrong values in the login script.

*This was set up on vCenter Server Appliance 7.0 Update 2c with an ADFS 2019 IDP, and validated from a Windows 10 VM logged in as the privileged user, running PowerShell 5.1.17763.2183 and VMware PowerCLI 12.4.0 build 18627050.

If not already done, install and configure Duo MFA for ADFS: https://duo.com/docs/adfs

Configure vCenter for the ADFS IDP by following the VMware guide: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-C5E998B2-1148-46DC-990E-A5DB71F93351.html

(In ADFS, don't forget to configure an access control policy and assign it to the Web API configuration of the vCenter application group.)

Make sure ADFS IDP authentication with Duo is working before following the next steps to set up PowerCLI access.

1. In ADFS, create a new Native Application named powercli-native and note its Client ID (cccccccc-cccc-cccc-cccc-cccccccccccc).
2. Add the redirect URI http://localhost:8844/auth and click OK.
3. Select the application under Web API and click Edit.
4. On the Client Permissions tab, add the powercli-native application created above.
5. Make sure allatclaims and openid are selected.
6. Select the application under Server Applications and note its Client ID (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).

The following script was found in this Reddit post (I have added comments inline):

https://www.reddit.com/r/vmware/comments/nzt06t/comment/h1zpykq/?utm_source=share&utm_medium=web2x&context=3

[codesyntax lang="powershell"]
#vCenter Server FQDN
$VCenterServer = 'VCENTER.DOMAIN.COM'
#ADFS token endpoint URL (if you have changed it from the default, adjust accordingly)
$TokenEndpointURL = 'https://ADFS.DOMAIN.COM/adfs/oauth2/token/'
#ADFS authorization endpoint URL (if you have changed it from the default, adjust accordingly)
$AuthEndpointURL = 'https://ADFS.DOMAIN.COM/adfs/oauth2/authorize/'
#PowerCLI redirect URL; you do not need to change this (it must match the redirect URI registered on the native application)
$RedirectURL = 'http://localhost:8844/auth'
#Enter the Client ID we gathered earlier from the powercli-native Native Application
$ClientID = 'cccccccc-cccc-cccc-cccc-cccccccccccc'
#Enter the Client ID we gathered earlier from the Server Application; it is passed to ADFS as the OAuth "resource"
$OAuthResource = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

#Each context is only created once, so re-running the script in the same session reuses it
if ( !$OAuth ) { $OAuth = New-OAuthSecurityContext -TokenEndpointUrl $TokenEndpointURL -AuthorizationEndpointUrl $AuthEndpointURL -RedirectUrl $RedirectURL -ClientId $ClientID -OtherArguments @{ "resource" = "$OAuthResource" } }

#If you are using a self-signed certificate use the -IgnoreSslValidationErrors switch
if ( !$Saml ) { $Saml = New-VISamlSecurityContext -VCenterServer $VCenterServer -OAuthSecurityContext $OAuth -IgnoreSslValidationErrors }

#If this is a standalone vCenter remove the -AllLinked switch
if ( !$Conn ) { $Conn = Connect-VIServer -Server $VCenterServer -SamlSecurityContext $Saml -AllLinked }
[/codesyntax]

If the commands complete successfully you should get a web browser popup for ADFS/Duo authentication, and then you should be logged into vCenter. All other commands should work as normal.
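A preflight check to run before the login script, added here as an example that is not part of the original post or of PowerCLI: it compares the two endpoint URLs with what ADFS itself publishes and checks that both IDs are GUIDs, which catches the wrong-value mistakes behind most of the New-OAuthSecurityContext errors listed above before a browser window ever opens. It assumes ADFS serves its OpenID Connect discovery document at /adfs/.well-known/openid-configuration (ADFS 2016 and later do) and reuses the placeholder host and ID values from the script. Whether the resource identifier is actually registered can only be confirmed by ADFS; the "can not find a registered resource" error above is what that mismatch looks like.

```powershell
# Added example, not from the original post: sanity-check the values the login
# script will hand to New-OAuthSecurityContext. Assumes ADFS publishes its
# discovery document at /adfs/.well-known/openid-configuration.
$AdfsHost         = 'ADFS.DOMAIN.COM'
$TokenEndpointURL = 'https://ADFS.DOMAIN.COM/adfs/oauth2/token/'
$AuthEndpointURL  = 'https://ADFS.DOMAIN.COM/adfs/oauth2/authorize/'
$RedirectURL      = 'http://localhost:8844/auth'
$ClientID         = 'cccccccc-cccc-cccc-cccc-cccccccccccc'
$OAuthResource    = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

function Test-AdfsOAuthConfig {
    param(
        [Parameter(Mandatory)] [string] $AdfsHost,
        [Parameter(Mandatory)] [string] $TokenEndpointURL,
        [Parameter(Mandatory)] [string] $AuthEndpointURL,
        [Parameter(Mandatory)] [string] $RedirectURL,
        [Parameter(Mandatory)] [string] $ClientID,
        [Parameter(Mandatory)] [string] $OAuthResource
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Both IDs must be GUIDs copied from the ADFS application group. The
    # xxxxxxxx placeholder from the post is flagged until it is replaced.
    $guid = [guid]::Empty
    foreach ($pair in @(@('ClientID', $ClientID), @('OAuthResource', $OAuthResource))) {
        if (-not [guid]::TryParse($pair[1], [ref] $guid)) {
            $problems.Add("$($pair[0]) '$($pair[1])' is not a GUID; copy it from the ADFS application group")
        }
    }

    # PowerCLI listens on this fixed URL, and ADFS only issues the authorization
    # code if the registered redirect URI matches it exactly.
    if ($RedirectURL -ne 'http://localhost:8844/auth') {
        $problems.Add("RedirectURL '$RedirectURL' differs from the PowerCLI listener URL http://localhost:8844/auth")
    }

    # Compare the configured endpoints with the ones ADFS advertises.
    try {
        $meta = Invoke-RestMethod -Uri "https://$AdfsHost/adfs/.well-known/openid-configuration" -Method Get
        $normalize = { param($u) $u.TrimEnd('/').ToLowerInvariant() }
        if ((& $normalize $meta.token_endpoint) -ne (& $normalize $TokenEndpointURL)) {
            $problems.Add("TokenEndpointURL is '$TokenEndpointURL' but ADFS advertises '$($meta.token_endpoint)'")
        }
        if ((& $normalize $meta.authorization_endpoint) -ne (& $normalize $AuthEndpointURL)) {
            $problems.Add("AuthEndpointURL is '$AuthEndpointURL' but ADFS advertises '$($meta.authorization_endpoint)'")
        }
    } catch {
        # An untrusted ADFS certificate or a wrong host name lands here.
        $problems.Add("Could not read the ADFS discovery document from ${AdfsHost}: $($_.Exception.Message)")
    }

    return $problems
}

$issues = Test-AdfsOAuthConfig -AdfsHost $AdfsHost -TokenEndpointURL $TokenEndpointURL `
    -AuthEndpointURL $AuthEndpointURL -RedirectURL $RedirectURL `
    -ClientID $ClientID -OAuthResource $OAuthResource
if ($issues.Count -eq 0) {
    'ADFS OAuth configuration looks consistent; run the login script.'
} else {
    $issues | ForEach-Object { "PROBLEM: $_" }
}
```

Run it in the same PowerShell session as the login script with the real values filled in. Note that the discovery request is made with normal certificate validation, so an ADFS server with an untrusted certificate shows up as a problem rather than being skipped; that is deliberate, because the token endpoint the login script talks to has the same certificate.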

Hope this helps someone.

VMware 5.5: How to remove NetApp® NFS Plug-in 1.0.21 for VMware® VAAI

After a bit of searching I did not find any documentation on how to remove the NetApp® NFS Plug-in 1.0.21 for VMware® VAAI from an ESXi host. If you need to uninstall it, the process is pretty simple.

Place your host into maintenance mode, then SSH to your ESXi host and list the installed VIBs:

[codesyntax lang="powershell"]
esxcli software vib list
[/codesyntax]

You should get a list of all plugins on your system.

Name                           Version                               Vendor  Acceptance Level  Install Date
-----------------------------  ------------------------------------  ------  ----------------  ------------
net-enic                       2.1.2.38-1OEM.550.0.0.1198611         Cisco   VMwareCertified   2014-04-23
NetAppNasPlugin                1.0-21                                NetApp  VMwareAccepted    2014-05-09
net-qlcnic                     5.5.164-1OEM.550.0.0.1198611          QLogic  VMwareCertified   2014-04-23

To remove the plugin, use the following command:

[codesyntax lang="powershell"]
esxcli software vib remove -n NetAppNasPlugin --dry-run
[/codesyntax]

The --dry-run switch shows what the command would do without changing anything; remove it to actually run the command:

~ # esxcli software vib remove -n NetAppNasPlugin
Removal Result
Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
Reboot Required: true
VIBs Installed:
VIBs Removed: NetApp_bootbank_NetAppNasPlugin_1.0-21
VIBs Skipped:

You will need to reboot your server to complete the removal.
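The same procedure driven from PowerCLI instead of an SSH session, added here as an example (not from the original post or from NetApp): it refuses to run unless the host is already in maintenance mode, lists the VIB first, and defaults to a dry run so the real removal is an explicit second step. It assumes an existing Connect-VIServer session, the placeholder host name esxi01.example.com, and the vibname/dryrun argument names and RebootRequired/VIBsRemoved result properties of the Get-EsxCli -V2 software.vib.remove command, which correspond to the esxcli options and output shown above.

```powershell
# Added example, not from the original post: remove a VIB through PowerCLI's
# Get-EsxCli -V2 interface with the maintenance-mode check and dry run built in.
# Assumes an active Connect-VIServer session; the host name is a placeholder.
function Remove-VibSafely {
    param(
        [Parameter(Mandatory)] [string] $VMHostName,
        [Parameter(Mandatory)] [string] $VibName,
        [switch] $Commit   # without -Commit only the dry run is performed
    )
    $vmhost = Get-VMHost -Name $VMHostName
    # Same precondition as the SSH procedure: the host must be in maintenance mode.
    if ($vmhost.ConnectionState -ne 'Maintenance') {
        throw "$VMHostName is not in maintenance mode; put it there before removing VIBs."
    }
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Equivalent of 'esxcli software vib list', filtered to the VIB in question.
    $vib = $esxcli.software.vib.list.Invoke() | Where-Object { $_.Name -eq $VibName }
    if (-not $vib) {
        throw "VIB '$VibName' is not installed on $VMHostName."
    }
    "Found $($vib.Name) $($vib.Version) from $($vib.Vendor), installed $($vib.InstallDate)"

    # Equivalent of 'esxcli software vib remove -n <name> [--dry-run]'.
    # Argument names (vibname, dryrun) are assumed from CreateArgs() of this command.
    $removeArgs = $esxcli.software.vib.remove.CreateArgs()
    $removeArgs.vibname = $VibName
    $removeArgs.dryrun  = [bool](-not $Commit)
    $result = $esxcli.software.vib.remove.Invoke($removeArgs)

    "Dry run: $(-not $Commit)  Reboot required: $($result.RebootRequired)"
    "VIBs removed: $($result.VIBsRemoved -join ', ')"
    return $result
}

# Dry run first; add -Commit once the output looks right, then reboot the host.
Remove-VibSafely -VMHostName 'esxi01.example.com' -VibName 'NetAppNasPlugin'
```

The function deliberately does not reboot the host for you; as the output above shows, the removal reports Reboot Required: true, and the reboot is better left as a separate, visible step.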

If you are looking to install the plugin, you can follow the NetApp guide located here:

https://library.netapp.com/ecmdocs/ECMP1237939/html/html/GUID-735E5961-E3FB-4105-A8F8-37F6444B68BC.html

Fatal Error c0000034 After Service Pack Install

Recently a friend of mine got an error on his computer when booting:

Fatal error C0000034 applying update operation 282 of 117809 (_00000…)

After some digging I found out that there was an issue with the Windows 7 SP1 upgrade that had recently run on his computer, and I found this Microsoft article that seemed to solve the problem:

http://support.microsoft.com/kb/975484?wa=wsignin1.0

Short notes are:

Download this VBS script, remove the ".txt" extension and place it on a USB drive.

1. Reboot the computer while tapping F8 to enter Advanced Boot Options.
2. Select Repair your Computer.
3. Under System Recovery Options, make a note of the Windows 7 drive letter listed on the line below "Choose a recovery tool". Example: Operating system: Windows 7 on (C:)
4. Select the Command Prompt option.
5. Navigate to the USB drive letter (trial and error worked for me).
6. Run this command, replacing C: with the drive letter noted in step 3:

cscript Script.vbs C:\Windows\winsxs\pending.xml

7. You should get output similar to this:

2 POQ nodes removed. Script Completed

8. Reboot the computer and the updates should complete normally.
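To make the "POQ nodes removed" line meaningful, here is an added PowerShell illustration of that operation; it is not the Microsoft article's Script.vbs and is not meant to replace it. It backs up the file, removes every POQ element from a copy of pending.xml, and reports the count the way the script does. The sample document is constructed for the demonstration; the post shows only the element name, not the real layout of pending.xml, and the file names and paths are placeholders.

```powershell
# Added example, not the KB article's Script.vbs: remove every <POQ> element
# from a pending.xml after backing it up, and report how many were removed.
# The sample document below is constructed; the real pending.xml layout is not
# shown in the post, only the POQ element name that the script's output names.
function Remove-PoqNodes {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Keep an untouched copy so the change can be reversed if the boot still fails.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force

    [xml] $doc = Get-Content -LiteralPath $Path -Raw
    # Match POQ elements regardless of XML namespace.
    $poqNodes = @($doc.SelectNodes('//*[local-name()="POQ"]'))
    foreach ($node in $poqNodes) {
        [void] $node.ParentNode.RemoveChild($node)
    }
    $doc.Save((Resolve-Path -LiteralPath $Path).ProviderPath)
    return $poqNodes.Count
}

# Constructed stand-in for pending.xml (placeholder content).
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<PendingTransactions>
  <POQ postAction="reboot"><Checkpoint/></POQ>
  <POQ><Checkpoint/></POQ>
  <OtherWork/>
</PendingTransactions>
'@
$samplePath = Join-Path $env:TEMP 'pending-sample.xml'
Set-Content -LiteralPath $samplePath -Value $sample -Encoding UTF8

$removed = Remove-PoqNodes -Path $samplePath
"$removed POQ nodes removed. Script Completed"
```

The backup step is the part worth copying: pending.xml is what the servicing stack reads on the next boot, so keep the original next to the edited file until the machine is back up.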

Hope this helps.

I found some additional info on this forum post.

SCOM 2007 R2: Our Problems

Before I can show you what I am doing to fix our SCOM environment, I need to tell you a little bit about what we did wrong, and what issues we are seeing because of it.

SCOM uses Management Packs for everything it does.

Management Packs (MP) contain predefined monitoring settings that enable agents to monitor a specific service or application in Operations Manager 2007. These predefined settings include discovery information that allows management servers to automatically detect and begin monitoring objects, a knowledge base that contains error and troubleshooting information, alerts, and reports.

In short, MPs are collections of rules and alerts for a specific object. Many MPs are provided by Microsoft for monitoring things like the Windows Server 2008 OS or SQL Server. Some third-party vendors provide management packs as well. For example, we have a lot of Dell servers in our environment, so we installed the Dell server MP. This MP monitors physical system health and alerts us when a failure has occurred.

When you first install SCOM it installs around 40 default MPs. These MPs are a core part of SCOM. You then have the option to install additional MPs, which are application specific: Windows, SQL, Exchange, etc. It is a best practice to install only the MPs you need, and to install them in a controlled manner so they can be configured and overridden in a controlled manner.

In my environment we have 140 MPs installed, with very few overrides configured. Anything with a critical status generates an email to the system admins, which produces a large amount of garbage email.

The second big issue we have is overrides. It is best practice never to place an override in the Default Management Pack (by default it is automatically selected as the target). Instead, each management pack should have its own custom override pack. For example, if the MP is "Active Directory Server 2008 (Monitoring)" you would create a custom override MP named "Active Directory Server 2008 (Monitoring) – Override". Like most items in your environment, naming conventions are key here. If you don't come up with a naming scheme for custom MPs and follow it, you will end up with a mess.

In my environment the overrides we do have defined are all over the place: some are in "Default Management Pack", some in "Test" or "Test MP", and very few follow any naming scheme.

Unfortunately, before I can fix the email flooding issue, I need to fix the poor location and naming scheme of our custom MPs.

SCOM 2007 R2: The Adventure

I have been tasked at work with cleaning up our SCOM environment, and I have been spending a lot of time trying to organize it and understand how SCOM works. Wikipedia defines SCOM as:

System Center Operations Manager is a cross-platform data center management system for operating systems and hypervisors. It uses a single interface that shows state, health and performance information of computer systems. It also provides alerts generated according to some availability, performance, configuration or security situation being identified. It works with Microsoft Windows Server and Unix-based hosts.

In short, it is a health management tool. It sends out email alerts based on what you define, to notify you of issues, or pending issues, within your environment. It allows you to move from a reactive department to a proactive one.

This tool, when configured right, can make your job much easier, but when not configured right... well, you end up with what I have.

Currently I receive between 200 and 500 emails a day about "critical" issues within my environment.
"Critical" issues like:
Alert: Computer Browser Service Stopped Resolution state: New
Alert: Miscellaneous SAM Errors Resolution state: New
Alert: DC is both a Global Catalog and the Infrastructure Update master Resolution state: New

Now don't get me wrong, I do get emails about actual critical issues within my environment, but when I get emails about issues like the above, it makes it near impossible for me to react in a timely manner.

So, I am going to start posting tips and tricks I have found for managing SCOM on here. Hopefully some of this will help someone down the line, or even myself when I need to come back and reference something.

Hope you enjoy the Adventure.

Fix Broken Auto Updates In WordPress.

I have been having an issue with WordPress hanging on "Downloading" when trying to install an update through the built-in auto update. After doing some research, I found out that this feature requires PHP 5 in order to function.

My web host is 1and1.com, and in order for your site to use PHP 5 instead of PHP 4 you must add a custom line to the .htaccess file in the root of your website. Simply add the line below to your .htaccess file, and you are good to go.

Upgrading WordPress to 2.9.2

Today I upgraded my WordPress from 2.9.1 to 2.9.2. The upgrade process was pretty smooth. At first I had some trouble using the automatic update, so I ended up updating manually.

How to update manually:

The manual update process is quite simple. The WordPress website has full details on how to do this update (http://codex.wordpress.org/Upgrading_WordPress). I will just go over the basics really fast.


WordPress “Briefly Unavailable for Scheduled Maintenance” Message Removal

Today, while trying to update my blog to the new version using the built-in WordPress update functionality, I received the following error any time I attempted to view the website: "Briefly unavailable for scheduled maintenance. Check back in a minute." After doing some research it appears that when an update is being performed, WordPress places a file called ".maintenance" in the root of the blog.

This is actually a really simple fix. Just FTP into your web space and delete this file, and your blog should be back to normal, provided the incomplete upgrade did not damage your blog in any way.

Why Does this happen?

During a WordPress update, WordPress creates this "dummy" file in the root to block access to the website while the update is in progress. This is done because someone viewing your website while the upgrade is in progress could get undesired results. If you are having problems using the auto update feature, I suggest updating manually and researching why it is not working. There can be many causes.

Hope this Helps!

Welcome to ProjectHamel.com

This is my first post on my new and improved blog. I am not going to lie, I don't update it as often as I would like, but I am going to do my best to put up as many posts as possible here. Let me tell you a little about myself. I am a Systems Administrator for a major telecommunications company. I also work part time at Best Buy's Geek Squad. Expect my posts here to be technical in nature, or based around a project I am currently working on. If any of my posts help you, please feel free to leave a comment and let me know that doing this helped someone out.