Windows sessions and shell access

I’m not a windows guru, it’s been many many years since I moved over into Linux space, so if I’m completely wrong here, please correct me.

I ran into an interesting and frustrating problem last week trying to get Ansible Tower to talk to a VM running on a vCenter host.  Creating it, giving it an IP address and changing it’s hostname with vpshere shell commands worked perfectly.  My troubles began when prepping the system by configuring the remote management using ansible’s available script.  Works perfectly on Vagrant. No problems there.

As I mentioned in an earlier blog, I found the only way to put the script onto the VM was via vsphere shell and the Set-Content command in PowerShell to save it into a local file, but trying to run the file I kept getting a frustratingly elusive error.

New-SefSignedCertificate : CertEnroll:CX509Enrollment::_CeateRequest: Provider type Not Defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF) At C:\Windows\Temp\ConfigureRemotingForAnsible.ps1:88 char:10 + $cert = New-SelfSignedCertificate -DnsName $SubjectName – CertStoreLocation “Cert:\LocalMachine\My” + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NoSpecified: (:) [New-SelfSignedCertificate], Exception + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand

In powershell 4, the New-SelfSignedCertificate does not have a settable property for Provider, and all the googlefu I could muster was not turning anything up. But I did notice one particular pattern that put me on track to a fix.

I noticed that when I first started the VM fresh the script would inevitably fail.  I ran it again and it would fail, but I could run it from within the VM fine.  Then I noticed that I could run it if the user was logged in.  So a few hours were spent spinning up fresh VMs and testing conditions until I was satisfied that the only way that the script would run via ansible was when a user was logged in.  Speaking to the tech guys who look after the servers it seems that when vsphere creates a shell connection it seems to be a partial connection and doesn’t initiate a user session.  It appears that New-SelfSignedCertificate requires that a valid user session exists to validate the certificate against.

So the fix after that was fairly easy.

I found that you can create a session in PowerShell and Invoke a command against it.  So I ended up with this :

Param (
[string]$username,
[string]$password
)
$pass = convertto-securestring $password -asplaintext -force
$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username,$pass
$appsession = New-PSSession -ComputerName localhost -Credential $mycred
Invoke-Command -Session $appsession -FilePath c:\windows\temp\ConfigureRemotingForAnsible.ps1
Remove-PSSession $appsession

So my with_items now looks like this :

with_items:
– ” -command Set-Content ConfigureRemotingForAnsible.ps1 @’
{{ lookup(‘file’, ‘files/setup.ps1’) }}
‘@”
– ” -command Set-Content run-session.ps1 @’
{{ lookup(‘file’, ‘files/run.ps1’) }}
‘@”
– ” -command \”& .\\run-session.ps1 -username {{ vguest_admin_user }} -password {{ vguest_admin_password }} | Out-File .\\powershell_output.txt\””

Now Ansible can talk to the vCenter VMs and start doing things properly with them.

Author: Aidan

An experienced Developer who transitioned into implementing Continuous Integration, Delivery and Improvement through the use of Agile and Lean, or to put it simply, The DevOps Specialist.

1 thought on “Windows sessions and shell access”

  1. This was exactly what I was looking for. Thank you so much. Was having the same issue and very little comes up in Google that was much of a lead. In my case, the winrm config script wasn’t working even when RDP’d into the host. What I was missing was in the first few seconds of logging in a little notification bubble in the bottom left said I was logged in with a temporary account. After checking C:\Users I saw my account was not in there. Had to do the same thing of getting a PS-Session with an account that didn’t automatically switch to a temp account.

Leave a Reply

Your email address will not be published. Required fields are marked *