In this blog post, I am going to show you how to set up vCheck (https://github.com/alanrenouf/vCheck-vSphere) to run on a schedule, using AD user credentials, without requiring passthru authentication. To do this, I will leverage the VMware Credential Store and the New-VICredentialStoreItem PowerCLI cmdlet.
You may need to do this if you cannot use passthru authentication from your script server to your vCenter server.
In this how-to, I assume you have already run vCheck’s initial configuration. I also assume you have already created an AD user account suitable for running the vCheck script, and assigned permissions to vCenter (preferably read-only access).
Here’s a summary of the configuration:
- AD user account with the Log On as a Batch Job right, granted locally on the script server
- Create a new vCenter role, "vCheck Admin", and assign it the following rights:
  - Datastore -> Browse Datastore (necessary for finding orphaned VMs)
  - Host Profile -> View (necessary for checking host profile compliance)
- Run PowerCLI as the AD user
- New-VICredentialStoreItem -Host vcenter -User "domain\user" -Password "password"
- Scheduled task that runs PowerShell with vCheck.ps1 as the argument, starting in the vCheck folder
First we need to get an item into the VICredentialStore, under the user account we will be using to run the script.
Launch PowerCLI as that user (enter the AD credentials when prompted), then use the New-VICredentialStoreItem cmdlet to add an item to the credential store.
On Windows, by default this entry is stored in %APPDATA%\Roaming\VMware\vicredentials.xml
Please note – take security into consideration here. The vicredentials.xml password format is obfuscated, not encrypted. Ensure you have restricted access to this file and server to only authorized users. Also make sure the AD user specified here has the most restrictive permissions possible – such as a domain user with read-only access to vCenter.
For more details on the hash function used to obfuscate the password, see the credstore_admin.pl file available in the VMware Perl SDK for vSphere. In short, VMware creates a unique hash based on username and servername for this entry, hashes the password using this unique hash, and then base64 encodes it. This means that anyone with the full text of your vicredentials.xml file could obtain your plain-text passwords. Protect this file if you are going to use this method.
Configuring Windows Scheduled Task
Now create a scheduled task with the following Action:
- Program – C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Add Arguments – C:\Scripts\vCheck-vSphere-master\vCheck.ps1
- Start in – C:\Scripts\vCheck-vSphere-master\
Assigning AD User Rights to Windows
Finally, make sure this AD user is assigned the Log On as a Batch Job right on the script server.
Add the user under the policy's Properties. Very straightforward.
When we run the scheduled task, vCheck’s connection script will run as the AD user we specified. When it attempts to connect to vCenter using Connect-VIServer, it will automatically pull credentials from the entry in the VICredentialStore for this AD user. It does this based on matching the server name in the credential store items with the server name specified in the Connect-VIServer cmdlet.
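The steps above, collected into one PowerShell script as an added example (this is not code from the post or from the vCheck project): it stores the credential, tightens the ACL on the obfuscated credential file, registers the task, and confirms that Connect-VIServer connects without a prompt. Run it in a PowerCLI session started as the AD account so the store lands in that user's profile; the account name, vCenter name, vCheck folder and credential-file path are assumptions, and the task registration assumes local policy lets the account create tasks that run as itself.

```powershell
# Added example, not from the original post. Assumed names: DOMAIN\svc-vcheck,
# vcenter.example.com, C:\Scripts\vCheck-vSphere-master and the credstore file path.
param(
    [string]$VCenter   = 'vcenter.example.com',
    [string]$Account   = 'DOMAIN\svc-vcheck',
    [string]$VCheckDir = 'C:\Scripts\vCheck-vSphere-master',
    # Assumed default store location; adjust to where your PowerCLI version writes it.
    [string]$CredFile  = "$env:APPDATA\VMware\credstore\vicredentials.xml"
)
Import-Module VMware.VimAutomation.Core

# 1. Prompt for the password instead of embedding it in the script or shell history.
$cred  = Get-Credential -UserName $Account -Message "Password for $Account (read-only vCenter account)"
$plain = $cred.GetNetworkCredential().Password

# 2. Add the entry to the running user's credential store, then confirm it is there.
New-VICredentialStoreItem -Host $VCenter -User $Account -Password $plain | Out-Null
$item = Get-VICredentialStoreItem -Host $VCenter -User $Account -ErrorAction Stop
Write-Host "Stored credential for $($item.User) on $($item.Host)"

# 3. The password in this file is only obfuscated: drop inherited ACEs and limit
#    access to this account (read) and local Administrators (full).
if (Test-Path $CredFile) {
    icacls $CredFile /inheritance:r /grant:r "${Account}:(R)" /grant:r 'BUILTIN\Administrators:(F)' | Out-Null
} else {
    Write-Warning "Credential store not found at $CredFile; locate vicredentials.xml and restrict its ACL manually."
}

# 4. Register the task with a stored password (batch logon, so the account needs
#    'Log on as a batch job'); Start-in is the vCheck folder as in the post.
$action  = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
            -Argument "-NonInteractive -ExecutionPolicy RemoteSigned -File `"$VCheckDir\vCheck.ps1`"" `
            -WorkingDirectory $VCheckDir
$trigger = New-ScheduledTaskTrigger -Daily -At 6am
Register-ScheduledTask -TaskName 'vCheck' -Action $action -Trigger $trigger `
    -User $Account -Password $plain -RunLevel Limited | Out-Null

# 5. Verify that Connect-VIServer picks the stored item by server name, with no prompt.
$vi = Connect-VIServer -Server $VCenter -ErrorAction Stop
Write-Host "Connected to $($vi.Name) as $($vi.User); disconnecting."
Disconnect-VIServer -Server $vi -Confirm:$false
Remove-Variable plain, cred
```

If step 5 prompts for credentials, the -Host value given to New-VICredentialStoreItem does not match the -Server name exactly; the lookup is by name, not by resolved address.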
Hope this helps! Just keep in mind the security caveats around using the VICredentialStore.