解决了

Windows身份验证设置与平静

  • 2018年6月5日
  • 9回复
  • 2750意见
e
徽章 +1
你好,

我很好奇是否有人发行了Windows身份验证,并在平静的情况下使用WS-MAN设置进行登录检查和远程执行脚本。我已经关注了文档,并重做了几次设置以进行验证,但是登录检查仍然失败,含糊不清,只是说要检查WinRM故障排除帮助。

奇怪的是,在提供Windows映像后,我可以手动调用命令以进行远程执行,并使用以下命令针对新配置的IP登录:

PS C:\ USER \ Administrator> Invoke -command -computername 10.32.4.246 -scriptBlock {$ psversiontable.psversion} -credential管理员@domain.com

我的KARAN服务已安装和配置为域管理员,该文档中的所有PS命令均已按照KARAN服务器上的“管理员”和目标基本Windows图像运行。

CredsSP已在KARAN服务器上运行,以允许所有主机作为受信任的主机,并且该命令在拍摄图像之前也运行了目标窗口映像上的credssp(我也将其放在蓝图中的代码块中)。

根据指南,所有GPEDIT和本地安全策略都已更新,用户添加的是域管理员。

混乱的一个区域是围绕execution_mode添加的任务及其应该是什么模式。我已经按照文档中的要求创建了一个任务,但是对于在哪里创建它非常含糊,因此我不确定这是正确的(或者如果是问题的话),并且希望有人可以对他们设置的位置进行屏幕截图这在有效的Windows图像上吗?我已经将其设置为“ execution_mode =”,因为我打算在超越第一部分后添加要在服务器上执行的脚本乱搞。

不确定是否有人有任何想法或过程,他们运行效果很好,但是目前我很困惑,很好奇是否有人击中了这一点,并在他们的尽头掌握了它。

谢谢你的帮助!

-Keith
图标

最好的答案钱德鲁2018年6月8日,02:46

@echolaughmk<\/user-mention> Yes that's right from your screen shot it looks like you don't have any other tasks after the Task1. If you check my screenshot you see there are tasks after the wait task. Please create another task of type \"Execute-> Script\" and add your scripts there to test it out.","className":"post__content__best_answer"}">
查看原件
\r\n
\r\nI'm curious if anyone else has had issue getting Windows authentication with WS-man setup within CALM for the Login Check and remote execution of scripts. I have followed the docs and redone the setup a few times for validation, but the login check still fails with a vague error that just says to check out WINRM troubleshooting help.
\r\n
\r\nWhat's odd is that after I provision the Windows image, I can manually invoke commands for remote execution and login with the following command against the newly provisioned IP:
\r\n
\r\nPS C:\\Users\\Administrator> Invoke-Command -ComputerName 10.32.4.246 -ScriptBlock { $PSVersionTable.PSversion } -Credential administrator@domain.com
\r\n
\r\nMy Karan service is installed and configured with a domain administrator, all PS commands in the document have been run as \"administrator\" on the Karan server and the target base Windows image as required.
\r\n
\r\nCredSSP has been run on the Karan server to allow all hosts as Trusted Hosts and the command to enable CredSSP on the target Window image was run prior to taking the image as well (I also have it in the code block in the blueprint).
\r\n
\r\nAll GPEDITs and Local Security policies have been updated per the guide and the user added was the domain administrator.
\r\n
\r\nThe one area of confusion is around the Task to add for the EXECUTION_MODE and what mode it should be. I have created a task as required in the documentation, but its very vague as to where to create this so I am not entirely sure this is correct (or if it is the problem) and was hopeful someone might have a screenshot of where they set this on a windows image that is working? I have set it to \"EXECUTION_MODE=\" as I plan to mess around adding scripts to be executed on the server after getting past this first part.
\r\n
\r\nNot sure if anyone has any thoughts or a process they have run that works well, but I'm stumped at the moment and was curious if anyone else out there hit this and got past it on their end that might be able to share.
\r\n
\r\nThanks for any help!
\r\n
\r\n-Keith","quoteUsername":"echolaughmk","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
该主题已关闭以供评论

9回复

C
秩
UserLevel 3
徽章 +13
@echolaughmk您是否可以从KARAN服务器调用命令到目标Windows机器?有时,SYSPREP需要一些时间,但是在目标机器收到IP地址后,平静会尝试登录目标机器。我通过在服务的创建动作中使用Escript睡眠任务来解决这个问题。120秒为我工作。



执行模式告诉脚本需要在何处进行审查。本地意味着它将在Karan服务器上。仅当您使用CredsSP进行身份验证时,才需要本地。如果要在远程计算机上执行某些脚本,则无需设置执行模式。
@echolaughmk<\/user-mention> Are you able to invoke command from the Karan server to the target windows machine? Sometimes the sysprep takes a bit of a time but Calm will try to login to the target machine after the target machine receives an IP address. I work around this issue by using an escript sleep task in the create action of the service like below. 120 seconds has worked for me.
\r\n
\r\n

<\/a><\/p>
\r\n
\r\nThe execution mode tells where the script needs to be exeucted. Local means it will be on Karan server. Local is only required when you are using CredSSP for authentication. If you want to execute some scripts on the remote machine you don't need to set the execution mode.","quoteUsername":"Chandru","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

e
徽章 +1
嗨,钱德鲁,

谢谢(你的)信息。是的,我能够远程执行命令,一旦启动并在线构建。在第一次跑步时,我的睡眠没有太大的成功。我注意到您的屏幕截图具有具有与创建步骤关联的任务的MSSQL服务,但是当我创建新的通用蓝图(附加)时,我似乎没有它。我能够创建一个任务,但它本身就坐在那里。当我运行启动时,“动作”选项卡中的其他步骤似乎是执行的标签。这似乎是在编译时自动创建的,但是好奇是否看起来像是正确的位置,如果您只是旋转通用VM,则可以设置睡眠?

我会尝试更多地玩一些,但不确定我目前将睡眠放在正确的位置。谢谢你的帮助!

1个附件
\r\n
\r\nThanks for the info. Yes, I am able to execute commands remotely to the host that I build once it is up and online. I am not having much success with the sleep on the first run. I noticed your screenshot has the MSSQL service with tasks associated with the Create step, but I don't seem to have that when I create a new generic blueprint (attached). I am able to create a task, but it sits out there by itself. When I run the Launch, it seems the other steps in the \"Action\" tab are the ones that are executed. This seems like the one created automatically upon compilation, but was curious if this looks like the right location to set the sleep if you are just spinning up a generic VM?
\r\n
\r\nI'll try to play around some more, but not sure I am putting the sleep in the right place at the moment. thanks for any help!
\r\n

<\/a><\/p>","quoteUsername":"echolaughmk","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

C
秩
UserLevel 3
徽章 +13
@echolaughmk是的,您将任务放在正确的位置。抱歉,我忘了提及蓝图中的“ Check登录”选项的选中。您可以尝试使用该选中,还可以删除任何包装安装任务吗?
@echolaughmk<\/user-mention> Yes you have put the task in the right place. Sorry i forgot to mention to uncheck the \"Check login upon create\" option in the blueprint. Can you try with that unchecked and also remove any package install tasks if you have any?","quoteUsername":"Chandru","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
e
徽章 +1
嗨,钱德鲁,

感谢您及时的回复。如果我取消选中的话,那可行 - 但这不能进行登录检查,那对吗?通过取消选中,我只是告诉蓝图不正确执行任务吗?因此,我希望我不需要我创建的任务,如果我取消选中。

我确实听说这个时机可能会有一个问题,所以我希望您的睡眠任务能伪造它,但是我不确定为什么我不能做到这一点。

这是我所做的成功。我将上面的任务留在那里,没有打电话给脚本带来的脚本(这将是我的测试中的下一个运行命令)。当我取消选中登录检查时,这效果很好。感谢您的任何见解。

-Keith

1个附件
\r\n
\r\nThanks for the quick response. That works if I uncheck that - but that doesn't do the login check then right? By unchecking that I am just telling the blueprint not to perform the task correct? So I would expect I don't need the task that I created then if I am unchecking that.
\r\n
\r\nI did hear that there might be an issue with this timing, so I was hoping your sleep task would fake it out, but I am not sure yet why I can't get that to work.
\r\n
\r\nhere is what I did that was a success. I left the task above in there and I have no package script bring called (that will be next in my testing to run commands). This worked well when I unchecked the login check. thanks for any insight.
\r\n
\r\n-Keith
\r\n
\r\n

<\/a><\/p>","quoteUsername":"echolaughmk","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

C
秩
UserLevel 3
徽章 +13
@echolaughmk是的,这是从屏幕截图中拍摄的,看起来您在任务1之后没有任何其他任务。如果您检查我的屏幕截图,您会发现等待任务后有任务。请创建另一个类型“ Execute->脚本”的任务,然后在此处添加您的脚本以测试它。
@echolaughmk<\/user-mention> Yes that's right from your screen shot it looks like you don't have any other tasks after the Task1. If you check my screenshot you see there are tasks after the wait task. Please create another task of type \"Execute-> Script\" and add your scripts there to test it out.","quoteUsername":"Chandru","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
e
徽章 +1
谢谢 @chandru- 我认为现在很有意义。看来我们正在绕过登录名,并简单地将任务(脚本)放置在提供VM后要调用的任务(脚本)。

当我添加一个简单的任务将VM上的PowerShell版本输出到文件位置时,蓝图将其显示为成功,但实际上我在VM上没有看到该文件。脚本的第二个任务是否应该是带有凭据的esscript或shell脚本?我从阅读的内容中思考了一篇文章,但这是一些Credssp和本地模式的东西在文档中有些混乱的地方。我以描述为标记,但它不起作用:

$ psversiontable.psversion>“ c:\ users \ ascrisionalator \ psversion.txt”

我只是作为壳牌脚本尝试了它,并给了它凭证(Karan Service正在运行的域帐户),当我检查Call Spun的VM时,这似乎现在可以工作!您一直很有帮助...谢谢!

我明天将尝试一些更高级的东西,并再次阅读Escript/shell部分,我可能会有一些问题,这些问题会发布到此类别中的一些新线程中。我认为我通过取消选中来超越了初始登录障碍。谢谢。似乎现在要走的方法就是绕过该检查。


谢谢!

-Keith
1个附件
@Chandru<\/user-mention> - I think it is making sense now. It looks like we are bypassing the login and simply putting the tasks (scripts) to be called after the VM has been provisioned.
\r\n
\r\nWhen I add a simple task to just output the version of powershell on the VM to a file location, the blueprint shows it as a success, but I don't actually see the file on the VM. Should this second task that has the script be an EScript or a Shell script with credentials? I was thinking an Escript from what I have read, but this is where some of the CREDSSP and Local mode stuff got a little confusing in the docs. I tried this as an Escript and it didn't work:
\r\n
\r\n$PSVersionTable.PSversion > \"C:\\Users\\Administrator\\psversion.txt\"
\r\n
\r\nI just tried it as a shell script and gave it the credentials (domain account that the Karan service is running as) and that seems to work now when I check the VM that was spun up by CALM! You have been very helpful...thank you!
\r\n
\r\nI am going to try some more advanced stuff tomorrow and re-read the Escript\/Shell portions again and I might have a few questions that I will post to some new threads in this category. I think I am past the initial login hurdle by unchecking it..thank you. Seems like the way to go for now is to just bypass that check.
\r\n
\r\n

<\/a><\/p>
\r\nThanks!
\r\n
\r\n-Keith","quoteUsername":"echolaughmk","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

C
秩
UserLevel 3
徽章 +13
@echolaughmkEscript是在平静的容器中运行的Python脚本引擎。当您要执行REST API调用或任何需要与蓝图外部实体进行交互的内容时,它主要使用。例如,您有一个需要创建VM并自动将其添加到保护域中的情况。您可以通过编写Escript通过REST API调用与Nutanix群集进行交互来实现这一目标。它可以是VM上的安装NGT工具,也可以使用AHV级别快照或将创建的VM添加到保护域中。Escript还可以设置诸如execution_mode之类的变量,该变量告诉Call在KARAN服务器上而不是目标计算机上的即将到来的任务中运行PowerShell脚本。

简单的规则,需要在平静的容器内运行的任何东西都需要是用西本,并且在目标VM上需要运行的任何东西都应是脚本。

我们正在使用示例中的escript来暂停从试图登录到部署的VM的平静。我们需要做的原因是因为Sysprep花费了某个时间才能登录Windows VM。由于我们在创建时跳过了支票登录,因此平静不会尝试登录到VM并跳到创建动作并开始执行其下方的任务。第一个任务是睡120秒。由于它是一个escript,因此在Calm内部运行的Escript引擎将执行脚本(睡120秒),然后转到下一个任务。下一个任务要求平静(通过KARAN)登录已部署的VM并执行您在任务中给出的命令。
@echolaughmk<\/user-mention> escript is a python script engine running inside Calm containers. It is mainly used when you want to execute REST API calls or anything that needs to be interacting with external entities outside the blueprint. For example, you have a case where you need to create a vm and add it to a protection domain automatically. You can achieve this by interacting with Nutanix cluster via REST API calls by writing an escript. It can be anything like mount NGT tools on the vm or take an AHV level snapshot or add the created vm to a protection domain. Escript can also set variables like EXECUTION_MODE which tells Calm to run the powershell scripts in the upcoming tasks on the Karan server and not on the target computer.
\r\n
\r\nAs a simple rule, anything that needs to be run inside Calm container needs to be escript and anything that needs to be run on the destination vm should be script.
\r\n
\r\nWe are using escript in our example to pause Calm from trying to login to the deployed vm. The reason we need to do is because sysprep takes sometime before we can login to the windows vm. Since we skipped the check login upon create, calm will not try to login to the vm and jumps to the Create Action and start executing tasks under it. The first task is to sleep for 120 seconds. Since it is an escript the escript engine running inside Calm will execute the script (sleeping for 120 seconds) and then move to the next task. The next task requires Calm (via Karan) to log into the vm deployed and execute the commands you have given in the task.","quoteUsername":"Chandru","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
e
徽章 +1
谢谢 @chandru

现在,在您的解释方式中,这更有意义。当我回到测试时,我注意到的一件事是,我想在新配置的VM上执行的脚本无法用作shell脚本,其中包含我存储在蓝图中的凭据。It only works as an EScript which is the opposite of what I think I saw last night (or it was too late for me to read clearly on my end ).

从上面的讨论中,似乎具有凭据的Shell的选项应该能够在新配置的VM上从KARAN服务器执行远程命令。但是,从我现在看到的情况来看,这不起作用,或者我对我如何执行此操作的凭据有其他帮助。我已经等了5分钟才能完成Sysprep。这是否应该用作存储凭据的外壳脚本?

谢谢!

-Keith
@Chandru<\/user-mention>
\r\n
\r\nThis makes more sense now in the context of how you explain it. The one thing I am noticing as I go back to testing this is that the script I want to execute on the newly provisioned VM doesn't work as a shell script with the credentials I have stored in the blueprint. It only works as an EScript which is the opposite of what I think I saw last night (or it was too late for me to read clearly on my end \ud83d\ude00 ).
\r\n
\r\nFrom the discussion above, it seems like the option for Shell with the credentials should be able to execute a remote command from the Karan server on the newly provisioned VM. But from what I am now seeing, this isn't working or I have something else up with either the credentials I have stored of how I am executing this. I have waited as much as 5 minutes for the sysprep to be done. Should this be working as a Shell script with the stored credentials?
\r\n
\r\nthanks!
\r\n
\r\n-Keith","quoteUsername":"echolaughmk","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
j
@echolaughmk您能解决问题吗?通常,您需要任务类型可以在您提供的VM内执行它,并且它应该与您的存储凭据一起使用。
@echolaughmk<\/user-mention> Were you able to resolve your issue? In general you need the task type to be shell to execute it inside your provisioned VM, and it should work with your stored credentials.","quoteUsername":"Jasnoor.Gill","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
Baidu