Subscribe
Accepted Solution

Connect-NaController -Credential bug?

I'm using DataONTAP module version 1.2.0.67, and I'm seeing an issue with Connect-NaController when a PSCredential object is supplied.

I'm able to connect to a controller using the following syntax:

Connect-NaController "controllername" (I launched PS as the same domain user that has access to the controller via Active Directory)

I get an API Invoke failed when I supply those same credentials to a Get-Credential, or the root user/password credentials to Get-Credential. I've verified the root user/password credentials work by SSH'ing into the controller, which takes a domain authentication issue out of the question.

Any ideas?

Re: Connect-NaController -Credential bug?

Hi,

How exactly are you providing the credentials?

I've found that the API invoke errors are normally created when the expected paremeter is not a string type. Have a look at this discussion which provides some sample code for dealing with a similar error.

http://communities.netapp.com/message/40826#40826

Re: Connect-NaController -Credential bug?

I am providing the credentials via Get-Credential. For example:

$netapp = "filer.domain.com"

$nacred = Get-Credential

$nacontroller = Connect-NaController -Name $netapp -Credential $nacred

I get the API Invoke failed when trying to connect, not after connecting and attempting to run further commands.

Thanks for your help!

Damian

Re: Connect-NaController -Credential bug?

Hello, Damian.  I don't see anything inherently wrong with your code, and it worked for me on multiple systems (Win 2008 R2 and Win 7, ONTAP 7.3.3).  A few thoughts:

  • If you are using the fully-qualified domain name of the storage controller, make sure that is resolvable from your Windows host.
  • Try using an IP address instead.
  • Connect-NaController does make a couple of API calls to validate the connection (system-get-version and system-get-ontapi-version).  Ensure the user whose credentials you are using has permission to call those APIs.
  • Try both HTTPS and HTTP via the ForceSecure and ForceUnsecure switches, respectively.

Please let us know if you figure it out.

Re: Connect-NaController -Credential bug?

I am having the same issue.  Tried http, https, differnet user, hostname, ipaddress, etc.  no luck.

From 2003 server to filer 7.3.x

PS C:\Documents and Settings\me> Connect-NaController "x.x.x.x" -Credential (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Connect-NaController : API invoke failed.
At line:1 char:21
+ Connect-NaController <<<<  "x.x.x.x" -Credential (Get-Credential)
    + CategoryInfo          : NotSpecified: (Smiley Happy [Connect-NaController], NaException
    + FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

Re: Connect-NaController -Credential bug?

I have re-tested Toolkit 1.2 with Windows 2003 (32-bit), and RPC / HTTP / HTTPS all worked here.

If RPC works and HTTP does not, this sounds more like a network or firewall issue.  You could check whether HTTP access to the controller is working at all by pointing a browser from the Windows host to http://<address>/na_admin/.

You can also enable debug output in the PowerShell Toolkit as follows:

  • In Windows Explorer, navigate to the PowerShell modules directory where the Toolkit is installed.  The system location is usually C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DataONTAP.
  • Open LogSettings.xml in a text editor.
  • Change the root logger level from OFF to DEBUG and save the file.
  • Restart PowerShell.

This would allow us to see the XML interaction with the controller.  A WireShark trace might also be useful.

Re: Connect-NaController -Credential bug?

I can get to http://<FilerName>/na_admin/

from PowerShell:


2010-11-03 17:37:53,062 INFO  DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: Connect-NaController $Filer -Credential $cred
2010-11-03 17:37:53,140 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-03 17:37:53,140 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-03 17:37:53,140 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to x.x.x.x via HTTPS
2010-11-03 17:37:53,796 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><
system-get-ontapi-version /></netapp>

2010-11-03 17:37:54,202 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 80
2010-11-03 17:37:54,202 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTP
2010-11-03 17:37:54,202 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to x.x.x.x via HTTPS
2010-11-03 17:37:54,218 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><
system-get-ontapi-version /></netapp>

Connect-NaController : API invoke failed.
At line:1 char:21
+ Connect-NaController <<<<  $Filer -Credential $cred
    + CategoryInfo          : NotSpecified: (Smiley Happy [Connect-NaController], NaException
    + FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

Re: Connect-NaController -Credential bug?

Clinton, thanks for your help with this.

I can connect to my filer over HTTP via http://filer.domain.com/na_admin, and HTTPS via https://filer.domain.com/na_admin (after accepting the default SSL warning).

Interestingly enough, as you can see below, when I run PowerShell in the context of my domain admin credentials, I'm unable to pass a PSCredential object. I can connect without it, since my domain admin account has access to the filer, since it was joined to AD for CIFS purposes. However, when I use my non-domain admin user account, I can pass in a PSCredential object. Attempting to connect without a -Credential parameter fails since my non-domain admin user account doesn't have the capability to invoke API system-get-ontapi-version.

Here's the debug output you asked for.

**************************************************************************************

Comment: creating the PSCredential object

PS C:\Support\Scripts\VMware> $nacred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


Comment: Attempting to connect using -Credential

PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred
2010-11-03 15:57:41,799 INFO  DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred
2010-11-03 15:57:41,872 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-03 15:57:41,873 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-03 15:57:41,889 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:57:42,273 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

2010-11-03 15:57:42,431 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 80
2010-11-03 15:57:42,431 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTP
2010-11-03 15:57:42,432 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:57:42,435 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<<  "filer.domain.com" -Credential $nacred
    + CategoryInfo          : NotSpecified: (Smiley Happy [Connect-NaController], NaException
    + FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

Comment: Attempting to connect without -Credential (PoSH CLI launched using domain admin credentials, so my existing creds pass through)

PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com"
2010-11-03 15:58:24,526 INFO  DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com"
2010-11-03 15:58:24,532 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 0
2010-11-03 15:58:24,534 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to RPC
2010-11-03 15:58:24,537 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via RPC
2010-11-03 15:58:24,545 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

2010-11-03 15:58:29,855 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><major-version>1</major-version><minor-version>12</minor-version></results>
2010-11-03 15:58:30,171 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to filer.domain.com, ONTAPI version is 1.12
2010-11-03 15:58:30,400 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-version /></netapp>

2010-11-03 15:58:31,356 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><version>NetApp Release 7.3.3: Thu Mar 11 22:43:52 PST 2010</version></results>
2010-11-03 15:58:31,588 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to filer.domain.com, ONTAP version is NetApp Release 7.3.3: Thu Mar 11 22:43:52 PST 2010

Comment: Trying with -Credential again and -ForceSecure

PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceSecure
2010-11-03 15:59:06,174 INFO  DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceSecure
2010-11-03 15:59:06,178 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-03 15:59:06,180 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-03 15:59:06,184 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:59:06,190 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<<  "filer.domain.com" -Credential $nacred -ForceSecure
    + CategoryInfo          : NotSpecified: (Smiley Happy [Connect-NaController], NaException
    + FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

Comment: -Credential with -ForceUnsecure

PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceUnsecure
2010-11-03 15:59:12,320 INFO  DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceUnsecure
2010-11-03 15:59:12,327 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 80
2010-11-03 15:59:12,328 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTP
2010-11-03 15:59:12,332 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:59:12,338 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<<  "filer.domain.com" -Credential $nacred -ForceUnsecure
    + CategoryInfo          : NotSpecified: (Smiley Happy [Connect-NaController], NaException
    + FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

Re: Connect-NaController -Credential bug?

Thanks to both of you for the debug output.  I don't see anything obvious, but we have some ideas.  Would one or both of you please try a couple more things?

1. Using the RPC connection, capture and post the output of Get-NaOption *http* *hosts*

2. See if there is any inner exception.  To do this, reproduce the HTTP problem using Connect-NaController, then immediately issue $error[0].Exception.InnerException

Re: Connect-NaController -Credential bug?

Connecting using RPC:

ClusterConstraint                       Name                                    Value
-----------------                       ----                                    -----
none                                    httpd.access                            legacy
none                                    httpd.admin.access                      legacy
none                                    httpd.admin.enable                      on
none                                    httpd.admin.hostsequiv.enable           off
none                                    httpd.admin.hostsequiv.enable           off
none                                    httpd.admin.max_connections             512
none                                    httpd.admin.ssl.enable                  on
none                                    httpd.admin.top-page.authentication     on
none                                    httpd.autoindex.enable                  off
none                                    httpd.bypass_traverse_checking          off
none                                    httpd.enable                            off
none                                    httpd.ipv6.enable                       off
only_one                                httpd.log.format                        common
none                                    httpd.method.trace.enable               off
none                                    httpd.rootdir                           XXX
only_one                                httpd.timeout                           300
only_one                                httpd.timewait.enable                   off
same_required                           trusted.hosts                           *

Attempting to connect while passing credentials:

PS C:\Support\Scripts\VMware\Production> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Support\Scripts\VMware\Production> $nacontroller = Connect-NaController -name "filer.domain.com" -Credential $cred
Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<<  -name "filer.domain.com" -Credential $cred
    + CategoryInfo          : NotSpecified: (Smiley Happy [Connect-NaController], NaException
    + FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

PS C:\Support\Scripts\VMware\Production> $error[0].Exception.InnerException
The remote server returned an error: (407) Proxy Authentication Required.

Now we're getting somewhere...