Active IQ Unified Manager Discussions
WFA PowerShell code:
param (
    [parameter(Mandatory=$true, HelpMessage="Cluster name or IP address")]
    [string]$Cluster
)
# connect to controller
Connect-WfaCluster -Node $Cluster
if($Cluster)
{
    Get-WFALogger -Info -message $("Setting Security Audit on: " + $Cluster)
    Set-NcAudit -CliSet $true -OntapiSet $true -Controller $Cluster
}
Above is some simple code to manipulate the audit setting.
The code is pretty straightforward, but I am not sure why I keep getting the error below even after making the connection.
Please advise!
15:38:48.959 INFO [TSS Cluster Settings] ### Command 'TSS Cluster Settings' in 'POWER_SHELL' ###
15:39:21.068 INFO [TSS Cluster Settings] Get-WfaCredentials -Host ABCD
15:39:21.115 INFO [TSS Cluster Settings] Credentials successfully provided for 'ABCD'
15:39:21.162 INFO [TSS Cluster Settings] Connect-Controller -Type CLUSTER -Name ABCD -Credential System.Management.Automation.PSCredential -Vserver -SSLversion TLSv1
15:39:21.209 INFO [TSS Cluster Settings] Credentials successfully provided for 'ABCD'
15:39:21.271 INFO [TSS Cluster Settings] Connect-NcController (with credentials) -Name ABCD -Timeout 60000 -ErrorAction Stop -Port 443 -SSLVersion TLSv1
15:39:22.381 INFO [TSS Cluster Settings] Connected to cluster node
15:39:22.443 INFO [TSS Cluster Settings] Setting Security Audit on: ABCD
15:39:28.303 ERROR [TSS Cluster Settings] Command failed for Workflow ' TSS Cluster Settings cDOT' with error : Incorrect credentials for ABCD
15:39:28.318 INFO [TSS Cluster Settings] ***** Workflow Execution Failed *****
Hi,
Have you tried it without passing the -Controller variable? The "global:CurrentNcController" variable is already set by the "Connect-WFACluster" function; you shouldn't need to pass the -Controller parameter. Have you tried commenting out the line that contains -Controller and replacing the command to omit the -Controller parameter? E.g.:

#'------------------------------------------------------------------------------
#'Set-NcAudit -CliSet $true -OntapiSet $true -Controller $Cluster
#'------------------------------------------------------------------------------
Set-NcAudit -CliSet $true -OntapiSet $true
#'------------------------------------------------------------------------------

Also, have you tried it externally to WFA? If you do a "get-help set-ncaudit -full" you'll notice many of those parameters are specific to ONTAP versions. I noticed there were error warnings; you might want to check that the parameters apply to the version of ONTAP that your cluster is running.

Import-Module DataONTAP
$credentials = Get-Credential -Credential admin
connect-nccontroller -name cluster1.testlab.local -https -Credential $credentials | Out-Null
Set-NcAudit -CliSet $true -OntapiSet $true
WARNING: CliSet, HttpSet, OntapiSet, SnmpSet are not supported in Data ONTAP 9.0 and later. Ignoring value(s).
/Matt
Hi Vikramjeet,
Here is the command code that contains all input parameters for the "Set-NcAudit" cmdlet and tests the ONTAP version:

Param(
    [Parameter(Mandatory=$True, HelpMessage="The Cluster name or IP address")]
    [String]$Cluster,
    [Parameter(Mandatory=$True, HelpMessage="The DataONTAP version number running on the cluster")]
    [String]$Version,
    [Parameter(Mandatory=$False, HelpMessage="If true, enable auditing of CLI set operations. If false, disable auditing of CLI set operations. If not specified, the setting will remain unchanged")]
    [Bool]$CliSet,
    [Parameter(Mandatory=$False, HelpMessage="If true, enable auditing of CLI get operations. If false, disable auditing of CLI get operations. If not specified, the setting will remain unchanged")]
    [Bool]$CliGet,
    [Parameter(Mandatory=$False, HelpMessage="If true, enable auditing of HTTP set operations. If false, disable auditing of HTTP set operations. If not specified, the setting will remain unchanged")]
    [Bool]$HttpSet,
    [Parameter(Mandatory=$False, HelpMessage="If true, enable auditing of HTTP get operations. If false, disable auditing of HTTP get operations. If not specified, the setting will remain unchanged")]
    [Bool]$HttpGet,
    [Parameter(Mandatory=$False, HelpMessage="If true, enable auditing of SNMP set operations. If false, disable auditing of SNMP set operations. If not specified, the setting will remain unchanged")]
    [Bool]$SnmpSet,
    [Parameter(Mandatory=$False, HelpMessage="If true, enable auditing of SNMP get operations. If false, disable auditing of SNMP get operations. If not specified, the setting will remain unchanged")]
    [Bool]$SnmpGet,
    [Parameter(Mandatory=$False, HelpMessage="If true, enable auditing of ONTAPI set operations. If false, disable auditing of ONTAPI set operations. If not specified, the setting will remain unchanged")]
    [Bool]$OntapiSet,
    [Parameter(Mandatory=$False, HelpMessage="If true, enable auditing of ONTAPI get operations. If false, disable auditing of ONTAPI get operations. If not specified, the setting will remain unchanged")]
    [Bool]$OntapiGet,
    [Parameter(Mandatory=$False, HelpMessage="The maximum number of ZAPI retry attempts")]
    [Int]$ZapiRetryCount
)
#'------------------------------------------------------------------------------
#'Connect to the cluster.
#'------------------------------------------------------------------------------
Connect-WfaCluster -Node $Cluster
#'------------------------------------------------------------------------------
#'Set the command to enable security auditing.
#'------------------------------------------------------------------------------
[Int]$versionComparisionValue900 = Compare-OntapVersions $Version "9.0.0"
[String]$command = "Set-NcAudit "
If($CliSet){
    If($versionComparisionValue900 -ne -1){
        Get-WFALogger -Warn -Message "The ""CliSet"" parameter is not supported in Data ONTAP 9.0 and later. Ignoring value"
    }Else{
        [String]$command += "-CliSet `$True "
    }
}
If($CliGet){
    [String]$command += "-CliGet `$True "
}
If($HttpSet){
    If($versionComparisionValue900 -ne -1){
        Get-WFALogger -Warn -Message "The ""HttpSet"" parameter is not supported in Data ONTAP 9.0 and later. Ignoring value"
    }Else{
        [String]$command += "-HttpSet `$True "
    }
}
If($HttpGet){
    [String]$command += "-HttpGet `$True "
}
If($SnmpSet){
    If($versionComparisionValue900 -ne -1){
        Get-WFALogger -Warn -Message "The ""SnmpSet"" parameter is not supported in Data ONTAP 9.0 and later. Ignoring value"
    }Else{
        [String]$command += "-SnmpSet `$True "
    }
}
If($SnmpGet){
    [String]$command += "-SnmpGet `$True "
}
If($OntapiSet){
    If($versionComparisionValue900 -ne -1){
        Get-WFALogger -Warn -Message "The ""OntapiSet"" parameter is not supported in Data ONTAP 9.0 and later. Ignoring value"
    }Else{
        [String]$command += "-OntapiSet `$True "
    }
}
If($OntapiGet){
    [String]$command += "-OntapiGet `$True "
}
If($ZapiRetryCount){
    [String]$command += "-ZapiRetryCount $ZapiRetryCount "
}
[String]$command += "-ErrorAction Stop"
#'------------------------------------------------------------------------------
#'Ensure an input parameter was provided.
#'String.Contains() is case-sensitive and the command text holds "$True", so
#'the case-insensitive -Match operator is used for the test.
#'------------------------------------------------------------------------------
If($command -Match '\$(True|False)'){
    [Bool]$enable = $True
}Else{
    [Bool]$enable = $False
}
#'------------------------------------------------------------------------------
#'Set security auditing.
#'------------------------------------------------------------------------------
If($enable){
    Get-WFALogger -Info -message "Setting security audit on cluster ""$Cluster"" running DataONTAP version ""$Version"""
    Try{
        Invoke-Expression -Command $command -ErrorAction Stop
        Get-WFALogger -Info -Message "Executed Command`: $command"
    }Catch{
        Get-WFALogger -Error -Message $("Failed Executing Command`: $command. Error " + $_.Exception.Message)
        Throw "Failed setting security audit on cluster ""$Cluster"""
    }
}Else{
    Get-WFALogger -Info -Message "No input parameters were provided to set security auditing on cluster ""$Cluster"" running DataONTAP version ""$Version"""
}
#'------------------------------------------------------------------------------
/Matt
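The version gate and the "if not specified, the setting will remain unchanged" rule from the command above, as an added example that is not part of the original post or of WFA: the arguments are collected in a hashtable for splatting, so no command string is assembled for Invoke-Expression and an explicit $false is passed through instead of being dropped. Build-AuditArgs is a hypothetical helper name, and a [version] comparison stands in for WFA's Compare-OntapVersions (assuming a dotted numeric version string) so the block runs outside WFA.

```powershell
# Added example. Build-AuditArgs is a hypothetical helper, not a WFA or DataONTAP cmdlet.
function Build-AuditArgs {
    param(
        # Assumption: dotted numeric version such as "8.3.2" or "9.1.0".
        [Parameter(Mandatory=$true)][version]$Version,
        # The caller's $PSBoundParameters (or any dictionary of requested settings).
        [Parameter(Mandatory=$true)][System.Collections.IDictionary]$Requested
    )
    # Parameters the cmdlet warning on this page reports as ignored on 9.0 and later.
    $setOnly  = @('CliSet', 'HttpSet', 'OntapiSet', 'SnmpSet')
    $auditing = $setOnly + @('CliGet', 'HttpGet', 'OntapiGet', 'SnmpGet')
    $splat    = @{}
    foreach ($name in $auditing) {
        # Not supplied by the caller: leave the cluster setting unchanged.
        if ($Requested.Keys -notcontains $name) { continue }
        if (($setOnly -contains $name) -and ($Version -ge [version]'9.0')) {
            Write-Warning "$name is not supported in Data ONTAP 9.0 and later. Ignoring value."
            continue
        }
        # An explicit $false survives, so auditing can be disabled as well as enabled.
        $splat[$name] = [bool]$Requested[$name]
    }
    if ($Requested.Keys -contains 'ZapiRetryCount') {
        $splat['ZapiRetryCount'] = [int]$Requested['ZapiRetryCount']
    }
    return $splat
}

# Constructed sample request, evaluated for an 8.3 and a 9.1 cluster.
$request = @{ CliSet = $true; OntapiSet = $true; CliGet = $false }
foreach ($v in '8.3.2', '9.1.0') {
    $auditArgs = Build-AuditArgs -Version $v -Requested $request
    "ONTAP $v -> " + (($auditArgs.Keys | Sort-Object | ForEach-Object { "-$_ `$$($auditArgs[$_])" }) -join ' ')
}

# In the WFA command, after Connect-WfaCluster -Node $Cluster:
#   $auditArgs = Build-AuditArgs -Version $Version -Requested $PSBoundParameters
#   if ($auditArgs.Count -gt 0) { Set-NcAudit @auditArgs -ErrorAction Stop }
```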
Thanks Mbeattie, you were right, the SET command is not supported in 9.0, my bad. I should have looked carefully at the Get-NcAudit parameters, silly mistake.
Thanks again 🙂