Microsoft Virtualization Discussions

API invoke failed

Running PSTK 3.2 on Windows 2008 R2 servers.

Many different PowerShell scripts using module DataOnTap.

Everything has been fine, running like clockwork on multiple servers.

Last night was production patching night and the following were installed:


- MS16-114: Description of the security update for Windows SMBv1 Server: September 13, 2016
- September 2016 time zone change for Novosibirsk
- MS16-111: Description of the security update for Windows Kernel: September 13, 2016
- MS16-116: Description of the security update for OLE Automation for VBScript Scripting Engine: September 13, 2016
- MS16-106: Description of the security update for Microsoft Graphics Component: September 13, 2016
- MS16-104: Security update for Internet Explorer: September 13, 2016



Today, on multiple servers, all of my powershell scripts are failing due to a failure in Connect-NaController:


PS C:\Users\admin> Connect-NaController -HTTPS server01
Connect-NaController : API invoke failed.
At line:1 char:21
+ Connect-NaController <<<< -HTTPS server01
+ CategoryInfo : InvalidResult: (msfcnf01:NaController) [Connect-NaController], NaException
+ FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController


Connecting via RPC works fine but we use HTTPS.


Any help would be greatly appreciated.


Re: API invoke failed



This is what I get when trying the same with PSTK 4.2 (latest version, just downloaded today)



PS C:\Users\admin> Connect-NaController -HTTPS server01
Connect-NaController : Connection to server01 using HTTPS failed - The request was aborted: Could not create SSL/TLS
secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
At line:1 char:1
+ Connect-NaController -HTTPS server01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (msfcnf01:NaController) [Connect-NaController], NaConnectionSSLException
+ FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController



OnCommand System manager to the same exact filers is working fine from the same server that is exhibiting the PowerShell failures above.

Re: API invoke failed

Another update:


The same exact error occurs when running PSTK 3.2 or 4.2 from Windows 7.


Fortunately, I had a snapshot from a few days ago on my Windows 7 VM, before the last round of Microsoft patches.


Restore to that VM snapshot and the PSTK connect-nacontroller -https works perfectly.


So, this is definitely the result of recent Microsoft patches.


Would be surprised if more people weren't experiencing this.

Re: API invoke failed

We uninstalled the Microsoft patches on the server and that resolved the PowerShell ToolKit 3.2 connect-nacontroller.


We are now going to reinstall the patches, one-by-one, with reboots in-between, to figure out exactly which Microsoft patch is responsible.

Re: API invoke failed



Found the MS patch responsible:

- MS16-111: Description of the security update for Windows Kernel: September 13, 2016


So, any ideas how to mitigate this while keeing KB3175024 installed?

Re: API invoke failed

Good find.


I ran into the same problem and worked around it that same way (removing the KB3175024 patch).

Re: API invoke failed


We had same problem and see that after updates that connect did not work.


We did some troubleshooting and it seems that on the controllers the key length was only 512.

This should be at least 2048 for security reasons.


I advice to renew certificates with key lenght to at least 2048.

After install certificate you will be able to connect again.

Re: API invoke failed

I have a ticket in with our Microsoft TAM to provide a work-around so that we can re-apply KB3175024.


When I receive the work-around I'll post it here.

Re: API invoke failed



could you share/provide more details about the troubleshooting you've done?

I'm running PSTK 4.0 and have the hotfixes installed and have not a problem connecting to the filer.


Kind regards,




Re: API invoke failed


This is the update that is causing the problem:


This update blocks certificates with keylenght 512.


For Windows 7 and Windows Server 2008 R2, this update is included in security update 3175024.


For doing check or renewal on NetApp filer :


Hope this helps


Re: API invoke failed

We are running 7-Mode but I can see that the private key uses a 512 bit keylength using:


keymgr list key


Unfortunately, refreshing certificates on 22 NetApp filers spread across the country is a daunting task.


I am still waiting for a response from our Microsoft TAM on a way to allow the 512 bit keylength either globally or for specified, trusted hosts.

Re: API invoke failed

I have finally received a working registry work-around from Microsoft. Here it is:





The difference versus the non-working registry work-around is "PKCS" key versus previous "DiffieHellman" key

View solution in original post

Re: API invoke failed


What Microsoft is doing with adjusting the registry key is a workarround so you kan work for now with certificates who are build with a keylength of 512.


If you want a more secure and lasting solution i suggest you create new certificates with keylength at least 1024 (2048 or 4096 are even better).

This will prevent a new Microsoft update to change the key again and some dissapointment in future.


Greetz Léon Zweers

Re: API invoke failed

Yes, thank you for that.


I am aware that the registry key is simply loosening the restriction on the minimum key length.


That is obvious from the name of the registry key.


However, it will take some time to update 22 production NetApp filers with higher keylength certificates.


This registry key allows us to work-around the problem in the meantime.





Re: API invoke failed

thank you, thank you, thank you!
thought I was driving mad! searched my ass of as suddenly all my scripts failed.
Just to add in case anyone is asking: dword is in hex, no reboot required.




Cloud Volumes ONTAP
Review Banner
All Community Forums