Solved: Re: Connect-NaController -Credential bug?

damiankarlson · ‎2010-11-02

I'm using DataONTAP module version 1.2.0.67, and I'm seeing an issue with Connect-NaController when a PSCredential object is supplied.

I'm able to connect to a controller using the following syntax:

Connect-NaController "controllername" (I launched PS as the same domain user that has access to the controller via Active Directory)

I get an API Invoke failed when I supply those same credentials to a Get-Credential, or the root user/password credentials to Get-Credential. I've verified the root user/password credentials work by SSH'ing into the controller, which takes a domain authentication issue out of the question.

Any ideas?

cknight · ‎2011-01-31

Toolkit 1.3, posted today, does not use the system HTTP proxy settings. Hence the workaround should no longer be necessary.

View solution in original post

panayigreg · ‎2010-11-03

Hi,

How exactly are you providing the credentials?

I've found that the API invoke errors are normally created when the expected paremeter is not a string type. Have a look at this discussion which provides some sample code for dealing with a similar error.

http://communities.netapp.com/message/40826#40826

damiankarlson · ‎2010-11-03

I am providing the credentials via Get-Credential. For example:

$netapp = "filer.domain.com"

$nacred = Get-Credential

$nacontroller = Connect-NaController -Name $netapp -Credential $nacred

I get the API Invoke failed when trying to connect, not after connecting and attempting to run further commands.

Thanks for your help!

Damian

cknight · ‎2010-11-03

Hello, Damian. I don't see anything inherently wrong with your code, and it worked for me on multiple systems (Win 2008 R2 and Win 7, ONTAP 7.3.3). A few thoughts:

If you are using the fully-qualified domain name of the storage controller, make sure that is resolvable from your Windows host.
Try using an IP address instead.
Connect-NaController does make a couple of API calls to validate the connection (system-get-version and system-get-ontapi-version). Ensure the user whose credentials you are using has permission to call those APIs.
Try both HTTPS and HTTP via the ForceSecure and ForceUnsecure switches, respectively.

Please let us know if you figure it out.

rharveyva · ‎2010-11-03

I am having the same issue. Tried http, https, differnet user, hostname, ipaddress, etc. no luck.

From 2003 server to filer 7.3.x

PS C:\Documents and Settings\me> Connect-NaController "x.x.x.x" -Credential (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Connect-NaController : API invoke failed.
At line:1 char:21
+ Connect-NaController <<<< "x.x.x.x" -Credential (Get-Credential)
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

cknight · ‎2010-11-03

I have re-tested Toolkit 1.2 with Windows 2003 (32-bit), and RPC / HTTP / HTTPS all worked here.

If RPC works and HTTP does not, this sounds more like a network or firewall issue. You could check whether HTTP access to the controller is working at all by pointing a browser from the Windows host to http://<address>/na_admin/.

You can also enable debug output in the PowerShell Toolkit as follows:

In Windows Explorer, navigate to the PowerShell modules directory where the Toolkit is installed. The system location is usually C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DataONTAP.
Open LogSettings.xml in a text editor.
Change the root logger level from OFF to DEBUG and save the file.
Restart PowerShell.

This would allow us to see the XML interaction with the controller. A WireShark trace might also be useful.

rharveyva · ‎2010-11-03

I can get to http://<FilerName>/na_admin/

from PowerShell:

2010-11-03 17:37:53,062 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: Connect-NaController $Filer -Credential $cred
2010-11-03 17:37:53,140 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-03 17:37:53,140 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-03 17:37:53,140 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to x.x.x.x via HTTPS
2010-11-03 17:37:53,796 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><
system-get-ontapi-version /></netapp>

2010-11-03 17:37:54,202 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 80
2010-11-03 17:37:54,202 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTP
2010-11-03 17:37:54,202 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to x.x.x.x via HTTPS
2010-11-03 17:37:54,218 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><
system-get-ontapi-version /></netapp>

Connect-NaController : API invoke failed.
At line:1 char:21
+ Connect-NaController <<<< $Filer -Credential $cred
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

damiankarlson · ‎2010-11-03

Clinton, thanks for your help with this.

I can connect to my filer over HTTP via http://filer.domain.com/na_admin, and HTTPS via https://filer.domain.com/na_admin (after accepting the default SSL warning).

Interestingly enough, as you can see below, when I run PowerShell in the context of my domain admin credentials, I'm unable to pass a PSCredential object. I can connect without it, since my domain admin account has access to the filer, since it was joined to AD for CIFS purposes. However, when I use my non-domain admin user account, I can pass in a PSCredential object. Attempting to connect without a -Credential parameter fails since my non-domain admin user account doesn't have the capability to invoke API system-get-ontapi-version.

Here's the debug output you asked for.

**************************************************************************************

Comment: creating the PSCredential object

PS C:\Support\Scripts\VMware> $nacred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential

Comment: Attempting to connect using -Credential

PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred
2010-11-03 15:57:41,799 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred
2010-11-03 15:57:41,872 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-03 15:57:41,873 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-03 15:57:41,889 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:57:42,273 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

2010-11-03 15:57:42,431 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 80
2010-11-03 15:57:42,431 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTP
2010-11-03 15:57:42,432 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:57:42,435 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<< "filer.domain.com" -Credential $nacred
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

Comment: Attempting to connect without -Credential (PoSH CLI launched using domain admin credentials, so my existing creds pass through)

PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com"
2010-11-03 15:58:24,526 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com"
2010-11-03 15:58:24,532 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 0
2010-11-03 15:58:24,534 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to RPC
2010-11-03 15:58:24,537 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via RPC
2010-11-03 15:58:24,545 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

2010-11-03 15:58:29,855 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><major-version>1</major-version><minor-version>12</minor-version></results>
2010-11-03 15:58:30,171 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to filer.domain.com, ONTAPI version is 1.12
2010-11-03 15:58:30,400 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-version /></netapp>

2010-11-03 15:58:31,356 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><version>NetApp Release 7.3.3: Thu Mar 11 22:43:52 PST 2010</version></results>
2010-11-03 15:58:31,588 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to filer.domain.com, ONTAP version is NetApp Release 7.3.3: Thu Mar 11 22:43:52 PST 2010

Comment: Trying with -Credential again and -ForceSecure

PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceSecure
2010-11-03 15:59:06,174 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceSecure
2010-11-03 15:59:06,178 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-03 15:59:06,180 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-03 15:59:06,184 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:59:06,190 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<< "filer.domain.com" -Credential $nacred -ForceSecure
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

Comment: -Credential with -ForceUnsecure

PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceUnsecure
2010-11-03 15:59:12,320 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceUnsecure
2010-11-03 15:59:12,327 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 80
2010-11-03 15:59:12,328 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTP
2010-11-03 15:59:12,332 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:59:12,338 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<< "filer.domain.com" -Credential $nacred -ForceUnsecure
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

cknight · ‎2010-11-04

Thanks to both of you for the debug output. I don't see anything obvious, but we have some ideas. Would one or both of you please try a couple more things?

1. Using the RPC connection, capture and post the output of Get-NaOption *http* *hosts*

2. See if there is any inner exception. To do this, reproduce the HTTP problem using Connect-NaController, then immediately issue $error[0].Exception.InnerException

damiankarlson · ‎2010-11-04

Connecting using RPC:

ClusterConstraint                       Name                                    Value
-----------------                       ----                                    -----
none                                    httpd.access                            legacy
none                                    httpd.admin.access                      legacy
none                                    httpd.admin.enable                      on
none                                    httpd.admin.hostsequiv.enable           off
none                                    httpd.admin.hostsequiv.enable           off
none                                    httpd.admin.max_connections             512
none                                    httpd.admin.ssl.enable                  on
none                                    httpd.admin.top-page.authentication     on
none                                    httpd.autoindex.enable                  off
none                                    httpd.bypass_traverse_checking          off
none                                    httpd.enable                            off
none                                    httpd.ipv6.enable                       off
only_one                                httpd.log.format                        common
none                                    httpd.method.trace.enable               off
none                                    httpd.rootdir                           XXX
only_one                                httpd.timeout                           300
only_one                                httpd.timewait.enable                   off
same_required                           trusted.hosts                           *

Attempting to connect while passing credentials:

PS C:\Support\Scripts\VMware\Production> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Support\Scripts\VMware\Production> $nacontroller = Connect-NaController -name "filer.domain.com" -Credential $cred
Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<< -name "filer.domain.com" -Credential $cred
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController

PS C:\Support\Scripts\VMware\Production> $error[0].Exception.InnerException
The remote server returned an error: (407) Proxy Authentication Required.

Now we're getting somewhere...

rharveyva · ‎2010-11-04

Sorry for the multi replies. I went into IE and uncheck my proxy setting. It seems to work. Of course now I canot get onto the internet. Is there a way to bypass the proxy (i do have the exclusion in IE also..did not work)?

my output:

PS C:\Documents and Settings\me> Connect-NaController $Filer -Credential $cred
2010-11-04 14:40:43,317 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: Connect-NaController $Filer -Credential $cred
2010-11-04 14:40:43,380 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-04 14:40:43,380 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-04 14:40:43,380 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to x.x.x.x via HTTPS
2010-11-04 14:40:44,114 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>

2010-11-04 14:40:44,739 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><major-version>1</major-version><minor-version>9</minor-version></results>
2010-11-04 14:40:45,505 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to x.x.x.x, ONTAPI versionis 1.9
2010-11-04 14:40:46,005 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-version /></netapp>

2010-11-04 14:40:46,130 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><version>NetApp Release 7.3.1.1P9: Thu Sep 17 11:19:53 PDT 2009</version></results>
2010-11-04 14:40:46,567 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to x.x.x.x, ONTAP version is NetApp Release 7.3.1.1P9: Thu Sep 17 11:19:53 PDT 2009

Name                 Address           Ontapi   Version
----                 -------           ------   -------
x.x.x.x        x.x.x.x     1.9      NetApp Release 7.3.1.1P9: Thu Sep 17 11:19:53 PDT 2009

rharveyva · ‎2010-11-04

Possible workaround.

We did wireshark and found that it uses the ip address for the filer even if we use the name of the filer. Therefore it was not picked up on our proxy exception (*.domain.com). When we added the ip address for the filer to the proxy exception it works fine.

cknight · ‎2010-11-04

OK, thanks to both of you. I can confirm the Toolkit currently uses the system default HTTP proxy setting that is set in Internet Explorer. It seems we should change the Toolkit to never use a proxy. In the meantime, please try this potential workaround before invoking Connect-NaController:

[System.Net.WebRequest]::DefaultWebProxy = $null

damiankarlson · ‎2010-11-04

[System.Net.WebRequest]::DefaultWebProxy = $null

Works like a champ, Clinton. Thanks for the help!

cknight · ‎2011-01-31

Toolkit 1.3, posted today, does not use the system HTTP proxy settings. Hence the workaround should no longer be necessary.

rharveyva · ‎2010-11-04

I know RPC will not work in my netowork so I did not try that one.

I get:

PS C:\Documents and Settings\me> $error[0].Exception.InnerException
The remote server returned an error: (403) Forbidden.

Which Is like the proxy issue. I will disable my proxy and see what happen.