Microsoft Virtualization Discussions
Microsoft Virtualization Discussions
I'm using DataONTAP module version 1.2.0.67, and I'm seeing an issue with Connect-NaController when a PSCredential object is supplied.
I'm able to connect to a controller using the following syntax:
Connect-NaController "controllername" (I launched PS as the same domain user that has access to the controller via Active Directory)
I get an API Invoke failed when I supply those same credentials to a Get-Credential, or the root user/password credentials to Get-Credential. I've verified the root user/password credentials work by SSH'ing into the controller, which takes a domain authentication issue out of the question.
Any ideas?
Solved! See The Solution
Toolkit 1.3, posted today, does not use the system HTTP proxy settings. Hence the workaround should no longer be necessary.
Hi,
How exactly are you providing the credentials?
I've found that the API invoke errors are normally created when the expected paremeter is not a string type. Have a look at this discussion which provides some sample code for dealing with a similar error.
I am providing the credentials via Get-Credential. For example:
$netapp = "filer.domain.com"
$nacred = Get-Credential
$nacontroller = Connect-NaController -Name $netapp -Credential $nacred
I get the API Invoke failed when trying to connect, not after connecting and attempting to run further commands.
Thanks for your help!
Damian
Hello, Damian. I don't see anything inherently wrong with your code, and it worked for me on multiple systems (Win 2008 R2 and Win 7, ONTAP 7.3.3). A few thoughts:
Please let us know if you figure it out.
I am having the same issue. Tried http, https, differnet user, hostname, ipaddress, etc. no luck.
From 2003 server to filer 7.3.x
PS C:\Documents and Settings\me> Connect-NaController "x.x.x.x" -Credential (Get-Credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Connect-NaController : API invoke failed.
At line:1 char:21
+ Connect-NaController <<<< "x.x.x.x" -Credential (Get-Credential)
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController
I have re-tested Toolkit 1.2 with Windows 2003 (32-bit), and RPC / HTTP / HTTPS all worked here.
If RPC works and HTTP does not, this sounds more like a network or firewall issue. You could check whether HTTP access to the controller is working at all by pointing a browser from the Windows host to http://<address>/na_admin/.
You can also enable debug output in the PowerShell Toolkit as follows:
This would allow us to see the XML interaction with the controller. A WireShark trace might also be useful.
I can get to http://<FilerName>/na_admin/
from PowerShell:
2010-11-03 17:37:53,062 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: Connect-NaController $Filer -Credential $cred
2010-11-03 17:37:53,140 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-03 17:37:53,140 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-03 17:37:53,140 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to x.x.x.x via HTTPS
2010-11-03 17:37:53,796 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><
system-get-ontapi-version /></netapp>
2010-11-03 17:37:54,202 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 80
2010-11-03 17:37:54,202 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTP
2010-11-03 17:37:54,202 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to x.x.x.x via HTTPS
2010-11-03 17:37:54,218 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><
system-get-ontapi-version /></netapp>
Connect-NaController : API invoke failed.
At line:1 char:21
+ Connect-NaController <<<< $Filer -Credential $cred
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController
Clinton, thanks for your help with this.
I can connect to my filer over HTTP via http://filer.domain.com/na_admin, and HTTPS via https://filer.domain.com/na_admin (after accepting the default SSL warning).
Interestingly enough, as you can see below, when I run PowerShell in the context of my domain admin credentials, I'm unable to pass a PSCredential object. I can connect without it, since my domain admin account has access to the filer, since it was joined to AD for CIFS purposes. However, when I use my non-domain admin user account, I can pass in a PSCredential object. Attempting to connect without a -Credential parameter fails since my non-domain admin user account doesn't have the capability to invoke API system-get-ontapi-version.
Here's the debug output you asked for.
**************************************************************************************
Comment: creating the PSCredential object
PS C:\Support\Scripts\VMware> $nacred = Get-Credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Comment: Attempting to connect using -Credential
PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred
2010-11-03 15:57:41,799 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred
2010-11-03 15:57:41,872 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-03 15:57:41,873 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-03 15:57:41,889 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:57:42,273 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>
2010-11-03 15:57:42,431 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 80
2010-11-03 15:57:42,431 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTP
2010-11-03 15:57:42,432 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:57:42,435 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>
Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<< "filer.domain.com" -Credential $nacred
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController
Comment: Attempting to connect without -Credential (PoSH CLI launched using domain admin credentials, so my existing creds pass through)
PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com"
2010-11-03 15:58:24,526 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com"
2010-11-03 15:58:24,532 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 0
2010-11-03 15:58:24,534 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to RPC
2010-11-03 15:58:24,537 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via RPC
2010-11-03 15:58:24,545 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>
2010-11-03 15:58:29,855 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><major-version>1</major-version><minor-version>12</minor-version></results>
2010-11-03 15:58:30,171 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to filer.domain.com, ONTAPI version is 1.12
2010-11-03 15:58:30,400 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-version /></netapp>
2010-11-03 15:58:31,356 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><version>NetApp Release 7.3.3: Thu Mar 11 22:43:52 PST 2010</version></results>
2010-11-03 15:58:31,588 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to filer.domain.com, ONTAP version is NetApp Release 7.3.3: Thu Mar 11 22:43:52 PST 2010
Comment: Trying with -Credential again and -ForceSecure
PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceSecure
2010-11-03 15:59:06,174 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceSecure
2010-11-03 15:59:06,178 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-03 15:59:06,180 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-03 15:59:06,184 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:59:06,190 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>
Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<< "filer.domain.com" -Credential $nacred -ForceSecure
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController
Comment: -Credential with -ForceUnsecure
PS C:\Support\Scripts\VMware> $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceUnsecure
2010-11-03 15:59:12,320 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: $nacontroller = Connect-NaController "filer.domain.com" -Credential $nacred -ForceUnsecure
2010-11-03 15:59:12,327 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 80
2010-11-03 15:59:12,328 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTP
2010-11-03 15:59:12,332 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to filer.domain.com via HTTPS
2010-11-03 15:59:12,338 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>
Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<< "filer.domain.com" -Credential $nacred -ForceUnsecure
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController
Thanks to both of you for the debug output. I don't see anything obvious, but we have some ideas. Would one or both of you please try a couple more things?
1. Using the RPC connection, capture and post the output of Get-NaOption *http* *hosts*
2. See if there is any inner exception. To do this, reproduce the HTTP problem using Connect-NaController, then immediately issue $error[0].Exception.InnerException
Connecting using RPC:
ClusterConstraint Name Value
----------------- ---- -----
none httpd.access legacy
none httpd.admin.access legacy
none httpd.admin.enable on
none httpd.admin.hostsequiv.enable off
none httpd.admin.hostsequiv.enable off
none httpd.admin.max_connections 512
none httpd.admin.ssl.enable on
none httpd.admin.top-page.authentication on
none httpd.autoindex.enable off
none httpd.bypass_traverse_checking off
none httpd.enable off
none httpd.ipv6.enable off
only_one httpd.log.format common
none httpd.method.trace.enable off
none httpd.rootdir XXX
only_one httpd.timeout 300
only_one httpd.timewait.enable off
same_required trusted.hosts *
Attempting to connect while passing credentials:
PS C:\Support\Scripts\VMware\Production> $cred = Get-Credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Support\Scripts\VMware\Production> $nacontroller = Connect-NaController -name "filer.domain.com" -Credential $cred
Connect-NaController : API invoke failed.
At line:1 char:37
+ $nacontroller = Connect-NaController <<<< -name "filer.domain.com" -Credential $cred
+ CategoryInfo : NotSpecified: (:) [Connect-NaController], NaException
+ FullyQualifiedErrorId : NetApp.Ontapi.NaException,DataONTAP.PowerShell.SDK.ConnectNaController
PS C:\Support\Scripts\VMware\Production> $error[0].Exception.InnerException
The remote server returned an error: (407) Proxy Authentication Required.
Now we're getting somewhere...
Sorry for the multi replies. I went into IE and uncheck my proxy setting. It seems to work. Of course now I canot get onto the internet. Is there a way to bypass the proxy (i do have the exclusion in IE also..did not work)?
my output:
PS C:\Documents and Settings\me> Connect-NaController $Filer -Credential $cred
2010-11-04 14:40:43,317 INFO DataONTAP.PowerShell.SDK.ConnectNaController - Cmdlet invocation: Connect-NaController $Filer -Credential $cred
2010-11-04 14:40:43,380 DEBUG NetApp.Ontapi.NaServer - NaServer port changed to 443
2010-11-04 14:40:43,380 DEBUG NetApp.Ontapi.NaServer - NaServer Protocol changed to HTTPS
2010-11-04 14:40:43,380 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connecting to x.x.x.x via HTTPS
2010-11-04 14:40:44,114 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-ontapi-version /></netapp>
2010-11-04 14:40:44,739 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><major-version>1</major-version><minor-version>9</minor-version></results>
2010-11-04 14:40:45,505 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to x.x.x.x, ONTAPI versionis 1.9
2010-11-04 14:40:46,005 DEBUG NetApp.Ontapi.NaServer - <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-get-version /></netapp>
2010-11-04 14:40:46,130 DEBUG NetApp.Ontapi.NaServer - <results status="passed"><version>NetApp Release 7.3.1.1P9: Thu Sep 17 11:19:53 PDT 2009</version></results>
2010-11-04 14:40:46,567 DEBUG DataONTAP.PowerShell.SDK.ConnectNaController - Connected to x.x.x.x, ONTAP version is NetApp Release 7.3.1.1P9: Thu Sep 17 11:19:53 PDT 2009
Name Address Ontapi Version
---- ------- ------ -------
x.x.x.x x.x.x.x 1.9 NetApp Release 7.3.1.1P9: Thu Sep 17 11:19:53 PDT 2009
Possible workaround.
We did wireshark and found that it uses the ip address for the filer even if we use the name of the filer. Therefore it was not picked up on our proxy exception (*.domain.com). When we added the ip address for the filer to the proxy exception it works fine.
OK, thanks to both of you. I can confirm the Toolkit currently uses the system default HTTP proxy setting that is set in Internet Explorer. It seems we should change the Toolkit to never use a proxy. In the meantime, please try this potential workaround before invoking Connect-NaController:
[System.Net.WebRequest]::DefaultWebProxy = $null
[System.Net.WebRequest]::DefaultWebProxy = $null
Works like a champ, Clinton. Thanks for the help!
Toolkit 1.3, posted today, does not use the system HTTP proxy settings. Hence the workaround should no longer be necessary.
I know RPC will not work in my netowork so I did not try that one.
I get:
PS C:\Documents and Settings\me> $error[0].Exception.InnerException
The remote server returned an error: (403) Forbidden.
Which Is like the proxy issue. I will disable my proxy and see what happen.