Effective December 3, NetApp adopts Microsoft’s Business-to-Customer (B2C) identity management to simplify and provide secure access to NetApp resources.
For accounts that did not pre-register (prior to Dec 3), access to your NetApp data may take up to 1 hour as your legacy NSS ID is synchronized to the new B2C identity.
To learn more, read the FAQ and watch the video.
Need assistance? Complete this form and select “Registration Issue” as the Feedback Category.

ONTAP Discussions

Cannot Connect to Cluster Via PowerShell in OnTAP 9.3

TMADOCTHOMAS

I am at a division site for one week setting up a new 2620. This is our first time to use OnTAP 9.3 and I think that might be our issue. I have to be able to script throttling of SnapMirror jobs from our remote offices or the jobs slam the local network, however I've hit a major roadblock and can't get past it. What's worse, I was just told NetApp Support doesn't support the PowerShell Toolkit.

 

Here is the issue. I've set credentials for the new cluster using Add-NcCredential. This works without error. I show the list of the current cache and it shows all of our filers and clusters, including the new one. I've added the domain account used for credentials as an account on the filer and assigned it ontapi, http, and ssh, all as admin. I've also enabled http in system web services. Despite all of this, when I enter Connect-NcController -Name <cluster>, I get the error "Incorrect credentials". I have logged in to the server with the service account I am using and I get the same thing. We are on PowerShell Toolkit 4.5 P1, and we do have Putty 0.70 64-bit installed on the D drive.

 

I have tried everything I can think of including comparing settings between other systems where this is working fine. The only difference is OS - the others are 9.1 or 9.2 Anyone have any ideas?

1 ACCEPTED SOLUTION

mbeattie

Hi Thomas,

 

It's definately possible to connect to ONTAP 9.3 using the PSTK. Did you create a domain tunnel on the new cluster to ensure you can authenticate using a domain account? Can you SSH to cluster as the domain account and does it work manually using:

 

Connect-NcController -Name $cluster -HTTPS -Credential (Get-Credential) -ErrorAction Stop

Assuming the cluster LIF IP address is resolvable in DNS? Also assuming that you've checked the cached credentials are valid? EG

 

PS C:\> Add-NcCredential -Controller cluster1.testlab.local -Credential (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential

Name                   Credential                                HostUser
----                   ----------                                --------
cluster1.testlab.local System.Management.Automation.PSCredential TESTLAB\mbeattie


PS C:\> $credentials = Get-NcCredential -Controller cluster1.testlab.local
PS C:\> $credentials

Name                   Credential                                HostUser
----                   ----------                                --------
cluster1.testlab.local System.Management.Automation.PSCredential TESTLAB\mbeattie


PS C:\> $credentials.Credential

UserName                     Password
--------                     --------
admin    System.Security.SecureString

PS C:\> $credentials.Credential.GetNetworkCredential().Password
N0tMyP@ssW0rd!:-}

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

5 REPLIES 5

TMADOCTHOMAS

@mbeattie, the domain authentication tunnel was the issue. Thank you again!

JGPSHNTAP

Uh. makes sense... 

TMADOCTHOMAS

Thank you both for your responses.

 

@mbeattie, I believe you have pointed out my issue. I knew it would be something I overlooked. I have not yet set up a domain tunnel because the CIFS server won't be cutover to the new system until tonight. So ... of course a domain account that I added isn't authenticating yet :\. Argh! Thank you for saving me hours more of head scratching. I'll update this thread after we cutover tonight to verify that resolved the issue (hopefully).

mbeattie

Hi Thomas,

 

It's definately possible to connect to ONTAP 9.3 using the PSTK. Did you create a domain tunnel on the new cluster to ensure you can authenticate using a domain account? Can you SSH to cluster as the domain account and does it work manually using:

 

Connect-NcController -Name $cluster -HTTPS -Credential (Get-Credential) -ErrorAction Stop

Assuming the cluster LIF IP address is resolvable in DNS? Also assuming that you've checked the cached credentials are valid? EG

 

PS C:\> Add-NcCredential -Controller cluster1.testlab.local -Credential (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential

Name                   Credential                                HostUser
----                   ----------                                --------
cluster1.testlab.local System.Management.Automation.PSCredential TESTLAB\mbeattie


PS C:\> $credentials = Get-NcCredential -Controller cluster1.testlab.local
PS C:\> $credentials

Name                   Credential                                HostUser
----                   ----------                                --------
cluster1.testlab.local System.Management.Automation.PSCredential TESTLAB\mbeattie


PS C:\> $credentials.Credential

UserName                     Password
--------                     --------
admin    System.Security.SecureString

PS C:\> $credentials.Credential.GetNetworkCredential().Password
N0tMyP@ssW0rd!:-}

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

JGPSHNTAP

We 100% use ps toolkit on 9.3,9.4,9.1,9.2 -  

 

 

 

 

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public