ONTAP Discussions
ONTAP Discussions
I am at a division site for one week setting up a new 2620. This is our first time to use OnTAP 9.3 and I think that might be our issue. I have to be able to script throttling of SnapMirror jobs from our remote offices or the jobs slam the local network, however I've hit a major roadblock and can't get past it. What's worse, I was just told NetApp Support doesn't support the PowerShell Toolkit.
Here is the issue. I've set credentials for the new cluster using Add-NcCredential. This works without error. I show the list of the current cache and it shows all of our filers and clusters, including the new one. I've added the domain account used for credentials as an account on the filer and assigned it ontapi, http, and ssh, all as admin. I've also enabled http in system web services. Despite all of this, when I enter Connect-NcController -Name <cluster>, I get the error "Incorrect credentials". I have logged in to the server with the service account I am using and I get the same thing. We are on PowerShell Toolkit 4.5 P1, and we do have Putty 0.70 64-bit installed on the D drive.
I have tried everything I can think of including comparing settings between other systems where this is working fine. The only difference is OS - the others are 9.1 or 9.2 Anyone have any ideas?
Solved! See The Solution
Hi Thomas,
It's definately possible to connect to ONTAP 9.3 using the PSTK. Did you create a domain tunnel on the new cluster to ensure you can authenticate using a domain account? Can you SSH to cluster as the domain account and does it work manually using:
Connect-NcController -Name $cluster -HTTPS -Credential (Get-Credential) -ErrorAction Stop
Assuming the cluster LIF IP address is resolvable in DNS? Also assuming that you've checked the cached credentials are valid? EG
PS C:\> Add-NcCredential -Controller cluster1.testlab.local -Credential (Get-Credential) cmdlet Get-Credential at command pipeline position 1 Supply values for the following parameters: Credential Name Credential HostUser ---- ---------- -------- cluster1.testlab.local System.Management.Automation.PSCredential TESTLAB\mbeattie PS C:\> $credentials = Get-NcCredential -Controller cluster1.testlab.local PS C:\> $credentials Name Credential HostUser ---- ---------- -------- cluster1.testlab.local System.Management.Automation.PSCredential TESTLAB\mbeattie PS C:\> $credentials.Credential UserName Password -------- -------- admin System.Security.SecureString PS C:\> $credentials.Credential.GetNetworkCredential().Password N0tMyP@ssW0rd!:-}
/Matt
Hi Thomas,
It's definately possible to connect to ONTAP 9.3 using the PSTK. Did you create a domain tunnel on the new cluster to ensure you can authenticate using a domain account? Can you SSH to cluster as the domain account and does it work manually using:
Connect-NcController -Name $cluster -HTTPS -Credential (Get-Credential) -ErrorAction Stop
Assuming the cluster LIF IP address is resolvable in DNS? Also assuming that you've checked the cached credentials are valid? EG
PS C:\> Add-NcCredential -Controller cluster1.testlab.local -Credential (Get-Credential) cmdlet Get-Credential at command pipeline position 1 Supply values for the following parameters: Credential Name Credential HostUser ---- ---------- -------- cluster1.testlab.local System.Management.Automation.PSCredential TESTLAB\mbeattie PS C:\> $credentials = Get-NcCredential -Controller cluster1.testlab.local PS C:\> $credentials Name Credential HostUser ---- ---------- -------- cluster1.testlab.local System.Management.Automation.PSCredential TESTLAB\mbeattie PS C:\> $credentials.Credential UserName Password -------- -------- admin System.Security.SecureString PS C:\> $credentials.Credential.GetNetworkCredential().Password N0tMyP@ssW0rd!:-}
/Matt
We 100% use ps toolkit on 9.3,9.4,9.1,9.2 -
Thank you both for your responses.
@mbeattie, I believe you have pointed out my issue. I knew it would be something I overlooked. I have not yet set up a domain tunnel because the CIFS server won't be cutover to the new system until tonight. So ... of course a domain account that I added isn't authenticating yet :\. Argh! Thank you for saving me hours more of head scratching. I'll update this thread after we cutover tonight to verify that resolved the issue (hopefully).
@mbeattie, the domain authentication tunnel was the issue. Thank you again!
Uh. makes sense...