After PowerShell Agent is installed and running, add it to Cisco UCS Director. Be sure to set up the virtual account (for example, an SCVMM account) to use the PowerShell Agent for inventory collection and other management functions.
Verify connectivity between Cisco UCS Director and the PowerShell Agent.
After the PowerShell Agent is added, you can check the connectivity between Cisco UCS Director and the PowerShell Agent.
Step 1 | Choose . |
Step 2 | On the Virtual Accounts page, click PowerShell Agents. |
Step 3 | From the More Actions drop-down list, choose Test Connection.
Cisco UCS Director displays a success message if it can communicate with the PowerShell Agent. If Cisco UCS Director cannot communicate with the PowerShell Agent, see Troubleshooting Connectivity with Cisco UCS Director. |
Execute the Cisco UCS Director PowerShell command.
The test connection to Cisco UCS Director can fail even though you successfully installed and configured the PowerShell Agent and there is no network connectivity issue between the PowerShell Agent and Cisco UCS Director.
Note | This problem can happen with Windows Server 2012 R2 or other versions that use advanced cipher suites for HTTPS communication. |
Check the PowerShell Agent log files on the PowerShell Agent server for an "SSPI failed, see inner exception" error. Sample error messages:
2014-08-20 14:44:16,832 [6] ERROR cuic.ClientConnection[null] - Exception: A call to SSPI failed, see inner exception.
2014-08-20 14:44:16,832 [6] DEBUG cuic.ClientConnection[null] - Inner exception: The message received was unexpected or badly formatted.
2014-08-20 14:44:16,832 [6] DEBUG cuic.ClientConnection[null] - Authentication failed - closing the connection.
The test connection fails because of a Microsoft update that added new TLS cipher suites and changed cipher suite priorities in Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2. See Microsoft KB article 2929281 for further information on this update.
To resolve the problem, modify the SSL cipher suite group policy setting. Follow the listed steps:
At a command prompt, enter gpedit.msc to open your group policy editor.
Expand SSL Configuration Settings.
Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
Follow the instructions labeled How to modify this setting.
It is necessary to restart the computer after modifying this setting for the changes to take effect.
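The following PowerShell sketch is an added example, not part of the Cisco documentation or product. It searches the agent log for the failure signatures shown in the sample messages and lists the cipher suite order currently set by the SSL Cipher Suite Order policy. The log path is a placeholder assumption; the registry location is where Windows stores that policy setting.

```powershell
# Added example (not Cisco code): triage the "SSPI failed" Test Connection error.
param(
    # Assumption: placeholder path; point it at your PowerShell Agent log file.
    [string]$AgentLog = 'C:\path\to\PowerShellAgent\logs\agent.log'
)

# Signatures taken from the sample log lines above.
$signatures = 'A call to SSPI failed',
              'The message received was unexpected or badly formatted',
              'Authentication failed - closing the connection'

if (Test-Path -LiteralPath $AgentLog) {
    $hits = @(Select-String -LiteralPath $AgentLog -SimpleMatch -Pattern $signatures)
    "{0} handshake-failure line(s) in {1}" -f $hits.Count, $AgentLog
    $hits | Select-Object -Last 3 | ForEach-Object { '  ' + $_.Line }
} else {
    Write-Warning "Log file not found: $AgentLog"
}

# Registry value written by the SSL Cipher Suite Order group policy setting.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue

if (-not $policy) {
    'SSL Cipher Suite Order policy is not configured; Windows uses its default order.'
    return
}

# The value is a comma-separated list (or a multi-string); normalise to an array.
$suites = @(@($policy.Functions) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
'Configured cipher suites, highest priority first:'
for ($n = 0; $n -lt $suites.Count; $n++) {
    '{0,3}. {1}' -f ($n + 1), $suites[$n]
}

# Reordering should not bring weak suites back; flag any that are present.
$weak = @($suites | Where-Object { $_ -match 'RC4|NULL|EXPORT|_DES_|MD5' })
if ($weak.Count) {
    Write-Warning ('Weak suites in the policy list: ' + ($weak -join ', '))
}
```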
After you have added the PowerShell Agent to Cisco UCS Director, you can set the authentication mechanism by creating a workflow with the Execute PowerShell Command task.
The Execute PowerShell Command Task establishes a remote PowerShell session from PowerShell Agent to the target server to execute commands on that server. A Default authentication mechanism is currently used to set up the session. With this release, support is also extended to the following types of authentication mechanisms:
Basic Authentication—Simple mechanism to transmit username and password to a web server or target machine in clear text.
Kerberos Authentication—Mutual authentication process that uses encrypted keys between a client and a server machine. This protocol is selected to authenticate a domain account such that both the user identity and server identity are guaranteed without sending any reusable credentials.
Negotiate Authentication—Both the client and the server compute a session key from the user password without ever exchanging the password itself. It is selected for local computer accounts and is best suited for intranet web authentication.
Negotiate Authentication with Implicit Credentials—Assigns an SSL certificate to a target server to guarantee both the user and the server identity. A Certificate Authority that the client trusts issues the SSL certificate.
CredSSP Authentication—Intended for environments where Kerberos delegation cannot be used. To use CredSSP authentication, delegate the PowerShell Agent as a CredSSP client for the target machine.
Note | Multi-hop support in Windows Remote Management (WinRM) uses CredSSP for authentication. Since PowerShell is built on top of WinRM, you can use CredSSP to perform multi-hop authentication. |
When you add a new workflow for the Execute PowerShell Command Task, one of the input fields is Authentication Mechanism. It lets you choose the type of authentication to set up for the remote session.
For detailed steps on how to execute the task and set your authentication between the PowerShell Agent and target server, see Executing PowerShell Commands.
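Before selecting a mechanism in the workflow, it helps to know what the WinRM client on the PowerShell Agent server currently permits. The audit below is an added example, not Cisco code. It reports the enabled client authentication schemes, warns when Basic could send credentials unencrypted, and lists the CredSSP delegation targets. It assumes an elevated session on the agent server with the WinRM service running.

```powershell
# Added example (not Cisco code): audit WinRM client authentication on the agent host.
# Run in an elevated session; the WSMan: drive needs the WinRM service running.
$client = 'WSMan:\localhost\Client'

$report = foreach ($scheme in 'Basic', 'Digest', 'Kerberos', 'Negotiate', 'Certificate', 'CredSSP') {
    $item = Get-Item -Path "$client\Auth\$scheme" -ErrorAction SilentlyContinue
    [pscustomobject]@{ Scheme = $scheme; Enabled = ($item -and $item.Value -eq 'true') }
}
$report | Format-Table -AutoSize

$enabled   = @($report | Where-Object { $_.Enabled } | ForEach-Object { $_.Scheme })
$plainHttp = (Get-Item "$client\AllowUnencrypted").Value -eq 'true'
$trusted   = (Get-Item "$client\TrustedHosts").Value

if ($enabled -contains 'Basic') {
    if ($plainHttp) {
        Write-Warning 'Basic is enabled and AllowUnencrypted is true: credentials can cross the network in clear text.'
    } else {
        'Basic is enabled; unencrypted traffic is refused, so it is usable only over HTTPS.'
    }
}
if ($trusted -eq '*') {
    Write-Warning 'TrustedHosts is "*": the client will connect to hosts whose identity is not authenticated.'
}

if ($enabled -contains 'CredSSP') {
    # Enable-WSManCredSSP -Role Client records its delegation targets under this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $regKey = Get-Item -Path $key -ErrorAction SilentlyContinue
    $targets = @(if ($regKey) { $regKey.GetValueNames() | ForEach-Object { $regKey.GetValue($_) } })
    'CredSSP delegation targets: ' + ($(if ($targets) { $targets -join ', ' } else { '(none)' }))
    if ($targets -match '^wsman/\*$') {
        Write-Warning 'Credentials may be delegated to any host; restrict to the specific target server.'
    }
}
```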