PowerCLI, vCenter, VMware

Copy-VMGuestFile returns 403 Forbidden error

Got this error just today and couldn’t figure out why. I was trying to copy from my management server to a test VM with no network connectivity, and was receiving the following error:

Copy-VMGuestFile : 5/01/2017 11:47:40 AM Copy-VMGuestFile The remote server returned an error: (403) Forbidden. 
At line:1 char:1
+ Copy-VMGuestFile -Source "REDACTED" -Destination " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : NotSpecified: (:) [Copy-VMGuestFile], ViError
 + FullyQualifiedErrorId : Client20_VmGuestServiceImpl_UploadFileToGuest_UploadError,VMware.VimAutomation.ViCore.Cmdlets.Commands.CopyVMGuestFile

My privileges and network connectivity to vCenter and the ESXi hosts was looking good. Until I tripled checked my network port access to the ESXi host.

I was missing port 903 from the management server to the ESXi host the VM was sitting on. Opening that up allowed me to execute the command.

Check your ports people.

vCenter, VMware

Update Export Failed – Converting Windows SSO to PSC Appliance

This isn’t a be all and end all post on converting your Windows-based SSO server to the Platform Services Controller appliance, although I found an issue when performing the migration.

We kept receiving an “Update export failed” message when the appliance was deployed by the conversion wizard. We couldn’t understand why, and the appliance updaterunner.log file gave us no clues as to what it could be.

Turns out, you must run the vcsa_setup.html wizard with the same domain user/admin account that you started the Migration-Assistance.exe process with.

vCloud Director, VMware

vCloud Director and SAML Federation

I had a few issues getting vCloud Director and SAML federation playing nicely. By issues, I mean there wasn’t an explicit how-to in VMware’s pubs. The big issues were group-based authentication and authenticating against a user’s email address instead of their UPN.

Using the following article from pablovirtualization I was able to get vCloud Director federated to an ADFS SAML endpoint.

https://pablovirtualization.wordpress.com/2015/01/13/vcloud-director-and-microsoft-ad-fs-active-director-federation-service-authentication/

This allowed users to login using their UPN. That’s all well and good until you need user’s to log into their account using their email address which may differ from their UPN.

Login via email address

First, if you haven’t already due to some other requirement, allow your ADFS deployment to use the ‘mail’ attribute as an alternate login ID:

Set-ADFSClaimsProviderTrust -TargetIdentifier “AD AUTHORITY” -alternateloginID mail -lookupforest {your forest fqdn here} e.g contoso.corp

Now, brief difference between Pablo’s steps and this. When configuring the NameID transformation rule you’ll need to specify “Email” instead of “Unspecified”

adfs_transform

Group-based authentication

While you’re still adding transform rules, make sure you add this one too:

adfs_transform

Now all you have to do is enter the group name when importing groups in vCloud Director. Any users that are a member of that group will be able to login and receive the role specified when importing the group.