vCenter, VMware

vSphere 6 certificate templates with SHA256 encryption

This post has been moved to

I was just in the middle of configuring a PSC 6.0 node’s VMCA as an intermediate CA and, in traditional fashion, went to request a certificate from a 2008 R2 Microsoft CA using the web enrollment form (as per this VMware KB article).

Oddly enough though my brand spanking new vSphere 6.0 machine and intermediate CA certificate templates were missing from the template selection drop down.

I had a look around online and found that MS CA v3 certificate templates are not supported in the web enrollment form. Why is this relevant? Well, this VMware KB states that if you use SHA256 encryption in your environment you must select Windows Server 2008 Enterprise as your certificate template version. That instantly sets your certificate templates to v3.

Damn. How was I going to submit my CSR to this Microsoft CA and get back my certificates?! The Certificate Management snap-in doesn’t allow CSR files to be submitted. It’s just not an option.

Luckily we have the trusty certreq tool. I was easily able to submit my CSR file to the Microsoft CA and get a certificate back in a simple command:

Certreq -submit -attrib "certificateTemplate:vSphere6.0VMCA" vmca_issued_csr.csr

Make sure you specify the correct certificate template. In my example above, I was after the VMCA intermediate CA template. The file specified was in my cmd working directory and is the same file the PSC’s spit out when you’re using the certificate manager tool.

PowerCLI, vCenter, VMware

Copy-VMGuestFile returns 403 Forbidden error

Got this error just today and couldn’t figure out why. I was trying to copy from my management server to a test VM with no network connectivity, and was receiving the following error:

Copy-VMGuestFile : 5/01/2017 11:47:40 AM Copy-VMGuestFile The remote server returned an error: (403) Forbidden. 
At line:1 char:1
+ Copy-VMGuestFile -Source "REDACTED" -Destination " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : NotSpecified: (:) [Copy-VMGuestFile], ViError
 + FullyQualifiedErrorId : Client20_VmGuestServiceImpl_UploadFileToGuest_UploadError,VMware.VimAutomation.ViCore.Cmdlets.Commands.CopyVMGuestFile

My privileges and network connectivity to vCenter and the ESXi hosts was looking good. Until I tripled checked my network port access to the ESXi host.

I was missing port 903 from the management server to the ESXi host the VM was sitting on. Opening that up allowed me to execute the command.

Check your ports people.

vCenter, VMware

Update Export Failed – Converting Windows SSO to PSC Appliance

This post has been moved to

This isn’t a be all and end all post on converting your Windows-based SSO server to the Platform Services Controller appliance, although I found an issue when performing the migration.

We kept receiving an “Update export failed” message when the appliance was deployed by the conversion wizard. We couldn’t understand why, and the appliance updaterunner.log file gave us no clues as to what it could be.

Turns out, you must run the vcsa_setup.html wizard with the same domain user/admin account that you started the Migration-Assistance.exe process with.

vCloud Director, VMware

vCloud Director and SAML Federation

This post has been moved to

I had a few issues getting vCloud Director and SAML federation playing nicely. By issues, I mean there wasn’t an explicit how-to in VMware’s pubs. The big issues were group-based authentication and authenticating against a user’s email address instead of their UPN.

Using the following article from pablovirtualization I was able to get vCloud Director federated to an ADFS SAML endpoint.

This allowed users to login using their UPN. That’s all well and good until you need user’s to log into their account using their email address which may differ from their UPN.

Login via email address

First, if you haven’t already due to some other requirement, allow your ADFS deployment to use the ‘mail’ attribute as an alternate login ID:

Set-ADFSClaimsProviderTrust -TargetIdentifier “AD AUTHORITY” -alternateloginID mail -lookupforest {your forest fqdn here} e.g contoso.corp

Now, brief difference between Pablo’s steps and this. When configuring the NameID transformation rule you’ll need to specify “Email” instead of “Unspecified”


Group-based authentication

While you’re still adding transform rules, make sure you add this one too:


Now all you have to do is enter the group name when importing groups in vCloud Director. Any users that are a member of that group will be able to login and receive the role specified when importing the group.