Auth issue in script using Azure Powershell

Hi,

I've got a powershell script that I'm currently invoking using the
script module - assuming I can get this working I'll probably turn it
into a module, but I need to get over some issues first.

The purpose of the script is to configure Azure Online Backup on an on
premise Windows Server. The script is working fine when run from an
interactive powershell prompt.

The script is getting passed some credentials, a resource group and a
backup vault name.

It invokes Add-AzureRmAccount (which succeeds) and then
Get-AzureRMBackupVault which also succeeds (and returns the backup vault
info). So clearly auth to Azure is working correctly.

The next step is running Get-AzureRMBackupVaultCredentials which
downloads a credential file to the local filesystem to be passed to
Start-OBRegistration. That step works fine when the script is run
interactively, but when the script is run by Ansible it fails with "The
specified network password is not correct".

I'm guessing that for some reason Get-AzureRMBackupVaultCredentials
authenticates to Azure in a different way than the other Azure
Powershell scripts and that is in some way incompatible with (or
disallowed from) Powershell Remote Sessions.

A slight punt of doing 'Enable-WSManCredSSP -Role "Client"
-DelegateComputer "*"' but that didn't help..

Has anyone had any similar experiences with using the Azure Powershell
cmdlets in a script run by Ansible?

I realise this is probably verging on more of a powershell vs Ansible
question..

There may be a way to do the equivalent of
Get-AzureRMBackupVaultCredentials via the Azure API - I'll have a look
at that if I can't resolve this issue.

Script is below if anyone wants to try it, it assumes an existing
Resource Group, Vault and the Azure Recovery Services client installed.

thanks,

Barney.

Hard to say without taking apart the Azure cmdlets, but I’d suspect they’re internally trying to use a Windows credential cache, which has always been a no-go for me under a WinRM session (though IIRC it fails loudly when you try).

Some of the stuff that will likely land in Ansible 2.3 may help (become support, various other tricks for escaping WinRM’s restrictions), but not sure what to tell you meantime. Maybe ask the Azure folks why their cmdlets don’t work under WinRM…

Matt,

Thanks for the response. I've actually done some more work on this and
got a workaround.

> Hard to say without taking apart the Azure cmdlets, but I'd suspect they're internally trying to use a Windows credential cache, which has always been a no-go for me under a WinRM session (though IIRC it fails loudly when you try).

Looking at the source for Get-AzureRMBackupVaultCredential
(https://github.com/Azure/azure-powershell/blob/dev/src/ResourceManager/AzureBackup/Commands.AzureBackup/Cmdlets/VaultCredentials/GetAzureRMBackupVaultCredentials.cs)
I came to the conclusion that it was probably an issue with hitting one
of the X509 api calls.

> Some of the stuff that will likely land in Ansible 2.3 may help (become support, various other tricks for escaping WinRM's restrictions), but not sure what to tell you meantime.

I ended up modifying the script to run the cmdlets in a scheduled job
(roughly based on the code in this issue
https://github.com/ansible/ansible-modules-extras/issues/287). Is
support for "various other tricks" likely to include help for running
awkward tasks as scheduled?

> Maybe ask the Azure folks why their cmdlets don't work under WinRM...

Yeah, I'll try opening an issue.

Thanks again for your help.

Regards,

Barney.
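
The scheduled-task workaround mentioned in the last message, as an added example that is not the poster's script or the code from the linked issue: the step that fails under WinRM runs in a logon session created by Task Scheduler, and the task (which holds the run-as password) is removed afterwards. The function name, task name and script path are hypothetical, and the ScheduledTasks module (Windows Server 2012 or later) is assumed.

```powershell
# Added example: run a script as a one-off scheduled task instead of inside the WinRM session.
function Invoke-ScriptAsScheduledTask {
    param(
        [Parameter(Mandatory)] [string]       $ScriptPath,  # script holding the Azure Backup steps
        [Parameter(Mandatory)] [pscredential] $RunAs,       # account the task logs on as
        [string] $TaskName       = 'AnsibleAzureBackupRegistration',  # hypothetical name
        [int]    $TimeoutSeconds = 600
    )

    # Task Scheduler status codes that mean "no final result yet":
    # 0x41301 running, 0x41303 has not run yet, 0x41325 queued.
    $pending = 0x41301, 0x41303, 0x41325

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

    # Register-ScheduledTask takes the password as plain text and Task Scheduler
    # stores it, so the task is always unregistered in the finally block below.
    $password = $RunAs.GetNetworkCredential().Password
    Register-ScheduledTask -TaskName $TaskName -Action $action `
        -User $RunAs.UserName -Password $password -RunLevel Highest -Force | Out-Null

    try {
        Start-ScheduledTask -TaskName $TaskName
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 2
            if ((Get-Date) -gt $deadline) {
                Stop-ScheduledTask -TaskName $TaskName
                throw "Task '$TaskName' did not finish within $TimeoutSeconds seconds."
            }
            $info = Get-ScheduledTaskInfo -TaskName $TaskName
        } while ($pending -contains $info.LastTaskResult)

        # Exit code of powershell.exe: 0 on success, non-zero if the script failed.
        return $info.LastTaskResult
    }
    finally {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
}

# Usage (path is a placeholder):
# $rc = Invoke-ScriptAsScheduledTask -ScriptPath 'C:\temp\configure-backup.ps1' -RunAs $cred
# if ($rc -ne 0) { throw "Backup registration script exited with code $rc" }
```

The vault credentials file that Get-AzureRMBackupVaultCredentials writes to disk is itself a secret, so the wrapped script should delete it once Start-OBRegistration has completed.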