Thursday, February 28, 2013

Setting up HP Virtual Connect Manager 3.70 for RADIUS authentication with Microsoft NPS

One of the issues I’ve been tackling over the past week was getting HP Virtual Connect Manager version 3.70 to authenticate against a Microsoft NPS (Network Policy Server) as a RADIUS client. I got as far as setting up the RADIUS client and the network policy so that I could log in to HP Virtual Connect Manager with Active Directory credentials, but couldn’t figure out how to grant Administrator privileges to the Active Directory group I was logging in with. The setup I had was as follows.

A RADIUS client was defined in NPS representing the HP Virtual Connect Manager, and a network policy was created for it. I used Windows Groups and Client Friendly Name as the conditions of the policy.

Unencrypted authentication (PAP, SPAP) was used as the authentication method. Keep in mind what this means on the wire: with PAP the User-Password attribute is only masked with an MD5 stream derived from the RADIUS shared secret and the Request Authenticator (RFC 2865 section 5.2), so anyone who holds the shared secret and a capture of the request can recover the password. Use a long random shared secret and keep the Virtual Connect to NPS traffic on the management network.

The following are the standard attributes:

  • Framed-Protocol – PPP
  • Service-Type – NAS Prompt

What I was missing was the Vendor-Specific attribute for Virtual Connect. Without a Vendor-Specific attribute that maps the Active Directory group to a Virtual Connect group, a user who authenticates successfully only gets read-only access, and all of the options in the interface are grayed out.

Searching the internet didn’t turn up much, so I opened a ticket with HP and was soon escalated to a senior engineer who pointed me to page 75 of the user guide:

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03478464/c03478464.pdf

that mentions the vendor-specific attribute named:

HP-VC-Groups

… with the description:

This is the group name value configured as the vendor-specific attribute HP-VC-Groups on the RADIUS server. The name can consist of 1 to 255 standard text-string characters (alphanumeric characters, hyphen (-), underscore (_), period (.)) except backslash (\) and single quote ('). You cannot change the name on edit.

I must have overlooked this while reading the guide earlier in the week. I took the HP-VC-Groups string and Googled it, which led me to the following page:

http://friendsnow.hatenablog.com/entry/2012/04/14/153532

… which appeared to be a Japanese forum, but what caught my eye was the following FreeRADIUS configuration (the Japanese note says to append the lines at the end of the file):

# cat /etc/raddb/users
(append at the end of the file)
DEFAULT Auth-Type = ntlm_auth
        Service-Type = NAS-Prompt-User,
        HP-VC-Groups = "vcadmingroup",

… and the dictionary that defines the attribute, vendor 11 (HP) and attribute number 192:

# cat /usr/share/freeradius/dictionary.vc
VENDOR          HP              11
BEGIN-VENDOR    HP
ATTRIBUTE       HP-VC-Groups    192     string
END-VENDOR      HP

With that information, I created a group in HP Virtual Connect Manager named HPVCMAdmins and checked off the following privilege levels:

  • Domain
  • Network
  • Server
  • Storage

I then went into the policy’s Vendor Specific section and added a custom vendor-specific attribute with the following settings (11 is HP’s vendor code and 192 the attribute number, matching the dictionary above; the attribute value must match the group name created in Virtual Connect Manager exactly):

  • Vendor: Custom
  • Attribute name: Vendor-Specific
  • Vendor: RADIUS Standard (leave the list selection and choose Enter Vendor Code instead)
  • Enter Vendor Code: 11
  • Yes. It conforms. (to the RADIUS RFC specification for vendor specific attributes)
  • Vendor-assigned attribute number: 192
  • Attribute format: String
  • Attribute value: HPVCMAdmins

I went back to HP Virtual Connect Manager, logged in with my Active Directory account and confirmed that I was now able to edit settings: the controls and fields were no longer grayed out.

One thing I noticed is that when logged in with a RADIUS-authenticated account, I am not able to edit any of the RADIUS settings; Virtual Connect Manager displays:

A RADIUS-authenticated user is not permitted to change the RADIUS configuration.

This is most likely by design: an account whose privileges come from the RADIUS server cannot change or disable the very configuration it depends on, so keep a local administrator account available for maintaining the RADIUS settings.
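As an added example (not code from the original post, from HP or from Microsoft), the following Python builds, byte for byte, the RADIUS attributes the NPS policy above configures and shows what the PAP setting does to the password on the wire. The shared secret, Request Authenticator and password are constructed test values; the numbers used (vendor 11, HP-VC-Groups 192, Service-Type 7 for NAS Prompt) come from the HP dictionary quoted above and from RFC 2865.

```python
"""Added example, not code from the original post, from HP or from Microsoft.

Builds, byte for byte, what the NPS policy above configures: the Vendor-Specific
attribute (RADIUS type 26) carrying HP-VC-Groups (vendor id 11 = HP, attribute
192, format String), and a PAP User-Password attribute, to show what
"Unencrypted authentication (PAP)" really protects: the password is only
XOR-masked with MD5(shared secret + Request Authenticator) per RFC 2865 s.5.2.
All secrets, authenticators and passwords below are constructed test values.
"""
import hashlib
import struct

HP_VENDOR_ID = 11            # HP's IANA enterprise number: the NPS "Vendor Code"
HP_VC_GROUPS = 192           # vendor-assigned attribute number from dictionary.vc
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT = 7  # "NAS Prompt" in the NPS standard attributes


def attribute(attr_type, value):
    """One RADIUS attribute in Type / Length / Value form (RFC 2865 s.5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hp_vc_groups_vsa(group):
    """HP-VC-Groups as an RFC-conformant VSA ("Yes. It conforms." in NPS):
    Vendor-Id (4 bytes), Vendor-Type (1), Vendor-Length (1), then the string."""
    payload = group.encode("ascii")
    inner = struct.pack("!IBB", HP_VENDOR_ID, HP_VC_GROUPS, 2 + len(payload)) + payload
    return attribute(ATTR_VENDOR_SPECIFIC, inner)


def parse_vsa(attr):
    """Decode a Vendor-Specific attribute into (vendor_id, vendor_type, value),
    rejecting the length inconsistencies a careless parser would walk past."""
    attr_type, length = struct.unpack("!BB", attr[:2])
    if attr_type != ATTR_VENDOR_SPECIFIC or length != len(attr) or length < 8:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", attr[2:8])
    if vendor_len != length - 6:
        raise ValueError("Vendor-Length does not match the attribute length")
    return vendor_id, vendor_type, attr[8:]


def access_accept_attributes(group):
    """Reply attributes the NPS policy returns: Service-Type NAS Prompt + HP-VC-Groups."""
    return (attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
            + hp_vc_groups_vsa(group))


def _pap_xor_chain(data, secret, authenticator, data_is_hidden):
    """RFC 2865 s.5.2: b1 = MD5(S + RA), b_i = MD5(S + c_(i-1)), c_i = p_i XOR b_i.
    The chain runs on ciphertext blocks, so when decoding we chain on the input."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ k for x, k in zip(block, key))
        out += xored
        prev = block if data_is_hidden else xored
    return bytes(out)


def pap_hide_password(password, secret, authenticator):
    """What the NAS (Virtual Connect) does to the password before sending it."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("PAP passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_xor_chain(padded, secret, authenticator, data_is_hidden=False)


def pap_reveal_password(hidden, secret, authenticator):
    """What NPS does, and what anyone holding the shared secret plus a capture can do."""
    return _pap_xor_chain(hidden, secret, authenticator, data_is_hidden=True).rstrip(b"\x00")


def demo():
    """Constructed values only; returns the pieces worth inspecting."""
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))     # a real NAS sends 16 random bytes here
    hidden = pap_hide_password(b"Passw0rd!", secret, authenticator)
    return {
        "hp_vc_groups_vsa_hex": hp_vc_groups_vsa("HPVCMAdmins").hex(),
        "parsed": parse_vsa(hp_vc_groups_vsa("HPVCMAdmins")),
        "user_password_attr_hex": attribute(ATTR_USER_PASSWORD, hidden).hex(),
        "recovered_with_secret": pap_reveal_password(hidden, secret, authenticator),
        "recovered_with_wrong_secret": pap_reveal_password(hidden, b"guess", authenticator),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the HP-VC-Groups attribute as hex (1a 13 00 00 00 0b c0 0d followed by the group name), which is exactly the byte layout the "Vendor-assigned attribute number: 192" and "Yes. It conforms." settings produce, and shows that recovering the PAP password needs nothing more than the shared secret and the captured request. That is why the shared secret, and the management network carrying the RADIUS traffic, deserve the same care as an administrator password.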

Manually deleting orphaned and/or stale virtual desktops in VMware View Manager pools

Administrators of VMware View 4.x and 5.x will know that View Manager from time to time fails to complete operations on virtual desktops in pools and eventually leaves orphaned or stale virtual desktops that cannot be deleted from the GUI. In my case, two stale desktops could not be removed; attempting to delete them returned:

Failed to delete VM – null

Although it is possible to delete the virtual desktop manually from vCenter, this is not enough to cleanly remove it from View Manager and its database.

Fortunately, VMware does provide the following KB to walk us through deleting the orphaned VDIs:

Manually deleting linked clones or stale virtual desktop entries from VMware View Manager 3.x and 4.0.x
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008658

As I have had to clean out quite a few virtual desktops this week, I found that while using the GUI for the SQL database modifications has its advantages (e.g. deleting multiple entries at once), it is not very practical if you have thousands of desktops in the database, because the GUI only returns the top 200 rows for editing. I’m not much of an expert with SQL but have done some work with it in the past (and in university), so I took this opportunity to shake off some of the dust and use simple queries to remove the entries from the database. As I documented the process from start to finish, I figured I’d write this post so I can refer to it in the future.

Step #1 – Clean View ADAM Database

Begin by logging onto a View Connection Server and use the following KB to connect to the ADAM database:

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2012377


Name: View ADAM Database

Select or type a Distinguished Name or Naming Context: dc=vdi,dc=vmware,dc=int

Select or type a domain or server: localhost


Right click on View ADAM Database –> New –> Query…:


Enter a name for the query (I just use the VDI’s name) and use the following query string:

(&(objectClass=pae-VM)(pae-displayname=VirtualMachineName))

… replacing VirtualMachineName with the name of the orphaned VDI. Click the Browse button and select Servers as the root of the search. Clicking OK adds the query to the ADSI Edit tree, and clicking on the query shows the result.

We’re interested in the CN value, so double click on the object to open its properties and double check that pae-DisplayName correctly reflects the VDI name. Copy the CN to Notepad so you can reference it.

Navigate to the Servers OU, locate the entry with the same CN and open it to double check that pae-DisplayName is the name of the VDI you want to delete. Then right click on the object and delete it.

Note that the desktops are gone when you refresh the pool in View Manager.

Step #2 – Delete entry in the dbo.SVI_VM_NAME table

Open SQL Server Management Studio, navigate to your View Composer database and locate the dbo.SVI_VM_NAME table. What we would usually do, as per the KB, is use Edit Top 200 Rows to delete the entries.

If your View environment has more than 200 VDIs, the row you need may not be among the 200 that the grid returns, so instead of using the GUI the following SQL statement can be executed (modify the virtual desktop name as required):

DELETE FROM dbo.SVI_VM_NAME
WHERE NAME = 'VIEW-122'

Step #3 – Delete entry in the dbo.SVI_COMPUTER_NAME table

The next step is to delete the entry in the dbo.SVI_COMPUTER_NAME table. Instead of using the GUI, you can use the following:

DELETE FROM dbo.SVI_COMPUTER_NAME
WHERE NAME = 'VIEW-122'

Step #4 (Optional) – Retrieve the ID from the dbo.SVI_SIM_CLONE table to delete entries in dbo.SVI_SC_PDISK_INFO

Since the record in dbo.SVI_SIM_CLONE has other tables referencing it, we need the ID of the record for the stale VDI to delete the rows that reference it in dbo.SVI_SC_PDISK_INFO (and in the tables in the following steps). One way to obtain the ID is the following query:

SELECT *
FROM dbo.SVI_SIM_CLONE
WHERE VM_NAME = 'VIEW-122'

You can then manually copy this ID and paste it into the delete statements, but this is prone to errors. The better way is to nest this query as a subquery, which removes the chance of a typo.

Step #5 – Delete entry in dbo.SVI_SC_PDISK_INFO

The PARENT_ID value in dbo.SVI_SC_PDISK_INFO is the ID value of the corresponding row in dbo.SVI_SIM_CLONE, so to delete the entry in dbo.SVI_SC_PDISK_INFO we can simply nest the query that retrieves the ID from dbo.SVI_SIM_CLONE (IN rather than = so the statement still works if the subquery returns more than one row):

DELETE FROM dbo.SVI_SC_PDISK_INFO
WHERE PARENT_ID IN
  (SELECT ID
   FROM dbo.SVI_SIM_CLONE
   WHERE VM_NAME = 'VIEW-122')

Step #6 – Delete entry in dbo.SVI_SC_BASE_DISK_KEYS

The dbo.SVI_SC_BASE_DISK_KEYS table works the same way as dbo.SVI_SC_PDISK_INFO: its PARENT_ID is the ID from dbo.SVI_SIM_CLONE, so use the following query to remove the orphaned record:

DELETE FROM dbo.SVI_SC_BASE_DISK_KEYS
WHERE PARENT_ID IN
  (SELECT ID
   FROM dbo.SVI_SIM_CLONE
   WHERE VM_NAME = 'VIEW-122')

Step #7 – Delete entries in dbo.SVI_TASK_STATE and dbo.SVI_REQUEST

The stale entries in dbo.SVI_TASK_STATE reference the ID in dbo.SVI_SIM_CLONE through their SIM_CLONE_ID column, and the matching dbo.SVI_REQUEST rows are only reachable through the REQUEST_ID column of those same task-state rows. If the task-state rows are deleted first, a nested lookup for the request IDs returns nothing and the dbo.SVI_REQUEST rows are silently left behind, so capture the request IDs into a temporary table before deleting anything:

SELECT REQUEST_ID INTO #request
FROM dbo.SVI_TASK_STATE
WHERE SIM_CLONE_ID IN
  (SELECT ID
   FROM dbo.SVI_SIM_CLONE
   WHERE VM_NAME = 'VIEW-122')

Now the task-state rows can go:

DELETE FROM dbo.SVI_TASK_STATE
WHERE SIM_CLONE_ID IN
  (SELECT ID
   FROM dbo.SVI_SIM_CLONE
   WHERE VM_NAME = 'VIEW-122')

… followed by the request rows that were captured:

DELETE FROM dbo.SVI_REQUEST
WHERE ID IN (SELECT REQUEST_ID FROM #request)

DROP TABLE #request

With the entries in the tables referencing dbo.SVI_SIM_CLONE deleted, we can proceed with removing the entry in dbo.SVI_SIM_CLONE itself:

DELETE FROM dbo.SVI_SIM_CLONE
WHERE VM_NAME = 'VIEW-122'

Step #8 – Delete Active Directory Account

Proceed with deleting the virtual desktop’s computer account in Active Directory.

Step #9 – Delete VM from vCenter

Complete the removal by deleting the VM from vCenter.

-------------------------------------------------------------------------Update--------------------------------------------------------------------------------

I received a few requests to combine all of the SQL statements, so I’ve taken the statements outlined above and put them together below. All you need to do is perform a search and replace of the replaceMe string with the virtual desktop’s name before running the batch against the View Composer database. The clone ID and its REQUEST_ID values are captured into temporary tables up front, because the dbo.SVI_REQUEST rows are only reachable through dbo.SVI_TASK_STATE and a nested lookup would return nothing once those rows are deleted, and the whole batch runs inside a transaction so it can be rolled back if the row counts are not what you expect:

-- Replace every occurrence of replaceMe with the virtual desktop's name, then
-- run the whole batch against the View Composer database.
BEGIN TRANSACTION;

-- Capture the clone ID and its request IDs first: the dbo.SVI_REQUEST rows are
-- only reachable through dbo.SVI_TASK_STATE, so the lookup has to happen before
-- the task-state rows are deleted.
SELECT ID INTO #clone
FROM dbo.SVI_SIM_CLONE
WHERE VM_NAME = 'replaceMe';

SELECT REQUEST_ID INTO #request
FROM dbo.SVI_TASK_STATE
WHERE SIM_CLONE_ID IN (SELECT ID FROM #clone);

DELETE FROM dbo.SVI_VM_NAME
WHERE NAME = 'replaceMe';

DELETE FROM dbo.SVI_COMPUTER_NAME
WHERE NAME = 'replaceMe';

DELETE FROM dbo.SVI_SC_PDISK_INFO
WHERE PARENT_ID IN (SELECT ID FROM #clone);

DELETE FROM dbo.SVI_SC_BASE_DISK_KEYS
WHERE PARENT_ID IN (SELECT ID FROM #clone);

DELETE FROM dbo.SVI_TASK_STATE
WHERE SIM_CLONE_ID IN (SELECT ID FROM #clone);

DELETE FROM dbo.SVI_REQUEST
WHERE ID IN (SELECT REQUEST_ID FROM #request);

DELETE FROM dbo.SVI_SIM_CLONE
WHERE ID IN (SELECT ID FROM #clone);

DROP TABLE #clone, #request;

-- Check the "rows affected" messages before committing; run ROLLBACK TRANSACTION
-- instead if anything other than the one desktop was touched.
COMMIT TRANSACTION;