WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple
You are here: Home / Automation / Quick Tip - Using ovftool to connect to vCloud Director behind a 2-Factor Authentication portal

Quick Tip - Using ovftool to connect to vCloud Director behind a 2-Factor Authentication portal

06.08.2015 by William Lam // 2 Comments

A couple of months back I ran into an issue while trying to upload a couple of files to VMware's internal OneCloud environment which uses vCloud Director. The issue that I encountered was that our OneCloud environment no longer supported basic username/password authentication, which I hoping to automate using ovftool. Instead, it is now front-ended with VMware Application Manager which requires 2-Factor Authentication (2FA) and once authenticated, a SAML token is then passed to vCloud Director which then automatically logs you in.

ovftool-vcloud-director-SAML-authentication-0
The problem with this is that ovftool can not be used to directly login to vCloud Director as it does not have support for 2FA, which makes automating operations against our OneCloud environment pretty difficult. After spending a few days looking for an alternative and not having any luck, my last hope was to reach out to the ovftool developers to see if they had seen this before.

After a few email exchanges, although ovftool does not support 2FA, you can however get this to work using session ticket authetnication which it does support using either the --I:sourceSessionTicket or --l:targetSessionTicket option. To get more details on these options, you can run the following ovftool command:

ovftool --help integration

In order to use this session ticket mechanism to authenticate into a 2FA environment, you must first login manually using a web browser. Once you have successfully logged in, you will need to either use browser developer tool or something like Firebug to record the authenticated vCloud Director cookie which will then be passed to ovftool.

In this example, I am using Chrome and you can find the Developer Tools by going to Options->More Tools->Developer Tools. Next, refresh the webpage so you are able to see the web requests between your browser and vCloud Director. Now navigate to Network->Cookies option and select any one of the requests to the left of the screen such as "amf".

ovftool-vcloud-director-SAML-authentication1
What you will be looking for is the value to the cookie named "vcloud_session_id" which is is the authenticated session that we will use to provide to ovftool. Once you have that value, you can then specify the connection to ovftool using the following:

ovftool --I:targetSessionTicket=[VCLOUD_SESSION_ID_VALUE] vcloud://...

I had known that ovftool supported session based tickets, however I did not realize it could be used to authenticate behind a 2FA solution like VMware Application Manager. For folks interested in using ovftool and session based tickets directly with vSphere, check out this awesome post by my good friend Jake Robinson who demonstrates this using PowerCLI, ovftool and the AcquireCloneTicket() vSphere API method.

More from my site

  • How to deploy vSphere 6.0 (VCSA & ESXi) on vCloud Director and vCloud Air?
  • Unattended Deployment of vCloud Director Virtual Appliance
  • Creating your own 3rd Party Content Library for vSphere 6.0 & vCloud Director 5.x
  • CoreOS is now available as OVA in Alpha channel
  • Configuring a "Whitelist" for VM advanced settings in vCloud Director

Categories // Automation, OVFTool Tags // ovftool, SAML, vcd, vcloud director, vSphere API

Comments

  1. *protectedMatt Short says

    02/15/2017 at 1:40 pm

    Is there anyway to inject the SessionTicket information when you use the integrated CIP ovftool? Same issue when trying to upload an image into a catalogue in vCloud Director when behind an F5 that uses the APM module for 2FA. Because it doesn't pass any information, the ovftool is redirected to the logon page (so the tool just fails).

    Reply
  2. *protectedPaco Gomez says

    08/31/2017 at 1:07 pm

    William, Matt, `vcd-cli` now supports login with session id, using the browser session and uploading/downloading templates.

    `vcd login host.oc.vmware.com us01-5-devops-vcd-d usr1 --use-browser-session`

    or

    `vcd login host.oc.vmware.com us01-5-devops-vcd-d usr1 --session-id f02a273d48094bd4a5e09d7694ae30a4`

    Reply

Thanks for the comment!Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025
  • vCenter Identity Federation with Authelia 04/16/2025
  • vCenter Server Identity Federation with Kanidm 04/10/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025

 

Loading Comments...