WilliamLam.com


Quick Tip - Using ovftool to connect to vCloud Director behind a 2-Factor Authentication portal

06.08.2015 by William Lam

A couple of months back I ran into an issue while trying to upload a couple of files to VMware's internal OneCloud environment, which uses vCloud Director. The issue that I encountered was that our OneCloud environment no longer supported basic username/password authentication, which I was hoping to automate using ovftool. Instead, it is now front-ended with VMware Application Manager, which requires 2-Factor Authentication (2FA). Once you are authenticated, a SAML token is passed to vCloud Director, which then automatically logs you in.

The problem with this is that ovftool cannot be used to log in to vCloud Director directly, as it does not have support for 2FA, which makes automating operations against our OneCloud environment pretty difficult. After spending a few days looking for an alternative and not having any luck, my last hope was to reach out to the ovftool developers to see if they had seen this before.

After a few email exchanges, it turned out that although ovftool does not support 2FA, you can get this to work using session ticket authentication, which it does support through either the --I:sourceSessionTicket or --I:targetSessionTicket option. To get more details on these options, you can run the following ovftool command:

ovftool --help integration

In order to use this session ticket mechanism to authenticate into a 2FA environment, you must first log in manually using a web browser. Once you have successfully logged in, you will need to use either the browser's developer tools or something like Firebug to record the authenticated vCloud Director cookie, which will then be passed to ovftool.

In this example, I am using Chrome, and you can find the Developer Tools by going to Options->More Tools->Developer Tools. Next, refresh the webpage so you are able to see the web requests between your browser and vCloud Director. Now navigate to the Network->Cookies option and select any one of the requests on the left of the screen, such as "amf".

What you will be looking for is the value of the cookie named "vcloud_session_id", which is the authenticated session that we will provide to ovftool. Once you have that value, you can then specify the connection to ovftool using the following:

ovftool --I:targetSessionTicket=[VCLOUD_SESSION_ID_VALUE] vcloud://...
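The steps above as a small wrapper script; this is an added example, not code from the original post. It accepts either the bare cookie value or a whole Cookie header pasted from Developer Tools, reads it with terminal echo off so it stays out of shell history, and builds the `--I:targetSessionTicket` option. The function names and the allowed character set for the cookie value are assumptions.

```sh
#!/bin/sh
# Added example: build ovftool's session-ticket option from a pasted cookie.
# Assumption: the cookie value contains only base64/URL-safe characters.

# Print the vcloud_session_id value in $1, which may be the bare value or a
# whole "name=value; name=value" Cookie header copied from Developer Tools.
extract_session_id() {
    raw=$1
    case $raw in
        *vcloud_session_id=*)
            raw=${raw#*vcloud_session_id=}   # drop text up to the cookie name
            raw=${raw%%;*}                   # drop any cookies that follow
            ;;
    esac
    case $raw in
        ''|*[!A-Za-z0-9+/=_.-]*) return 1 ;; # empty, or holds spaces/quotes/etc.
    esac
    printf '%s\n' "$raw"
}

# Print "--I:<side>SessionTicket=<id>" for side "source" or "target".
ticket_option() {
    case $1 in
        source|target) ;;
        *) return 2 ;;
    esac
    id=$(extract_session_id "$2") || return 1
    printf '%s%sSessionTicket=%s\n' '--I:' "$1" "$id"
}

# Usage: script <source> <vcloud://... target>
main() {
    printf 'vcloud_session_id (value or Cookie header): ' >&2
    stty -echo 2>/dev/null          # keep the cookie off the screen
    IFS= read -r pasted
    stty echo 2>/dev/null
    printf '\n' >&2
    opt=$(ticket_option target "$pasted") || {
        echo 'no usable vcloud_session_id in input' >&2
        return 1
    }
    unset pasted
    ovftool "$opt" "$1" "$2"
}

# Run only when given a source and a target, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The ticket still ends up on ovftool's command line, so it is visible in the local process list while the transfer runs; treat the value like a password for as long as the browser session is valid.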

I had known that ovftool supported session based tickets, however I did not realize it could be used to authenticate behind a 2FA solution like VMware Application Manager. For folks interested in using ovftool and session based tickets directly with vSphere, check out this awesome post by my good friend Jake Robinson who demonstrates this using PowerCLI, ovftool and the AcquireCloneTicket() vSphere API method.


Comments

  1. Matt Short says

    02/15/2017 at 1:40 pm

    Is there any way to inject the SessionTicket information when you use the integrated CIP ovftool? Same issue when trying to upload an image into a catalogue in vCloud Director when behind an F5 that uses the APM module for 2FA. Because it doesn't pass any information, the ovftool is redirected to the logon page (so the tool just fails).

  2. Paco Gomez says

    08/31/2017 at 1:07 pm

    William, Matt, `vcd-cli` now supports login with session id, using the browser session and uploading/downloading templates.

    `vcd login host.oc.vmware.com us01-5-devops-vcd-d usr1 --use-browser-session`

    or

    `vcd login host.oc.vmware.com us01-5-devops-vcd-d usr1 --session-id f02a273d48094bd4a5e09d7694ae30a4`


Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC) across Private, Hybrid and Public Cloud
