From 780d5959650ca72b447cfb64562b6e2f821e3673 Mon Sep 17 00:00:00 2001 From: Adam Rudell Date: Tue, 16 Sep 2025 17:07:49 -0500 Subject: [PATCH 1/3] update tests to check for hostid --- src/modules/SdnDiag.Health.psm1 | 35 +++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/src/modules/SdnDiag.Health.psm1 b/src/modules/SdnDiag.Health.psm1 index 263ff200..7b45ea28 100644 --- a/src/modules/SdnDiag.Health.psm1 +++ b/src/modules/SdnDiag.Health.psm1 @@ -504,6 +504,7 @@ function Debug-SdnFabricInfrastructure { $report.HealthTest += @( Test-SdnResourceProvisioningState @ncRestParamsResource Test-SdnResourceConfigurationState @ncRestParamsResource + Test-ServerHostId -ComputerName $mgmtFqdnIpAddress -Credential $Credential -InstanceId $server.InstanceId ) } } 
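Review bot: The new `Test-ServerHostId` call binds two mandatory `[string]` parameters at the call site, so an empty `$mgmtFqdnIpAddress` or `$server.InstanceId` raises a parameter-binding error before the function's own `try` block is entered. Because the call sits inside the `@( ... )` that is appended to `$report.HealthTest`, that error may also discard the provisioning and configuration state results for the same server. `$mgmtFqdnIpAddress` is assigned outside this hunk, so whether it can be empty is not visible here; if it can, guard the call with `if (-not [string]::IsNullOrEmpty($mgmtFqdnIpAddress)) { ... }` or move it out of the array expression. The enclosing loop in Debug-SdnFabricInfrastructure starts and ends outside the hunk.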
@@ -1057,26 +1058,40 @@ function Test-ServerHostId { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] - [string[]]$InstanceId - ) + [string]$ComputerName, - Confirm-IsServer + [Parameter(Mandatory = $false)] + [System.Management.Automation.PSCredential] + [System.Management.Automation.Credential()] + $Credential = [System.Management.Automation.PSCredential]::Empty, + + [Parameter(Mandatory = $true)] + [string]$InstanceId + ) $sdnHealthTest = New-SdnHealthTest $regkeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters' + $scriptBlock = { + param ($path) + $regHostId = Get-ItemProperty -Path $path -Name 'HostId' -ErrorAction Ignore + return $regHostId + } + try { - $regHostId = Get-ItemProperty -Path $regkeyPath -Name 'HostId' -ErrorAction Ignore - if ($null -ieq $regHostId) { + $remoteHostID = Invoke-SdnCommand -ComputerName $ComputerName -Credential $Credential -ScriptBlock $scriptBlock -ArgumentList $regkeyPath + if ($null -ieq $remoteHostID) { $sdnHealthTest.Result = 'FAIL' } else { - if ($regHostId.HostId -inotin $InstanceId) { + if ($remoteHostID.HostId -ine $InstanceId) { $sdnHealthTest.Result = 'FAIL' - $sdnHealthTest.Remediation += "Update the HostId registry under $regkeyPath to match the correct InstanceId from the NC Servers API." - $sdnHealthTest.Properties = [PSCustomObject]@{ - HostID = $regHostId - } + $sdnHealthTest.Remediation += "Update the HostId registry under $regkeyPath to match the InstanceId of the Server Resource" + } + + $sdnHealthTest.Properties = [PSCustomObject]@{ + CurrentHostID = $remoteHostID + ExpectedHostID = $InstanceId } } } From fc80f116bc8f2e4618820f1d1b18f7d8aac4ba25 Mon Sep 17 00:00:00 2001 From: Adam Rudell Date: Tue, 16 Sep 2025 17:14:07 -0500 Subject: [PATCH 2/3] ensure creds when in remote runspace --- src/SdnDiagnostics.psm1 | 11 +++++++++++ src/modules/SdnDiag.Health.psm1 | 14 ++++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-) 
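Review bot: The `$null -ieq $remoteHostID` branch sets `Result = 'FAIL'` with no `Remediation` and no `Properties`, so the report cannot distinguish a missing HostId value from a read that returned nothing. Since the remote script block uses `-ErrorAction Ignore`, a missing key, a missing value and an access failure all appear to collapse into that branch. Add a remediation there, for example `$sdnHealthTest.Remediation += "Unable to read HostId under $regkeyPath on $ComputerName. Confirm the value exists and is readable."`, and record `ExpectedHostID = $InstanceId` in that branch as well. The function's comment-based help and its `catch` block are outside the hunk; the help should be checked for the changed `InstanceId` type and the new `ComputerName` and `Credential` parameters.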
diff --git a/src/SdnDiagnostics.psm1 b/src/SdnDiagnostics.psm1 index ddca0f0d..758e3cec 100644 --- a/src/SdnDiagnostics.psm1 +++ b/src/SdnDiagnostics.psm1 @@ -752,6 +752,17 @@ function Start-SdnDataCollection { [bool]$ConvertETW = $true ) + # if we are running in a remote session, we need to do some extra validation + if ($PSSenderInfo) { + # if we are running in a remote session and CredSSP is not enabled, then we need to ensure that + # the user has supplied -Credential to avoid double-hop authentication issues + if (-not (Get-WSManCredSSPState)) { + if ($Credential -ieq [System.Management.Automation.PSCredential]::Empty -or $null -ieq $Credential) { + throw New-Object System.NotSupportedException("Start-SdnDataCollection cannot be run in a remote session without supplying -Credential.") + } + } + } + $ErrorActionPreference = 'Continue' $dataCollectionNodes = [System.Collections.ArrayList]::new() # need an arrayList so we can remove objects from this list diff --git a/src/modules/SdnDiag.Health.psm1 b/src/modules/SdnDiag.Health.psm1 index 7b45ea28..1e02ca4d 100644 --- a/src/modules/SdnDiag.Health.psm1 +++ b/src/modules/SdnDiag.Health.psm1 
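Review bot: The guard in Start-SdnDataCollection skips the `-Credential` requirement whenever `Get-WSManCredSSPState` returns a truthy value, and that helper is defined outside this diff. If it reports that CredSSP is enabled in the WSMan configuration rather than that the current session was authenticated with CredSSP, a remote session opened with Kerberos or Negotiate on such a host passes the guard and can still fail on the second hop. The same applies to the identical block added to Debug-SdnFabricInfrastructure in src/modules/SdnDiag.Health.psm1. A comment stating the helper's contract would settle it, e.g. `# Get-WSManCredSSPState: TODO confirm this reflects the current session's authentication, not only local CredSSP configuration`.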
@@ -369,12 +369,22 @@ function Debug-SdnFabricInfrastructure { [X509Certificate]$NcRestCertificate ) - $script:SdnDiagnostics_Health.Cache = $null - $aggregateHealthReport = @() + # if we are running in a remote session, we need to do some extra validation + if ($PSSenderInfo) { + # if we are running in a remote session and CredSSP is not enabled, then we need to ensure that + # the user has supplied -Credential to avoid double-hop authentication issues + if (-not (Get-WSManCredSSPState)) { + if ($Credential -ieq [System.Management.Automation.PSCredential]::Empty -or $null -ieq $Credential) { + throw New-Object System.NotSupportedException("Debug-SdnFabricInfrastructure cannot be run in a remote session without supplying -Credential.") + } + } + } if (Test-ComputerNameIsLocal -ComputerName $NetworkController) { Confirm-IsNetworkController } + $script:SdnDiagnostics_Health.Cache = $null + $aggregateHealthReport = @() if ($PSBoundParameters.ContainsKey('NcRestCertificate')) { $restCredParam = @{ NcRestCertificate = $NcRestCertificate } } From ed230777f57ee2eecf72cc8b5abcc78cffb6acb3 Mon Sep 17 00:00:00 2001 From: Adam Rudell Date: Wed, 17 Sep 2025 15:46:01 -0500 Subject: [PATCH 3/3] only include the hostid --- src/modules/SdnDiag.Health.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/SdnDiag.Health.psm1 b/src/modules/SdnDiag.Health.psm1 index 1e02ca4d..4e7665e8 100644 --- a/src/modules/SdnDiag.Health.psm1 +++ b/src/modules/SdnDiag.Health.psm1 @@ -1100,7 +1100,7 @@ function Test-ServerHostId { } $sdnHealthTest.Properties = [PSCustomObject]@{ - CurrentHostID = $remoteHostID + CurrentHostID = $remoteHostID.HostID ExpectedHostID = $InstanceId } }
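Review bot: The credential guard added at the top of Debug-SdnFabricInfrastructure is a copy of the one added to Start-SdnDataCollection in src/SdnDiagnostics.psm1, differing only in the function name inside the exception message. Two copies of an authentication precondition tend to drift, so a single helper that takes the calling command's name would keep them aligned; the helper name below is a suggestion, and each call site becomes `Confirm-RemoteSessionCredential -Credential $Credential -CommandName $MyInvocation.MyCommand.Name`. The rest of the function body lies outside the hunk.

```powershell
function Confirm-RemoteSessionCredential {
    param (
        [System.Management.Automation.PSCredential]$Credential,
        [string]$CommandName
    )

    # nothing to validate outside a remote session, or when CredSSP is reported as enabled
    if (-not $PSSenderInfo -or (Get-WSManCredSSPState)) {
        return
    }

    # without CredSSP the second hop needs explicit credentials
    if ($Credential -ieq [System.Management.Automation.PSCredential]::Empty -or $null -ieq $Credential) {
        throw New-Object System.NotSupportedException("$CommandName cannot be run in a remote session without supplying -Credential.")
    }
}
```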