Connect-SrmServer fails when -RemoteCredential is used

vCenter version 6.0.0, build 3634794.

srm version: 6.1.0

I have a protected site, and a recovery site.  Running `connect-viserver -alllinked:$true -server protected.domain.com` works just fine, and I can see all the linked servers in $global:DefaultVIServers

PS > $global:DefaultVIServers

Name                           Port  User

----                           ----  ----

recovery.domain.com  443   DOMAIN\timkennedy

protected.domain.com 443   DOMAIN\timkennedy

When I go to connect to the SRM server(s), I can log into each one individually, but I can't authenticate a single session to both servers using the -RemoteCredential option or the -RemoteUser & -RemotePassword options.

First, building a credential known to work at both sides (AD SSO):

PS > $credential = Get-Credential -Message 'Enter Password:' -UserName 'DOMAIN\timkennedy'

Using -RemoteCredential or passing -RemoteUser with -RemotePassword:

PS > Connect-SrmServer -IgnoreCertificateErrors -Server protected.domain.com -RemoteCredential $credential -Credential $credential

Connect-SrmServer : 8/29/2017 12:51:33 PM       Connect-SrmServer               Cannot complete login due to an incorrect user name or password.

At line:1 char:1

+ Connect-SrmServer -IgnoreCertificateErrors -Server protected.domain. ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Connect-SrmServer], VimException

    + FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.Srm.Commands.Commands.ConnectSrmServer

And:

PS > Connect-SrmServer -IgnoreCertificateErrors -Server protected.domain.com -RemoteUser 'DOMAIN\timkennedy' -RemotePassword 'supersecretpassword' -User 'DOMAIN\timkennedy' -Password 'supersecretpassword'

Connect-SrmServer : 8/29/2017 12:51:33 PM       Connect-SrmServer               Cannot complete login due to an incorrect user name or password.

At line:1 char:1

+ Connect-SrmServer -IgnoreCertificateErrors -Server protected.domain. ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Connect-SrmServer], VimException

    + FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.Srm.Commands.Commands.ConnectSrmServer

And even calling the api directly after logging into a SRM server directly:

PS> $global:DefaultSrmServers[1].ExtensionData.SrmLoginSites('DOMAIN\timkennedy','supersecretpassword','DOMAIN\timkennedy','supersecretpassword')

Exception calling "SrmLoginSites" with "4" argument(s): "Cannot complete login due to an incorrect user name or

password."

At line:1 char:1

+ $global:DefaultSrmServers[1].ExtensionData.SrmLoginSites('DOMAIN\timk ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException

    + FullyQualifiedErrorId : VimException

The same behavior is seen, even if I change the target server to be recovery.domain.com.

Without specifying any -Remote options, I can log into both SRM servers successfully using either username and password, or credential, however this prevents being able to do things like configure protection on an array based protection group, because the single session isn't authenticated to both SRM servers.

PS > Connect-SrmServer -Credential $cred -Server protected.domain.com

ServiceUri    : https://192.168.1.101:9086/vcdr/extapi/sdk

SessionSecret : "10334eb7e60c9bb1cb23c4fdce6a8c1c525423af"

User          : DOMAIN\timkennedy

IsConnected   : True

Port          : 9086

Version       : 6.1.0

Build         : 3037005

ProductLine   : srm

InstanceUuid  : 459474ca-50ad-41de-8d3f-a21cdbb0027c

RefCount      : 1

ExtensionData : VMware.VimAutomation.Srm.Views.SrmServiceInstance

Uid           : /SrmServer=domain\timkennedy@192.168.1.101:9086/

Id            : /SrmServer=domain\timkennedy@192.168.1.101:9086/

Name          : 192.168.1.101

IsInUse       : True

PS > Connect-SrmServer -Server recovery.domain.com -Username 'DOMAIN\timkennedy' -Password 'supersecretpassword'

ServiceUri    : https://172.16.1.101:9086/vcdr/extapi/sdk

SessionSecret : "e58247793dcda1e31182388d1856dd2be40457e7"

User          : DOMAIN\timkennedy

IsConnected   : True

Port          : 9086

Version       : 6.1.0

Build         : 3037005

ProductLine   : srm

InstanceUuid  : cf5269b3-237b-4d6a-b6a7-f5632e015c90

RefCount      : 1

ExtensionData : VMware.VimAutomation.Srm.Views.SrmServiceInstance

Uid           : /SrmServer=domain\timkennedy@172.16.1.101:9086/

Id            : /SrmServer=domain\timkennedy@172.16.1.101:9086/

Name          : 172.16.1.101

IsInUse       : True

I this scenario, if I configure a new protection group, via the api at $global:DefaultSrmServers[1].ExtensionData.Protection something like:

$pgroup = $srmapi.Protection.ListProtectionGroups()[-1]

$pspec = New-Object VMware.VimAutomation.Srm.Views.SrmProtectionGroupVmProtectionSpec

$pspec.Vm = (Get-Vm test-vm).ExtensionData.MoRef
$ptask = $pgroup.ProtectVms($pspec)

Here is the error:

PS > $ptask.GetResult().Error

Fault                  LocalizedMessage

-----                  ----------------

VMware.Vim.MethodFault Not authenticated into SRM server 'Recovery'.

I should note, that logging in to the same vcenter server as the same user, and using the GUI to configure protection on the protection group does work.  So I'm not sure what I'm missing.