-
1. Re: Deploy a proxy agent and worker in a different domain
GrantOrchardVMware May 6, 2016 9:48 AM (in response to TheLittleOne)This will work. It uses certificates to validate communications, not username/password.
Grant
-
2. Re: Deploy a proxy agent and worker in a different domain
TheLittleOne May 9, 2016 1:44 AM (in response to GrantOrchardVMware)Hi GranOrchardVMware
if I try to connect the Model Manager Web Service Host, I get the error the remote server returned an error: (401) Unauthorized. Did I forget to import any certificates to the worker/agent server?
-
Error.jpg 61.6 K
-
-
3. Re: Deploy a proxy agent and worker in a different domain
TheLittleOne May 11, 2016 1:59 AM (in response to TheLittleOne)No idea?
-
4. Re: Deploy a proxy agent and worker in a different domain
GrantOrchardVMware May 11, 2016 4:32 PM (in response to TheLittleOne)Sorry, was at a work conference so haven't been online.
Is this a 6 or 7 deployment?
Grant
-
5. Re: Deploy a proxy agent and worker in a different domain
TheLittleOne May 16, 2016 11:13 AM (in response to GrantOrchardVMware)No problem,
it is a vra7 deployment.
-
6. Re: Deploy a proxy agent and worker in a different domain
TheLittleOne May 24, 2016 3:02 AM (in response to TheLittleOne)No idea?
-
7. Re: Deploy a proxy agent and worker in a different domain
firestartah May 24, 2016 3:12 AM (in response to TheLittleOne)For the certitifcates are they VMware self signed? Make sure you have added the certiifcates from the Model Manager to the proxy agent and vice versa to allow trust. adding the root certitifcate to both should allow this trust
-
8. Re: Deploy a proxy agent and worker in a different domain
TheLittleOne May 24, 2016 6:03 AM (in response to firestartah)Hi firestartah,
to my enviroment, I have a production enviroment and a test enviroment, both have there own CA (so no VMware self signed certificates are used). The problem is testing the manager service host works fine and testing the model manager host fails but this is the same server but a different alias.
Can you help me to understand this please.
-
9. Re: Deploy a proxy agent and worker in a different domain
firestartah May 24, 2016 7:43 AM (in response to TheLittleOne)Foir the certificates did you add the alias' to the Subject Alternative Name field? Adding the root certitifcate to each side should then allow the trust between production and test.
-
10. Re: Deploy a proxy agent and worker in a different domain
TheLittleOne May 24, 2016 7:55 AM (in response to firestartah)Yes I add the alias to the subject alternative name.
Adding the 'production' root certificate to my worker/agent on the test enviroment and adding the 'test' root certifictate to my two IaaS Server on the production enviroment right?
-
11. Re: Deploy a proxy agent and worker in a different domain
GrantOrchardVMware May 24, 2016 9:49 PM (in response to TheLittleOne)To be clear, the common name also needs to be in the subject alternate or you will see this behaviour.
Grant
-
12. Re: Deploy a proxy agent and worker in a different domain
TheLittleOne May 24, 2016 11:47 PM (in response to GrantOrchardVMware)Yes the common name is also in the subject alternate name.
-
certifikate.JPG 59.0 K
-
-
13. Re: Deploy a proxy agent and worker in a different domain
RebeccaW Feb 2, 2018 12:41 PM (in response to TheLittleOne)I'm having a similar issue. We have a vCenter in a different AD Domain and need to install a Proxy Agent to provision to that vCenter. We've installed that Proxy Agent server in the same domain as the vCenter and are trying to install the proxy agent. Getting the 401 when hitting Test for the Model Manager Web Service Host.
- Installed the 3rd Party obtained certificate for the Web onto the Proxy Agent server
- vRA is 7.3
- I do not believe these two AD domains have any trust between each other so the service account to run this Proxy Agent (as well as what we use to connect to the vCenter endpoint) is not the same one we use for our others.
Any Ideas? GrantOrchardVMware you mentioned it was just using certificates not the login.
-
14. Re:Deploy a proxy agent and worker in a different domain
ehlomarcus Feb 14, 2018 12:05 PM (in response to TheLittleOne)Hi
The assumption that the vSphere Proxy agent uses certificate for authorization is correct, but only in regards of the connection to Manager Service endpoint. Connection to the Repository on the Web endpoint still requires authentication by a user.
I solved both installation of the agent and connection to repository by using runas and some hidden command line for the VRMagent.exe
First I ran "runas /netonly /user:REMOTEDOMAIN\Useraccount cmd", then executed the setup exe and completed the installation.
Then I had to stop the windows service and then from a new command prompt run: "VRMagent.exe -Repo-SetCredetials -user SERVICEACCOUNT -password PASSWORD -domain REMOTEDOMAIN
Now it was possible to start the windows service again. Then you can enjoy running Inventory jobs etc on your Compute Resources and also deploy servers :)
//Marcus
-
vrmagent-commandline.jpg 261.3 K
-