3 Replies Latest reply on Sep 23, 2017 10:05 PM by Mattallford

    AD Authentication Issue with vCenter

    ITaaP Enthusiast

      I have a vCenter Server Appliance with an external Platform Services Controller. Both on the latest build for version 6.0. AD authentication recently stopped working with the error message "Cannot complete login due to an incorrect user name or password." Occasionally I am able to login with AD credentials, but for the most part it keeps failing with the same error message.


      I've confirmed all the typical settings are correct. DNS, time, networking access to domain controllers, etc. All the services are running on the PSC. I removed the PSC from our AD domain, rebooted, then rejoined to our AD domain and rebooted. Reconfigured the Identity Sources and confirmed AD security group/permissions are correct. Still receiving the same logon failed error.

        • 1. Re: AD Authentication Issue with vCenter
          Mattallford Hot Shot
          vExpert

          Hi,

          How is your identity source configured?

          After an attempted login, is there additional information in /var/log/vmware/sso on the PSC?

          Cheers, Matt.

          • 2. Re: AD Authentication Issue with vCenter
            ITaaP Enthusiast

            The logs tell me I didn't look close enough at one of my domain controllers. There was an AD replication issue on the DC in that site. I resolved the replication issue, and now it seems to be working. But it makes me curious about a single point of failure. There are three sites using Linked-Mode. A couple of things I came across while troubleshooting.

            psc01:/var/log/vmware/sso # less /var/lib/likewise/krb5-affinity.conf
            [realms]
                NA.DOMAIN.COM = {
                    kdc = 10.14.10.24
                }

            krb5-affinity.conf only points to one domain controller. Can that file be manually modified to point to multiple domain controllers? I also read this.

            What happens when the PSC 6.0 server is down? How does this affect Enhanced Linked Mode (ELM)?

            If the PSC 6.0 server is down, you cannot log in to vCenter Server or any second-party VMware products that depend on it. Existing connections and user sessions to the vCenter Server remain active, and the vCenter Server services remain up and running. However, once the session ends, if the PSC is still down, the user cannot log in again. Additionally, if the PSC is down and the vCenter Server's services are restarted, vCenter Server is unable to fully start until the PSC's services are restored or the vCenter Server is repointed to an operational PSC in the same vSphere Domain.

            Regarding an environment in which multiple PSCs are in the same vSphere Domain and Enhanced Linked Mode is being used, if a PSC to which a vCenter Server is connected fails, access to this vCenter Server through a different vCenter Server's vSphere Web Client is not possible. This is due to a user's SAML token from the vSphere Web Client being unable to be passed to the failed PSC, and thus to vCenter Server. Unless the PSC is brought back online or vCenter Server is repointed to a different PSC in the same domain, users cannot access it.

            I realize that Linked-Mode does not give you additional protection by having multiple PSCs in different sites, but it would be nice if VMware could accomplish it. Now I have to consider running two PSCs in each site for HA.

            I also find this interesting.

            Can I use snapshots against my PSC 6.0? How about image-based backups?

            You can snapshot a single Platform Services Controller so long as it does not exist in a multi-site or highly available configuration within a vSphere domain. This is due to the use of Update Sequence Number (USN) for replication, and when restoring a PSC via snapshot or image-based backup, the sibling nodes are out of sync.

            Not that I am surprised about causing sync issues as I wouldn't restore a domain controller either when others are available. But last time I was troubleshooting a PSC issue with VMware Support, they kept having me take snapshots of the PSC in my "multi-site" setup. Sure glad we didn't revert any snapshots.
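A check worth keeping on hand after a thread like this, added here as an example that is not part of the original post or of VMware's tooling: it parses the [realms] stanza of a krb5-affinity.conf, lists the KDCs pinned for a realm, and flags a realm that depends on a single domain controller. It assumes POSIX sh with awk, and nc for the optional TCP/88 reachability probe; the sample file is constructed to mirror the stanza quoted above.

```shell
#!/bin/sh
# Constructed sample mirroring the stanza quoted in the thread (not a live file).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[realms]
    NA.DOMAIN.COM = {
        kdc = 10.14.10.24
    }
EOF

# list_kdcs FILE REALM: print each kdc listed for REALM under [realms], one per line.
list_kdcs() {
  awk -v realm="$2" '
    /^[ \t]*\[/ { section = $1; inrealm = 0 }
    section == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1; next }
    inrealm && $1 == "}" { inrealm = 0 }
    inrealm && $1 == "kdc" && $2 == "=" { print $3 }
  ' "$1"
}

# kdc_count FILE REALM: number of kdc entries for REALM (0 if the realm is absent).
kdc_count() {
  list_kdcs "$1" "$2" | wc -l | tr -d '[:space:]'
}

# kdc_redundancy FILE REALM: "ok" when more than one KDC is pinned,
# "single-kdc" when the realm depends on one DC (the situation in the thread).
kdc_redundancy() {
  if [ "$(kdc_count "$1" "$2")" -gt 1 ]; then echo ok; else echo single-kdc; fi
}

# kdc_reachable HOST: 0 if TCP/88 (Kerberos) answers within 3 seconds. Assumes nc is installed.
kdc_reachable() {
  nc -z -w 3 "$1" 88 >/dev/null 2>&1
}

# report FILE REALM: operator-readable summary; on a PSC point it at /var/lib/likewise/krb5-affinity.conf.
report() {
  echo "realm $2 in $1: $(kdc_count "$1" "$2") kdc(s), redundancy: $(kdc_redundancy "$1" "$2")"
  for k in $(list_kdcs "$1" "$2"); do
    if kdc_reachable "$k"; then echo "  $k: reachable on tcp/88"; else echo "  $k: NOT reachable on tcp/88"; fi
  done
}

report "$SAMPLE_CONF" NA.DOMAIN.COM
```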

            • 3. Re: AD Authentication Issue with vCenter
              Mattallford Hot Shot
              vExpert

              Hi there,

              Glad you got to the bottom of your issue.

              Yeah, to work around PSC failure you either need to deploy 2 in each site and manually repoint VC, or use a load balancer.

              In regard to the snapshot restore, that may be outdated information. See the snippet below from Getting Comfortable with vPostgres and the vCenter Server Appliance - Part 1 - VMware vSphere Blog.

              "In 6.0 U1 and later, a restored PSC will be able to resynchronize itself with its replication partner(s)."

              Cheers, Matt.