Some time ago I attempted to install the first external PSC on Windows into my existing multi-site 5.5 SSO. Despite effort I could not get it to complete successfully so gave up, used a PSC appliance, moved the rest of the environment to 6.0 and all has been well since. I forget what the exact problem was.
Zoom forward to today, all is working. I have 2x external PSC appliances and 2x VCSA appliances.
I attempted to upgrade to Update 1 but despite successful upgrades of PSCs and VCSAs I could not get the web client to load up after login (legacy client worked fine): "An internal error has occurred - index 0 out of bounds". Web-client log files kept showing errors about not being able to contact this stale\old Windows PSC. I was under pressure to get access to vCenter back so I rolled back to snapshots I took before starting the upgrade and all is well with the world again.
Before attempting to upgrade again I would like to clear up this stale record but am having trouble. I've been through KB2106736 but I get the following error:
cmsso-util unregister --node-pnid Old-PSC --username administrator@vsphere.local --passwd sso_pwd
Could not find a host id which maps to Old-PSC in Component Manager
Failed!!!
I also try the following but get the below error:
/usr/lib/vmware-vmdir/bin/vdcleavefed -h Old-PSC -u administrator -u sso_pwd
fdcleavefd offline for server Old-PSC
Leave federation cleanup failed. Error[13] - Confidentiality required.
I have run the above commands on both my PSC appliances with the same result.
Any ideas before I open a support case?
Thanks.
Dave
Make sure first that the PSC is powered down, and try with the proper FQDN name. Mostly the below error will come only if the IP or FQDN name failed to search.
Or try this command with the proper FQDN name: /usr/lib/vmware-vmdir/bin/vdcleavefed -h -u [-w ] (refer to VMware KB 2114233)
VMware KB: Attempting to join an Appliance-based Platform Services Controller or vCenter Server t...
Leave federation cleanup failed. Error[13] - Confidentiality required.
This could be because the stale entry does not exist for the PSC/vCenter installation from the previous/failed installation attempt.
In my case the PSC is showing in the Nodes but still it is failing with the error "Confidentiality required", so I just re-installed the PSC with the same name and then successfully cleaned the PSC.
Did you ever get this fixed? I am having the same issue.
@Ganeshsekarbabu
Could you explain it more widely: "I just re-installed the PSC with the same name and then successfully cleaned the PSC"?
Regards,
Piotr
I had the same issue.
I was able to run cmsso-util unregister without errors, but I didn't get the full output I was supposed to.
I ran vdcleavefed but got the confidentiality error, or failed with an LDAP error in the logs.
I used this guy's advice to connect to my vsphere's LDAP.
http://www.electricmonk.org.uk/2017/03/07/using-jxplorer-to-connect-to-vsphere-psc-server/
When I went there, I saw that my PSCs each had a replication agreement with the defunct PSC, and not with each other.
I used vdcrepadmin -f createagreement to create a replication agreement between the two remaining PSCs.
It sorta looks like that's what was keeping the ghost of the old PSC around. After I fixed the replication agreement, I ran vdcleavefed and the old PSC went away.
- t2
psc03:~ # /usr/lib/vmware-vmdir/bin/vdcleavefed -h psc02.alex.local -u administrator -w SSO-Admin-Pwd
Change your PSC name and try this command.
This is a good solution, I have the same problem and I saw that my PSCs each had a replication agreement with the defunct PSC, and not with each other.
But I cannot recreate a replication agreement between the two PSCs because one PSC is down and I get this error when I try to create the agreement.
vdcrepadmin failed. Error [Server down] [9127]
Any ideas?
@cabernocht wrote: I had the same issue.
I was able to run cmsso-util unregister without errors, but I didn't get the full output I was supposed to.
I ran vdcleavefed but got the confidentiality error, or failed with an LDAP error in the logs.
I used this guy's advice to connect to my vsphere's LDAP.
http://www.electricmonk.org.uk/2017/03/07/using-jxplorer-to-connect-to-vsphere-psc-server/
When I went there, I saw that my PSCs each had a replication agreement with the defunct PSC, and not with each other.
I used vdcrepadmin -f createagreement to create a replication agreement between the two remaining PSCs.
It sorta looks like that's what was keeping the ghost of the old PSC around. After I fixed the replication agreement, I ran vdcleavefed and the old PSC went away.
- t2