VMware Cloud Community
eb8945
Contributor

vsphere 6.5 identity source AD as LDAP - broken

Hello all,

We did an in-place upgrade from version 6.0 to version 6.5 and recently wanted to take advantage of the Active Directory 2012R2 feature of the "Protected Users" group. After adding our privileged accounts into this group we realized we could no longer log in to vcenter. We were receiving an error message basically saying the password was incorrect.

I stumbled upon this VMware KB article: VMware Knowledge Base, which I think explains the issue we are having.

We are trying to implement option 3 listed in that KB. However, just trying to make any change to that Identity Source results in me receiving the error message noted in the KB: "A vCenter Single Sign-On service error occurred".

It doesn't seem to matter what I do, we receive that message. Even trying to edit the current Identity Source and change it to LDAP only with no SSL, I still receive that message.

Has anyone run into this issue?

6 Replies
Vijay2027
Expert

Did you find anything interesting in ssoAdminServer.log (/var/log/vmware/sso)?

Also, have you tried removing and re-adding the identity source? (Please take a snapshot.)

rchaubey
Enthusiast

Hello,

I have seen one of the community articles for AD authentication. Please check if it can help you.

After upgrade to 6.5 update 1 broken AD authentication

If your problem is not resolved, please share the log with us.

Regards

Randhir

Please, don't forget the awarding points for "helpful" and/or "correct" answers.

eb8945
Contributor

I'm basically receiving the same errors in the ssoAdminServer.log that the KB describes. I changed the username to <USRNAME> and the domain to <DOMAIN>.

This error was generated when I tried to specify one domain controller without security on port 389; I did not check the box for SSL.

[2018-08-05T13:09:46.929-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58195-ngc:70002579 INFO  com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: <USRNAME>, Domain: <DOMAIN>} with role 'Administrator' is authorized for method call 'ServiceInstance.retrieveServiceContent'
[2018-08-05T13:09:46.955-04:00 pool-4-thread-2 opId=IdentitySourceWizard-apply-58196-ngc:70002579 INFO  com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name:  <USRNAME>, Domain:<DOMAIN>} with role 'Administrator' is authorized for method call 'IdentitySourceManagementService.updateLdapAuthnType'
[2018-08-05T13:09:46.955-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58196-ngc:70002579 INFO  com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] [User {Name: <USRNAME>, Domain:<DOMAIN>} with role 'Administrator'] Updating the authentication type of ldap identity source with name '<DOMAIN>' to 'password'
[2018-08-05T13:09:47.011-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58196-ngc:70002579 ERROR com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] 'IdentityStore certificates' value should not be empty
[2018-08-05T13:09:47.011-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58196-ngc:70002579 ERROR com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] 'IdentityStore certificates' value should not be empty
java.lang.IllegalArgumentException: 'IdentityStore certificates' value should not be empty
        at com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl.updateLdapAuthnType(IdentitySourceManagementImpl.java:602) ~[sso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$9.call(IdentitySourceManagementServiceImpl.java:298) ~[sso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$9.call(IdentitySourceManagementServiceImpl.java:286) ~[sso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:160) [sso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl.updateLdapAuthnType(IdentitySourceManagementServiceImpl.java:286) [sso-adminserver.jar:?]
        at sun.reflect.GeneratedMethodAccessor319.invoke(Unknown Source) ~[?:?]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_162]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_162]
        at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:65) [vlsi-server.jar:?]
        at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:47) [vlsi-server.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_162]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_162]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]

eb8945
Contributor

I have not tried removing and re-adding the identity source but was going to, and will snapshot the environment (vcenter & PSCs). This is currently in our Test environment. If the fix is to remove and re-add the identity source, I don't think that's really going to be a very good option for our production environment. We have a lot of delegation of rights configured.

Vijay2027
Expert

How was the identity source configured in 6.0?
Was it AD over LDAP or IWA?

eb8945
Contributor

AD over LDAP, and the current configuration shows we had it configured for secure connections on 636. The current configuration is working, but I have to believe it is actually falling back to 389 at this point. I have not put Wireshark out on the network to verify that yet.
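The fallback question raised in this last reply can be checked from the appliance itself without a packet capture: list the established TCP sessions from the PSC/vCenter to the domain controllers and see whether they land on 389 (plaintext LDAP) or 636 (LDAPS). The script below is an added example, not from this thread or from VMware; it parses `ss -tn` style output, and the sample output and the 10.0.x.x addresses in it are constructed for illustration.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `ss -tn` output as it might look on a PSC that is
# talking LDAPS to one DC and plaintext LDAP to another (hypothetical addresses).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.0.5:41222       10.0.1.10:636
ESTAB  0      0      10.0.0.5:41230       10.0.1.10:636
ESTAB  0      0      10.0.0.5:52310       10.0.1.11:389
ESTAB  0      0      10.0.0.5:52311       10.0.1.11:389
ESTAB  0      0      10.0.0.5:44000       10.0.2.20:443
"""

# AD directory ports: 389/3268 are plaintext unless STARTTLS is negotiated,
# 636/3269 are TLS from the first byte.
LDAP_PORTS = {389: "ldap", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}

LINE_RE = re.compile(r"^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def ldap_connections(ss_output):
    """Count established sessions per peer address, keyed by LDAP port name."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a non-established state
        peer, port = m.group(3), int(m.group(4))
        name = LDAP_PORTS.get(port)
        if name:
            counts[peer][name] += 1
    return {peer: dict(v) for peer, v in counts.items()}


def plaintext_ldap_peers(ss_output):
    """Peers reached over 389/3268: the silent fallback the post suspects."""
    return sorted(peer for peer, v in ldap_connections(ss_output).items()
                  if v.get("ldap") or v.get("gc"))


if __name__ == "__main__":
    # Run live on the appliance shell; ss(8) is part of iproute2.
    live = subprocess.run(["ss", "-tn"], capture_output=True, text=True).stdout
    print(ldap_connections(live))
    print("plaintext LDAP peers:", plaintext_ldap_peers(live))
```

A peer that shows up under "ldap" while the identity source is configured for 636 means the secure setting is not what is actually on the wire; a capture on the DC side would confirm the same thing.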
