VMware Cloud Community
N7Valiant
Contributor
Contributor

Does Credential-Less Service Discovery actually work? (vROPs 8.2 + vSphere 6.7)

So we had a new shiny vROPs 8.2 at work along with vSphere 6.7 (which isn't as bad as it sounds given we were coming off of 6.0), I was digging into what it can do with this new version.

I came across this blog and got excited:

Credential-Less Service Discovery with vRealize Operations - VMware Cloud Management

vROPs v8.2 specifically works with vSphere 6.7, or so it is claimed.  But my failure to get it working has made me a skeptic as I'm constantly seeing "VM authentication status is failed" and "No data receiving" on the collector.

I then went home where I have a simple homelab (ESXi, vCenter, and vROPs sitting on an Intel NUC 10) and duplicated the setup and the symptoms.

Products and Versions (homelab, all evaluations):

-vCenter 6.7 Build 17028632

-vROPs 8.2

-ESXi 6.7 17167734

-VM Tools 11.1.1

-Windows Server 2019 Core

-Windows 10 1909 Enterprise

 

I carefully configured privileges as described here:

Privileges Required for Configuring a vCenter Adapter Instance (vmware.com)

And here:

Configure Service Discovery (vmware.com)

 

I'm seeing multiple log entries such as:

[5605] 2021-02-03T13:19:00,251+0000 ERROR [pool-23-thread-2] (60) com.vmware.adapter3.applicationdiscovery.activeprobe.controller.DiscoveryTaskRunner.runNetworkProbes - [192.168.50.53] Received authentication error from VM : EDEN-PAW-01. Ignoring rest of the probes
[5606] 2021-02-03T13:19:00,284+0000 ERROR [pool-23-thread-2] (60) com.vmware.adapter3.applicationdiscovery.guestoperation.impl.WindowsRemoteGuestOperationImpl.runProgramInGuest - [ Host: 192.168.50.53, VM moid: vm-14] Failed to start Program in Guest
[5607] com.vmware.vim.binding.vim.fault.InvalidGuestLogin: Failed to authenticate with the guest operating system using the supplied credentials.

I did supply guest credentials for 1 VM (the DC) and that worked as Service Discovery sees it running as "Guest Alias" instead of "Credential-less" like I was expecting.  I can't seem to get rid of the saved credentials to test further (deleted vCenter adapter and all objects, overrode prior registration when adding it back).  But the Windows 10 VM that I did not supply credentials to is stubbornly failing.

I do see the option to use Credential-less in the Service Discovery adapter and have tried flipping it off and on again, stopping and starting collection.

I then threw the baby out with the bathwater and added the service account to "Administrators" role in vCenter.  It is not a permissions problem.

 

My layman's interpretation of the logs and symptoms is telling me that vROPs is not even attempting to use credential-less service discovery.

Has anyone ever managed to get this working?

Reply
0 Kudos
10 Replies
ScottThomson
Contributor
Contributor

Hey mate

Looks like expected behaviour, its trying and failing then falling back to creds, so like you said, permissions issue, plugin issue, all your build #s seem to be supported.

I'm sure you have seen this post, https://kb.vmware.com/s/article/78216

SDMP first tries to discover services without credentials and falls back to the legacy mode (credential based mechanism) if credential-less mechanism fails for any reason

I will be looking into this scenario in another month, hope not to run into any issues, good to keep tabs on this.

On the guest O/S, is there an ability to install the Service Discovery Plugin via the tools?  Where is that located?

In the log you showed, first line is crying over a credential, could the second line be the plugin? and the 3rd the fallback?

Would be great to keep up with this.

vRealize Operations 8.2.x

  • VMware Tools Service Discovery plugin is installed and enabled
  • VMware Tools version 11.1.0 (using ss), 11.1.5, or 11.2.0 for Linux VMs.
  • VMware Tools version 11.1.0 or above for Windows VMs.
  • vCenter is not a VMC
  • vCenter version = 6.7u3g and above
  • ESXi version = 6.7p2, or 7.0 and above
  • VM hardware version = 9 or above
  • vCenter user that is used to configure the SDMP adapter instance has the following privileges:
      VirtualMachine.Namespace.Management
      VirtualMachine.Namespace.Query
      VirtualMachine.Namespace.ModifyContent
      VirtualMachine.Namespace.ReadContent
      VirtualMachine.Namespace.Event
      VirtualMachine.Namespace.EventNotify
Reply
0 Kudos
N7Valiant
Contributor
Contributor

I further confirmed with supplying credentials on an individual basis (which results in "Guest Alias" status) and providing Common Credentials to the vCenter adapter (which results in "Common Credentials" status).  It seems to be especially damning when this symptom is also manifested for both the vCenter and vROPs appliances (both are "VM authentication status is failed").  I'd probably conclude that credential-less service discovery was oversold and not functional despite being advertised as such.

Reply
0 Kudos
ScottThomson
Contributor
Contributor

Hey mate

I am about to do this in the next few months, keen to know the answer jic.

I'm sure you have seen this one...https://kb.vmware.com/s/article/78216


Some thoughts, you probally already been through this?

The plugin is enabled? https://docs.vmware.com/en/VMware-Tools/11.1.0/com.vmware.vsphere.vmwaretools.doc/GUID-ADC00685-CB08...

 

You mentioned the service account in the administrators group, is that a domain account? or local vCenter account?

Is UAC disabled on the guest machine via the registry and machine rebooted?

 

vRealize Operations 8.2.x
VMware Tools Service Discovery plugin is installed and enabled
VMware Tools version 11.1.0 (using ss), 11.1.5, or 11.2.0 for Linux VMs.
VMware Tools version 11.1.0 or above for Windows VMs.
vCenter is not a VMC
vCenter version = 6.7u3g and above
ESXi version = 6.7p2, or 7.0 and above
VM hardware version = 9 or above
vCenter user that is used to configure the SDMP adapter instance has the following privileges:
      VirtualMachine.Namespace.Management
      VirtualMachine.Namespace.Query
      VirtualMachine.Namespace.ModifyContent
      VirtualMachine.Namespace.ReadContent
      VirtualMachine.Namespace.Event
      VirtualMachine.Namespace.EventNotify


This one is old but with a read, https://www.storagegumbo.com/2017/05/vrops-and-service-discovery-new.html

 

 

 

 

Reply
0 Kudos
KabirAli82
Expert
Expert

Hi,

Be sure you meet al the pre-requisites as described here;

https://kb.vmware.com/s/article/78216?lang=en_US&queryTerm=Credential-Less

 

 


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
Reply
0 Kudos
JoeConsultant
Contributor
Contributor

I also tried the credential-less service discovery as well with no joy (vROps 8.3 on vSphere 6.7/17137327 and most guests with vmTools 11.2.5).  Trying to see if I can get any traction with an SR - if nothing else, maybe it will be one more ticket to shore up the functionality in a future update.

Reply
0 Kudos
KabirAli82
Expert
Expert

.


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
Reply
0 Kudos
JoeConsultant
Contributor
Contributor

Thanks for the reply, however, the KB lists the following (copy/paste):

<snipped first half of the KB as I'm running 8.3>
...

vRealize Operations 8.2.x and Later

  • VMware Tools Service Discovery plugin is installed and enabled
  • VMware Tools version 11.1.0 (using ss), 11.1.5, or 11.2.0 for Linux VMs.
  • VMware Tools version 11.1.0 or above for Windows VMs.
  • vCenter is not a VMC
  • vCenter version = 6.7u3g and above
  • ESXi version = 6.7p2, or 7.0 and above
  • VM hardware version = 9 or above

 

Not sure which prereqs I'm missing.

Reply
0 Kudos
KabirAli82
Expert
Expert

Whats your ESXi build?


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
Reply
0 Kudos
JoeConsultant
Contributor
Contributor

Nearly all hosts are version 6.7 at build 17499825 with a few that are holdouts at 17167734 due to environmental issues.  I think they're all within specs.  And i'm sure several legacy guests are not at hardware v9 although 90%+ are newer; but i'm seeing no return of data (failed in the vROps Administration -> Inventory -> Manage Services view).  

Reply
0 Kudos
KabirAli82
Expert
Expert

And I think thats were you went wrong.

For 6.7 only p2 is supported. From 7.0 forward you can use any new update/patch. But for 6.7 you have to be on p2 (16075168)

Mind the *or* in:

  • ESXi version = 6.7p2, or 7.0 and above

 


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
Reply
0 Kudos