VMware Cloud Community
Gonzouk
Enthusiast

VCSA can't add Win 2012 as an identity source

Hello,

I have installed VCSA 5.5 and I am trying to add a Win2012 Domain Controller as an identity source.

When I try to add it I get the message:

Error:

The "Add identity source" operation failed for the entity with the following error message.

The host is required to join to domain [domain.local] but joined to [null]

I've Googled this and tried some suggestions with no success. VCSA can ping the DC and vice versa. On the administration page for VCSA the host name is the host name with the domain name.

Maybe someone has an idiot's guide to setting this up, or has had issues like this? I've used vCenter on a server before and this was fine; I've not used an appliance before.

Thanks

5 Replies
npadmani
Virtuoso

Here is the KB that you need to resolve this issue:

VMware KB: Adding an Active Directory identity source in vCenter Single Sign-On 5.5 fails with the e...

Since you mentioned in your post that you have already tried searching for a solution on Google, you might have already come across this KB. If that is the case, the solution still lies within that KB: you have to make sure that your VCSA is joined successfully to the AD domain.

Create an SPN using the following KB:

VMware KB: Creating and using a Service Principal Account in vCenter Single Sign-On 5.5

Then try to add the identity source using that SPN; the process for that is also listed in the above KB.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
Gonzouk
Enthusiast

Still no luck I'm afraid:

I've used this:

http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2...

and

http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2...

I then went to https://192.168.0.112:9443, then Administration > Single Sign On > Configuration > AD (integrated Windows Authentication), used the SPN, added the info, and I get

"To support Native AD, the host is required to join the domain"

I'm sure I have, but how do I do this?

I have gone to https://192.168.0.112:5480. What should I have under SSO?

Not sure what to do next.

Thanks

Gonzouk
Enthusiast

I am using the correct password as I just logged in as it on a Windows server, but the log file shows this:

Error: LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]

The password is incorrect for the given username
2015-10-21 20:45:38 11865: VC_CFG_RESULT=302
2015-10-21 20:45:38 11865: END execution
2015-10-21 20:45:49 12281: START locking... /usr/sbin/vpxd_servicecfg ad write
2015-10-21 20:45:50 12284: [12281]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'vca@gonzo.local' CENSORED 'gonzo.local'
2015-10-21 20:45:50 12284: Testing domain (gonzo.local)
2015-10-21 20:45:51 12284: Enabling active directory: 'gonzo.local' 'vca@gonzo.local'
2015-10-21 20:46:13 12284: ERROR: Enabling active directory failed: Joining to AD Domain:   gonzo.local
With Computer DNS Name: vca.gonzo.local


Error: LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]

The password is incorrect for the given username
2015-10-21 20:46:14 12284: VC_CFG_RESULT=302
2015-10-21 20:46:14 12284: END execution

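An added example, not part of the original thread: a small Python parser that groups the vpxd_servicecfg log lines shown in the post above by process ID and reports the account, domain, LW_ERROR code and VC_CFG_RESULT value for each AD join run, including a run whose start is cut off. The function name and record fields are illustrative assumptions; the sample lines are abridged from the post.

```python
import re

# Log lines abridged from the excerpt in the post above; the first run is cut
# off at the top, as it is in the post.
SAMPLE = """\
Error: LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]
2015-10-21 20:45:38 11865: VC_CFG_RESULT=302
2015-10-21 20:45:49 12281: START locking... /usr/sbin/vpxd_servicecfg ad write
2015-10-21 20:45:50 12284: [12281]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'vca@gonzo.local' CENSORED 'gonzo.local'
2015-10-21 20:45:51 12284: Enabling active directory: 'gonzo.local' 'vca@gonzo.local'
2015-10-21 20:46:13 12284: ERROR: Enabling active directory failed: Joining to AD Domain:   gonzo.local
Error: LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]
2015-10-21 20:46:14 12284: VC_CFG_RESULT=302
"""

STAMPED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+): (.*)$")
BEGIN = re.compile(r"BEGIN execution of: \S+ 'ad' 'write' '([^']*)' \S+ '([^']*)'")
LW_ERR = re.compile(r"(LW_ERROR_\w+) \[code (0x[0-9a-fA-F]+)\]")
RESULT = re.compile(r"VC_CFG_RESULT=(\d+)")

def parse_ad_joins(text):
    """Group lines by PID; return one record per run that logged a result."""
    runs, pid, orphans = {}, None, []
    for line in text.splitlines():
        m = STAMPED.match(line)
        if m:
            when, pid, msg = m.groups()
            run = runs.setdefault(pid, {"pid": pid, "account": None, "domain": None,
                                        "errors": [], "result": None, "at": None})
            run["errors"] += orphans  # error text seen before the first timestamp
            orphans = []
            if (b := BEGIN.search(msg)):
                run["account"], run["domain"] = b.groups()
            if (r := RESULT.search(msg)):
                run["result"], run["at"] = int(r.group(1)), when
        else:
            msg = line  # unstamped continuation line belongs to the last PID seen
        if (e := LW_ERR.search(msg)):
            (runs[pid]["errors"] if pid else orphans).append(e.group(1, 2))
    return [r for r in runs.values() if r["result"] is not None]

if __name__ == "__main__":
    for run in parse_ad_joins(SAMPLE):
        print(run)
```
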
Gonzouk
Enthusiast

Got further! My password had a # in it and now the VCSA is part of the domain. I had to restart the appliance too, but after the reboot I opened the web client and logged in as administrator@vsphere.local, and under Administration the configuration > single sign on options are gone!

What should I do?

npadmani
Virtuoso

It's a little strange that you lost SSO admin capability.

Do you remember doing some activity in the group called Administrators under the Groups tab in SSO configuration? Normally administrator@vsphere.local is a default member of that group, and that's how it's an administrator of SSO.

Please reboot your VCSA once again and log in again in the web client using the administrator@vsphere.local account to see if you get SSO administration again.

Also, did you check under VAMI 5480 that your VCSA has successfully joined the AD domain?

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified