VMware Cloud Community
vSeanClark
Enthusiast
Enthusiast
‎03-31-2015 08:41 AM
Jump to solution

Can't see Compute Resource in vRA even though vSphere Agent log shows a cluster

I'm debating on whether the question should be does minimal vRA install require anonymous authentication in IIS?  Or am I crazy?  I'll let you choose how to answer.

This is a fresh new vRA 6.2.1 minimal install with identity applice, vRA appliance and a single Win2012R2 server for all the IaaS roles. Everything when smooth and the pre-req checker was happy prior to install. 

However, when I went to add an endpoint yesterday for the vSphere-Agent I installed, I get the following error in the vRA logs:

Exception occured when retrieving work from VRM: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'NTLM,Negotiate'. Inner Exception: The remote server returned an error: (401) Unauthorized.

Does a minimal install use Anonymous authentication??  The pre-req checker just had has disable that, and instead use Windows Authentication with providers of the following order: NTLM, Negotiate.  Hmmm...., well maybe I'll enable anonymous and restart vSphere agent and see what happens.  I restart the agent and now I don't receive an error about authentication, and the following from the vSphereAgent.log seems to say that the endpoint is communicating and returning a cluster from the vCenter:

[3/31/2015 10:22:08 AM] [Debug]: Thread-Id: 10 - Ping Sent Successfully : [<?xml version="1.0" encoding="utf-16"?><pingReport agentName="vSphereAgent-XXXXXX" agentVersion="6.2.0.0" agentLocation="VRAIaaSServer01" WorkitemsProcessed="0"><Endpoint externalReferenceId="F86349A2-B8D7-4E17-9599-CC4F5C9E94B3" /><Nodes><Node name="ClusterName" type="Cluster" identity="XXXXXX.mydomain.com/vCenter 5.5 Test/host/ClusterName" datacenterExternalReferenceId="datacenter-21" isCluster="True" managementEndpointId="72195415-bdb6-4f7a-a3ac-92b9c4eca960" /></Nodes><AgentTypes><AgentType name="Hypervisor" /><AgentType name="vSphereHypervisor" /></AgentTypes></pingReport>]

[3/31/2015 10:22:08 AM] [Debug]: Thread-Id: 10 - Ping Report Completed

However, when I browse to Compute Resources under the endpoint, vRA shows no clusters.

What is going one? Am I going crazy?   Well, maybe,  But actually part of the problem is that compute resources don't show up where you would think, until you go to Groups - Fabric Groups and then check the clusters you would like vRA to use.  Now when you browse back to Compute Resources the select cluster will show up.  {shakes head and face palms}

So, the lesson is don't forget the Fabric Group section when adding and/or subtracting compute resources.  Also, there may just be orphaned compute resources in the database.  The following KB can help resolve that issue.  VMware KB: Deleting an endpoint in vRealize Automation fails with the error: This endpoint is being ...

Hopefully this helps some who may run into issues adding compute resources from a vCenter Endpoint.

Sean Clark - http://twitter.com/vseanclark
1 Solution

Accepted Solutions
sbeaver
Leadership
Leadership
‎03-31-2015 12:10 PM
Jump to solution

Hey Sean,

Ok on one my IIS servers

At the host server level Anonymous Authentication is the only authentication that is enabled

Moving forward into the sites - Default Web Site --  Windows Authentication is the only thing enabled

For the Repository -- Anonymous and Windows Authentication are enabled

for the vcac -- Forms Authentication is the only one enabled

For the WAPI -- Anonymous and Windows Authentication are enabled

Does that help?

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**

View solution in original post

0 Kudos
7 Replies
sbeaver
Leadership
Leadership
‎03-31-2015 09:11 AM
Jump to solution

Sean,

What is going one? Am I going crazy? Not sure you want me or this group to answer that question for you   Smiley Happy



Steve

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
SeanKohler
Expert
Expert
‎03-31-2015 09:15 AM
Jump to solution

Lol...

Option 2?

:smileygrin:

vSeanClark
Enthusiast
Enthusiast
‎03-31-2015 11:57 AM
Jump to solution

My serious question is does the minimal vRA installation (all IaaS roles shared on a single windows box) require anonymous authentication at the IIS level?  I could not get my vCenter endpoint to connect without error until I enabled anonymous authentication in IIS.

Sean Clark - http://twitter.com/vseanclark
0 Kudos
sbeaver
Leadership
Leadership
‎03-31-2015 12:10 PM
Jump to solution

Hey Sean,

Ok on one my IIS servers

At the host server level Anonymous Authentication is the only authentication that is enabled

Moving forward into the sites - Default Web Site --  Windows Authentication is the only thing enabled

For the Repository -- Anonymous and Windows Authentication are enabled

for the vcac -- Forms Authentication is the only one enabled

For the WAPI -- Anonymous and Windows Authentication are enabled

Does that help?

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
0 Kudos
SkyCoop
VMware Employee
VMware Employee
‎03-31-2015 12:54 PM
Jump to solution

Is the proxy agent running under a service account that is a local administrator? Can you see the cluster in the Fabric Group? Until you add it to the fabric group, it won't appear in compute resources.

When you do a distributed install, the Web components use Windows Authentication, the manager service does not. The proxy agent is old legacy SOAP communication done to the manager service, so I would guess that the VMPS2 directory (haven't looked) in IIS Manager, shows as anonymous is enabled or should show as anonymous for a non-distributed install?

0 Kudos
vSeanClark
Enthusiast
Enthusiast
‎03-31-2015 01:36 PM
Jump to solution

Sky, yes, it is admin.  And yes, I can find the cluster under the fabric group now.  But the agent didn't return a cluster (according to the vSphereAgent log) until I had changed the auth to enable anonymous. 

Sean Clark - http://twitter.com/vseanclark
0 Kudos
vSeanClark
Enthusiast
Enthusiast
‎03-31-2015 02:41 PM
Jump to solution

I have the same....now.  But after I got done following the pre-req checker's task list, I did not have Anonymous enabled for the server and the default web site.. 

I think the answer is you need some anonymous for a complete IaaS install to work proper with a vCenter endpoint.

Cheers!

Sean Clark - http://twitter.com/vseanclark
0 Kudos