VMware Cloud Community
sbrown218
Enthusiast

vRA 7 unable to configure AD authentication

I used the port 5480 configuration wizard and did a Minimal install. The IaaS server is running 2012 R2 and has MSSQL 2012 Standard installed. There are no configuration issues at all (green check marks all the way through) during the Wizard setup process. Afterwards I run the vSphere Initial Setup service catalog item and there are no issues at all connecting to my vCenter server using an AD auth based account (user@domain). Once the vSphere Initial Setup is done running and I have the VM template it found on my vCenter configured, I then go to Administration - Directory Management - Directories setup and proceed to bang my head into a wall.

Everything is on the same subnet, no firewall involved.  I am getting the following error -- connector communication failed with response: Request timed out.  I have tried Active Directory over LDAP & Active Directory (Integrated Windows Authentication). The Base DN and Bind DN configurations I am using all work when I click the Test Connection button.  I have seen various vRA 7 setup guides online (with screenshots even) and there has been no mention of any tricks or difficulty trying to get this to work properly. With vCloud Director & vCAC 6.2 I experienced no AD bind issues at all.  When I check my domain controller I do see that there has been a computer object created in the Computers OU but it is created as Disabled - I have tried to enable it but this doesn't help the issue.  I have rolled back to the suggested installation Snapshot multiple times now but always get stuck on this AD bind issue. 

Initially I was using PKI generated Domain SSL Certificates but on the last couple of attempts I have gone with the VMware generated certs within the appliance configuration wizard (to no avail).

Any help with this issue would be greatly appreciated.

Thanks!

future2000
Enthusiast

Hi,

I've been having similar issues. We have a single forest, single domain and tried both AD over LDAP and AD Integrated. Eventually I was able to get my domain recognized.

Have a look at the connector, does it show a join domain or leave domain button?

Can you confirm 100% that the user account you are using has domain administrator privileges as well?

I managed to get our directory connected via Active Directory over LDAP, although I had to leave the domain and then rejoin the domain twice before I was then able to see my domain! Since then I have attempted a sync and that has now been running for over 6 hours, despite only 160 groups needing syncing in a subtree of my directory. I have no idea how long this should be taking!

Good luck!

GrantOrchardVMw
Commander

You only need to join the domain if you want to use Integrated Authentication; you can do AD over LDAP without it.

The fact that the computer account is created but disabled is interesting, it's not something that I've seen before.

If you could try over LDAP to validate then we can try and troubleshoot the integrated auth.

Grant

PS. Group sync is pretty expensive as an operation, so it may take a while.

Grant http://grantorchard.com
sbrown218
Enthusiast

Yes, when I look at the connector it has many times given me the option to Leave Domain, which I have used to try to start over. The issue is that even though it looks to have joined, the Sync option is never available because it tells me I need to configure the Domain. I've messed around with it enough to where I can get to a page in the interface that shows me the Sync Options, and there does seem to be a section where I would select the domain. But it never queries the domain to the point where it finds out what my domain name actually is; it just sits there and has a check mark next to the word Domain. I have gotten to where I was able to type in the BaseDN info for the groups I want to import, but it again errors out and tells me a Domain must first be configured. I ended up getting into Connectors - Auth Adapters and it shows the status for all of them as Disabled. If I go into PasswordIdAdapter I am able to see that it is filled out but does not have a server IP specified for the Domain Controller. I've put an IP in there and flagged the PasswordIdAdapter as enabled, but still this has not worked.

Yes, the account I am using to join the domain is a Domain Administrator. I have 4 domain controllers in this subnet and have verified that DNS is working properly on the vRA 7 Appliance.

sbrown218
Enthusiast

AD via LDAP is how I initially had tried to configure this. The connection test said the Base DN and Bind DN I configured were correct. But when I click the Save/Next button to go to the Select Domain screen, which I think is next, it never gets there; this is where I get the Connection Timed Out message.

GrantOrchardVMw
Commander

Ok, so the place to look for more information is in your Horizon logs:

/storage/log/vmware/horizon/horizon.log

/storage/log/vmware/horizon/connector.log

Post up whatever you find - you may need to try to connect again in order to get updated messages in the log(s).

Grant

Grant http://grantorchard.com
sbrown218
Enthusiast

From the way it looks, and this would explain the connection timeouts, it is not taking into account the Active Directory Sites and Services configuration, which should, based on the IP address/subnet this server is in, point it at the correct set of domain controllers. I have 39 domain controllers across 63 subnets & 15 defined AD Sites. According to what the connector.log is showing me, it's seemingly just starting randomly and going through all of my available Domain Controllers until it happens upon one that is in the subnet local to the vRA. It should, and this is the purpose of AD Sites & Services, be immediately directed to the 4 DCs I have in the subnet the appliance is in.

According to the log it tried to connect to 9 different domain controllers before coming across one that is in the correct subnet.

Log from one of the attempts:

Attempting to bind to INCORRECT.DOMAIN.CONTROLLER:389

2016-01-21 14:13:27,791 INFO  (tomcat-http--4) [3001@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.directory.ldap.LdapConnector - LDAP Context env Json Values: {
  "java.naming.provider.url" : "ldap://INCORRECT.DOMAIN.CONTROLLER:389",
  "java.naming.factory.initial" : "com.sun.jndi.ldap.LdapCtxFactory",
  "com.sun.jndi.ldap.connect.timeout" : "10000",
  "java.naming.security.principal" : "CN=MYSERVICEACCOUNT,OU=ServiceAccts,OU=UserAccts,DC=DOMAIN,DC=com",
  "java.naming.security.authentication" : "simple",
  "java.naming.security.credentials" : "",
  "com.sun.jndi.ldap.read.timeout" : "600000",
  "java.naming.ldap.attributes.binary" : "objectGUID pae-IconData objectSid securityIdentifier"
}

2016-01-21 14:13:37,803 WARN  (tomcat-http--4) [3001@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.directory.ldap.LdapConnector - Failed to connect to INCORRECT.DOMAIN.CONTROLLER:389
javax.naming.CommunicationException: INCORRECT.DOMAIN.CONTROLLER:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1613)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at com.vmware.horizon.directory.ldap.LdapConnector.getLdapContext(LdapConnector.java:663)
        at com.vmware.horizon.directory.ldap.LdapConnector.createLdapContext(LdapConnector.java:995)
        at com.vmware.horizon.connector.admin.ConfigurationVerificationServiceImpl.verifyDirectory(ConfigurationVerificationServiceImpl.java:115)
        at com.vmware.horizon.connector.admin.controller.DirectoryController.verifyDirectoryConfigurationAgainstActiveDirectory(DirectoryController.java:250)
        at com.vmware.horizon.connector.admin.controller.DirectoryController.testDirectoryConfiguration(DirectoryController.java:225)
        at com.vmware.horizon.connector.rest.DirectoryRestController.testDirectoryConfig(DirectoryRestController.java:129)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:781)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:721)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:943)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:877)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at com.vmware.horizon.connector.mvc.FlashScopeFilter.doFilterInternal(FlashScopeFilter.java:45)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:186)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at com.vmware.horizon.common.filter.TenantContextFilter.doFilter(TenantContextFilter.java:87)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:411)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
        at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:213)
        at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:171)
        at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
        at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
        at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.SocketTimeoutException: connect timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:589)
        at sun.reflect.GeneratedMethodAccessor799.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:350)
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
        ... 86 more

^ It actually does say "... 86 more" in the log; I didn't cut it here.
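The post above reads the connector.log by hand to count how many domain controllers were tried before one in the local subnet answered. The following is an added example (not part of the original post and not VMware's code) that does the same triage over log lines shaped like the ones posted: it pairs each "Attempting to bind to" line with its "Failed to connect to" line, classifies every DC as local or remote against the appliance's subnet, and adds up the time the 10 s connect timeout cost. The sample lines, the hostnames, their IP addresses and the subnet are all constructed, and it is assumed that the "Attempting" line carries the same timestamp prefix as the WARN line.

```python
"""Triage of connector.log bind attempts (added example, not VMware's code).

Parses lines shaped like the ones posted in the thread and reports, in order,
which domain controllers the connector tried, which of them sit in the
appliance's own subnet, and how long the failed attempts cost.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the shape of the posted log (hostnames invented). The
# "Attempting to bind to" line is assumed to carry the same prefix as the WARN.
SAMPLE_LOG = """\
2016-01-21 14:13:27,791 INFO  (tomcat-http--4) [3001@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.directory.ldap.LdapConnector - Attempting to bind to dc07.example.com:389
2016-01-21 14:13:37,803 WARN  (tomcat-http--4) [3001@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.directory.ldap.LdapConnector - Failed to connect to dc07.example.com:389
2016-01-21 14:13:37,810 INFO  (tomcat-http--4) [3001@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.directory.ldap.LdapConnector - Attempting to bind to dc21.example.com:389
2016-01-21 14:13:47,822 WARN  (tomcat-http--4) [3001@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.directory.ldap.LdapConnector - Failed to connect to dc21.example.com:389
2016-01-21 14:13:47,830 INFO  (tomcat-http--4) [3001@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.directory.ldap.LdapConnector - Attempting to bind to dc02.example.com:389
"""

# Constructed: what the appliance's DNS resolves each DC to, and the subnet the
# appliance itself lives in (stands in for a real lookup so this runs offline).
HOST_IPS = {
    "dc07.example.com": "10.20.1.7",
    "dc21.example.com": "10.30.1.21",
    "dc02.example.com": "10.10.1.2",
}
LOCAL_SUBNET = "10.10.1.0/24"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+.*LdapConnector - "
    r"(?P<event>Attempting to bind to|Failed to connect to) (?P<host>[^:\s]+):(?P<port>\d+)\s*$"
)


@dataclass
class Attempt:
    host: str
    port: int
    started: datetime
    failed_at: Optional[datetime] = None  # stays None if no failure was logged


def parse_attempts(log_text: str) -> List[Attempt]:
    """Pair each 'Attempting to bind to' line with its later 'Failed to connect to'."""
    attempts: List[Attempt] = []
    open_by_host: Dict[str, Attempt] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        if m["event"].startswith("Attempting"):
            attempt = Attempt(m["host"], int(m["port"]), ts)
            attempts.append(attempt)
            open_by_host[m["host"]] = attempt
        else:
            attempt = open_by_host.pop(m["host"], None)
            if attempt is not None:
                attempt.failed_at = ts
    return attempts


def summarize(attempts: List[Attempt], local_subnet: str, host_ips: Dict[str, str]) -> dict:
    """Classify each attempt as local/remote and total the time lost to failures."""
    net = ipaddress.ip_network(local_subnet)
    rows = []
    wasted = timedelta()
    first_local = None
    for idx, a in enumerate(attempts):
        ip = host_ips.get(a.host)
        local = ip is not None and ipaddress.ip_address(ip) in net
        if a.failed_at is not None:
            wasted += a.failed_at - a.started
        if local and first_local is None:
            first_local = idx
        rows.append({"host": a.host, "ip": ip, "local": local, "failed": a.failed_at is not None})
    return {
        "attempts": rows,
        "attempts_before_first_local": first_local,
        "seconds_wasted": wasted.total_seconds(),
    }


if __name__ == "__main__":
    report = summarize(parse_attempts(SAMPLE_LOG), LOCAL_SUBNET, HOST_IPS)
    for row in report["attempts"]:
        print(f"{row['host']:20} {row['ip'] or '?':12} local={row['local']} failed={row['failed']}")
    print(f"remote DCs tried before a local one: {report['attempts_before_first_local']}")
    print(f"seconds lost to connect timeouts: {report['seconds_wasted']:.3f}")
```

On a real appliance you would feed `/storage/log/vmware/horizon/connector.log` into `parse_attempts` and replace `HOST_IPS` with the appliance's own resolver results; a long run of remote failures ahead of the first local DC is the signature of the site-unaware discovery described in the post, and the `seconds_wasted` total (each failure costs the 10000 ms `com.sun.jndi.ldap.connect.timeout` seen in the posted log) shows why the UI reports a request timeout before the walk finishes.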

sbrown218
Enthusiast

Ah ha, okay this must be the purpose of the Server Location.

I unchecked "This directory supports DNS Service Location" and manually added a domain controller here.  Everything is working now. 

Thanks for pointing out where the logs were which helped troubleshoot this issue!

sbrown218
Enthusiast

So what does this do for domain controller redundancy? Do I have to create 4 directory service configurations for this single Tenant so that if there is a DC issue it will properly do lookups on a different DC? From the way it looks it is currently pointed at a single DC.

future2000
Enthusiast

Many thanks Grant. The sync did take a long, long time. 160 groups, 3500 odd users. Took around 20 hours but it's done now!

GrantOrchardVMw
Commander

That sounds like you may need to look at SRV records; the purpose of that checkbox is exactly the redundancy you describe.

Grant

Grant http://grantorchard.com
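Two posts in this thread hinge on the same mechanism: sbrown218's observation that the connector walked through domain controllers in other subnets instead of the four local ones, and Grant's closing point that the "DNS Service Location" checkbox is what gives you redundancy via SRV records. The following added example (not part of the thread and not VMware's code) models what a site-aware client does with those records: map its own address to an AD site using the Sites and Services subnet table (longest prefix wins), query the site-specific name `_ldap._tcp.<site>._sites.dc._msdcs.<domain>`, order the answers by SRV priority and weight as RFC 2782 specifies, and only then fall back to the domain-wide `_ldap._tcp.dc._msdcs.<domain>` set. A dictionary stands in for the resolver so it runs offline; the domain, site names, subnets and DC hostnames are constructed.

```python
"""Site-aware domain controller discovery via DNS SRV records (added example).

Not VMware's code. Models the lookup that "This directory supports DNS
Service Location" relies on, using a dict in place of a real DNS resolver.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


DOMAIN = "example.com"  # constructed

# Constructed Sites and Services subnet table (subnet -> site). AD picks the
# most specific subnet that contains the client address.
SITE_SUBNETS = {
    "10.0.0.0/8": "Hub",
    "10.10.0.0/16": "SiteA",
    "10.20.0.0/16": "SiteB",
}

# Constructed zone data. Site-specific names list only that site's DCs; the
# domain-wide name lists every DC in the domain.
SRV_ZONE: Dict[str, List[Srv]] = {
    "_ldap._tcp.SiteA._sites.dc._msdcs.example.com": [
        Srv(0, 100, 389, "dc01.example.com"),
        Srv(0, 100, 389, "dc02.example.com"),
    ],
    "_ldap._tcp.SiteB._sites.dc._msdcs.example.com": [
        Srv(0, 100, 389, "dc03.example.com"),
    ],
    "_ldap._tcp.dc._msdcs.example.com": [
        Srv(0, 100, 389, "dc01.example.com"),
        Srv(0, 100, 389, "dc02.example.com"),
        Srv(0, 100, 389, "dc03.example.com"),
        Srv(10, 100, 389, "dc04.example.com"),  # lower preference (backup) DC
    ],
}


def site_for_address(ip: str, site_subnets: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match of the client address against the site subnet table."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def srv_name(domain: str, site: Optional[str] = None) -> str:
    """SRV owner name for LDAP on DCs, site-scoped when a site is given."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def order_srv(records: List[Srv], rng: random.Random) -> List[Srv]:
    """RFC 2782 ordering: ascending priority, weighted random order within a priority."""
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def candidate_dcs(client_ip: str, domain: str, zone: Dict[str, List[Srv]],
                  site_subnets: Dict[str, str], rng: Optional[random.Random] = None
                  ) -> Tuple[Optional[str], List[Srv]]:
    """Site DCs first (in SRV order), then the rest of the domain as fallback."""
    rng = rng or random.Random()
    site = site_for_address(client_ip, site_subnets)
    names = ([srv_name(domain, site)] if site else []) + [srv_name(domain)]
    chosen: List[Srv] = []
    for name in names:
        for rec in order_srv(zone.get(name, []), rng):
            if all(rec.target != c.target for c in chosen):
                chosen.append(rec)
    return site, chosen


if __name__ == "__main__":
    site, dcs = candidate_dcs("10.10.5.7", DOMAIN, SRV_ZONE, SITE_SUBNETS, random.Random(1))
    print(f"site for 10.10.5.7: {site}")
    for rec in dcs:
        print(f"  try {rec.target}:{rec.port} (priority {rec.priority}, weight {rec.weight})")
```

The ordered list is the failover chain Grant refers to: the site's own DCs come first and the rest of the domain follows, so losing one local DC just moves the client to the next entry, whereas unchecking the box and pinning a single DC (the workaround accepted above) leaves one entry and no fallback. A client that consulted only the domain-wide name, or an appliance whose subnet is missing from Sites and Services so that `site_for_address` returns `None`, would walk the whole domain in SRV order, which is the behaviour sbrown218 saw in connector.log. To run this against real DNS, replace the `SRV_ZONE` lookup with an SRV query from a resolver library (the standard library has none), keeping the ordering logic as is.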