VMware Cloud Community
Martell
Contributor

vCenter / Orchestrator configuration problem

Hi,

While setting up vCenter Server and configuring Orchestrator, I have run into trouble finishing it. I am not able to find any user that is a member of the vCO Administration group for completing the Plug-ins section that is needed for Startup Options. On the other hand, Orchestrator Server cannot be run for adding a user into the Administration group (assuming that this is the place it should be done from) without first completing the Startup Options section in the Web Configuration.

The Orchestrator Installation and Configuration Guide does not make clear how to make a user a member of the Administration group before the Administrator has been started; however, it says "Enter the credentials for a user who is a member of the Orchestrator Administrator group". I have tried the default user (vmware), the user I configured in the AD for running the vCenter Server service, and the local administrator, but it keeps giving the error "Bad credential for plugin installation. Cannot login user : vCenter, user unknown"

Any help on how to go on with this situation is appreciated.

Accepted Solutions

admin
Immortal

Hi Martell,

I am sorry to hear that you are having trouble with the configuration.

Let me see if I could clear up what the relationships are here.

1. The username you used to login to the configurator is not related to any of the configuration in the configurator.

2. The plugin username in the plugin needs to be in the AD group that you specified in the LDAP tab under vCO admin group. Here is my sample config for the vCO admin group: "CN=vco-admin,CN=Users,DC=pm-vco,DC=local"

I would guess that if you add the service account you use in running vCenter Server to the vCO admin group listed above you will be ok.

Let us know if this works.

Sia

malaysiavm
Expert

This is an absolute pain for everyone who tries to configure it. The best way is to get someone who is familiar with AD or LDAP to work together on that part.

Craig

vExpert 2009 & 2010, Netapp NCIE, NCDA 8.0.1
Malaysia VMware Communities - http://www.malaysiavm.com

Martell
Contributor

Thanks for the prompt reply, it really helped! The problem was that I didn't really create a group in the AD. After I created the group VCO-ADMIN and put the LDAP path of it into the LDAP part of the configuration, I succeeded in completing the configuration.

The only thing that remained is that for the plugin installation configuration nothing other than my personal username and password really worked. The account that I created for the vCenter Server service (as a domain user in the AD and a member of the local administrators group of the server that holds the vCenter Server) does not work. It keeps saying that the user is unknown, although I made it a member of the VCO-ADMIN group (there are 2 members in the group: me and vCenter). If I try to make a search from the LDAP configuration, it says "No matches found for: CN=VCO-ADMIN,OU=Groups,DC=mydomain,DC=com". The path is correct because I copied it from the AD Explorer utility, which browses the new group object correctly.

Maybe my personal credentials work because I am a domain admin, but why does the other user not work?

If you have any idea, I would be thankful!

admin
Immortal

I am glad it worked for you. Can you try to go into the LDAP tab?

On the right part of the screen, you should see a tab "test login". Here, you can put in the credential and test it. You should just use the username here instead of the DN of the user. If the test is successful, you should see

"User logged in successfully : username

User is member of vCO administration group."

Martell
Contributor

Yes, I tried to log in; here are the results for 3 different users:

vCenter - "Cannot login user : vCenter, user unknown" (however, the user "vCenter" can log in to the terminal servers of the domain - so, the account is good and not locked up or something)

my account - "User logged in successfully : myAccount User is member of vCO administration group"

a test account - "User logged in successfully : testuser User is NOT a member of vCO administration group" (I made it just for testing purposes, it's an AD domain user with no special privileges)

Any further ideas?

admin
Immortal

Hi Martell,

Thanks for being patient.

Are you sure that vCenter is a part of the VCO-admin group and that there is nothing like a GPO (group policy) that prohibits it from logging in from that server?

Cheers,

Sia

P.S. I will be signing off since it's a bit late here in Europe. I will pick back up on Monday to follow up with you. Good luck.

Martell
Contributor

Hi and thanks for wishing to help!

Yes, it's a little bit late here in Europe, I'm from France, but I'm used to working late and very late.

I am sure that vCenter is a part of the VCO-admin group, and even if it were not, it should not be a problem, as the login test tool in the LDAP tab clearly showed when a user was not a member but the login still worked (look at my last reply, where the third user "testuser", who was not a member of the VCO-admin group, had a positive result). According to my tests the problem is not the password either. As in my earlier message, the wrong password gives another error within the login test tool.

Yes, I'm sure there is not any GPO that could prohibit the user from logging in - I can log in to the server via Remote Desktop and I can also make LDAP requests from that server as the user "vCenter".

Sure, I can wait till Monday and I will meet you then. Thanks again and have a nice weekend!

admin
Immortal

I am a bit perplexed here.

You say "vCenter" can login and is a valid user.

The test tool works with other users as expected, but can't even find the "vCenter" user.

I tested three accounts as well:

1. domain admin and part of vco-admin group: siayiu. "User logged in successfully : admin-1

User is member of vCO administration group." tested fine at plugin screen.

2. Domain user and part of vco-admin group: admin-1 "User logged in successfully : admin-1

User is member of vCO administration group." tested fine at plugin screen.

3. Domain user and NOT part of vco-admin group but under my user lookup base in the LDAP config portion: user-1 "User logged in successfully : user-1 User is NOT a member of vCO administration group." tested at plugin screen with error:

" Bad credential for plugin installation"

As I went through this exercise, it dawned on me to ask you to check that the vCenter user is in the user lookup base in the LDAP config tab.

Sia

Martell
Contributor

Hi,

This is genial! I have not tried it yet, but I know that the problem is the path - the vCenter user is created in another container where the other system accounts are. I somehow guessed that the vCO Admin group path is good enough to find a user that is a member of that group. But it's not so.

Sometimes the most difficult problems have the simplest solutions! Too often we don't see what is under our nose. How I didn't find it out by myself - 20 years of AD administration turns to zero. But, then again, I love the co-operation with other specialists (like you), it is so developing and widening!

Thank you again, I wish you the very best!
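
The cause identified in the two posts above, as an added example that is not part of the thread and not vCO's own code: a simplified model of a login lookup scoped to the user lookup base, showing why an account outside that base comes back as "user unknown" even though it is a member of the admin group. The OU names, the directory contents and the function names are assumptions; only the group DN is taken from the thread, and nested groups are not modelled.

```python
# Simplified model of the LDAP "test login" outcomes from this thread.
# Not vCO code: OUs, accounts and function names are constructed samples.

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(cur))
    return [r.strip().lower() for r in rdns]

def is_under(dn, base):
    """True when `dn` lies in the subtree rooted at `base`."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def login_outcome(user, directory, user_lookup_base, admin_group_dn):
    """Outcome of a user search that is scoped to the lookup base."""
    entry = directory.get(user.lower())
    if entry is None or not is_under(entry["dn"], user_lookup_base):
        return "user unknown"  # group membership is never evaluated
    groups = [split_dn(g) for g in entry["member_of"]]
    if split_dn(admin_group_dn) in groups:
        return "member of admin group"
    return "NOT a member of admin group"

ADMIN_GROUP = "CN=VCO-ADMIN,OU=Groups,DC=mydomain,DC=com"
DIRECTORY = {  # constructed accounts mirroring the three tested in the thread
    "vcenter": {"dn": "CN=vCenter,OU=Service Accounts,DC=mydomain,DC=com",
                "member_of": [ADMIN_GROUP]},
    "myaccount": {"dn": "CN=myAccount,OU=Staff,DC=mydomain,DC=com",
                  "member_of": [ADMIN_GROUP]},
    "testuser": {"dn": "CN=testuser,OU=Staff,DC=mydomain,DC=com",
                 "member_of": []},
}

def run_cases(user_lookup_base):
    """Evaluate every sample account against one lookup base."""
    return {u: login_outcome(u, DIRECTORY, user_lookup_base, ADMIN_GROUP)
            for u in DIRECTORY}

if __name__ == "__main__":
    print(run_cases("OU=Staff,DC=mydomain,DC=com"))  # base misses the service OU
    print(run_cases("DC=mydomain,DC=com"))           # common parent of both OUs
```

Widening the lookup base to the domain root makes every account under it a login candidate, so moving the service account under the existing base or choosing the narrowest common parent keeps the scope tighter.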

admin
Immortal

Hi Martell,

I am glad it will work out for you. Enjoy the trip in Orchestrator. Let us know if you have any questions on workflows.

Cheers,

Sia
