Any help appreciated.
We are in the process of setting up a new vCenter 6.5 for our Pre-prod.
2 PSC Appliances deployed and configured under F5 Load balancer
I'm trying to install vCenter server using the VIP of PSC and got this error message.
Please find the certificate details from PSC (both have same details)
data removed to avoid compliance issues
Thanks for your efforts to analyze this issue:
VIP FQDN as the common name, and all the names including real nodes in the SAN - yes we used VIP FQDN
Can you help me clarify real nodes in the SAN?
In the Subject Alternative Name (SAN) feature of the certificate, you must list the hostnames of the real nodes as well. This is stated in KB 2147627 so be sure to follow that guide. You also want to ensure you're following the guide on proper F5 configuration guidelines for the PSC VIP.
We followed the given KBs and are going to open a case with VMware support.
VMware GSS response: if you are following this post
Looking at the logs provided, it appears that vCenter is failing to properly authenticate to the vmdir service on the PSCs. We see this in the vmdird-syslog logs on PSC1 which was primary at the time:
17-12-28T04:08:36.194990+00:00 err vmdird t@140310692730624: VmDirSendLdapResult: Request (Add), Error (68), Message (BEEntryAdd (9706)((MDB_KEYEXIST: Key/data pair already exists)(cn=host/XXXXXXXXXXXX@vsphere.local,cn=managed service accounts,dc=vsphere,dc=local))), (0) socket (10.61.246.252)
17-12-28T04:08:36.471750+00:00 err vmdird t@140310692730624: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
17-12-28T04:08:36.472451+00:00 err vmdird t@140310692730624: VmDirSendLdapResult: Request (Bind), Error (49), Message ((49)(SASL step failed.)), (0) socket (10.61.246.252)
17-12-28T04:08:36.472695+00:00 err vmdird t@140310692730624: Bind Request Failed (10.61.246.252) error 49: Protocol version: 3, Bind DN:
dc=vsphere,dc=local", Method: SASL
This is telling us a few things: we are attempting to add an account entry for vCenter, but it already exists in the vmdir database when it shouldn't if this is a brand new deployment. We are failing to authenticate because the password being presented for this account is different, so we cannot fully bind to the PSC to complete the installation.
Is this the first time this vCenter has been attempted to be joined to these PSCs or have there been attempts in the past, either to the vip or to the individual PSCs, with varying success?
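The correlation described in the GSS response above (an Add rejected with MDB_KEYEXIST, followed by Bind failures from the same client socket) can be checked across a whole vmdird-syslog file. This is an added example, not part of the original thread or VMware's tooling; the sample lines are constructed in the quoted log format with a placeholder hostname and IPs, and the function name is hypothetical.

```python
import re

# Constructed sample lines in the vmdird-syslog format quoted in the thread.
# Hostname and IP addresses are placeholders, not values from the thread.
SAMPLE = """\
17-12-28T04:08:36.194990+00:00 err vmdird t@1: VmDirSendLdapResult: Request (Add), Error (68), Message (BEEntryAdd (9706)((MDB_KEYEXIST: Key/data pair already exists)(cn=host/vc01.example.test@vsphere.local,cn=managed service accounts,dc=vsphere,dc=local))), (0) socket (192.0.2.10)
17-12-28T04:08:36.471750+00:00 err vmdird t@1: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
17-12-28T04:08:36.472451+00:00 err vmdird t@1: VmDirSendLdapResult: Request (Bind), Error (49), Message ((49)(SASL step failed.)), (0) socket (192.0.2.10)
17-12-28T04:09:10.000000+00:00 err vmdird t@2: VmDirSendLdapResult: Request (Bind), Error (49), Message ((49)(SASL step failed.)), (0) socket (192.0.2.77)
""".splitlines()

# One LDAP result line: timestamp, operation, LDAP result code, client socket.
RESULT = re.compile(
    r"^(?P<ts>\S+) \S+ vmdird .*VmDirSendLdapResult: Request \((?P<op>\w+)\), "
    r"Error \((?P<code>\d+)\).*socket \((?P<ip>[\d.]+)\)")
# DN of the entry that already existed when the Add was attempted.
DN = re.compile(r"MDB_KEYEXIST[^)]*\)\((?P<dn>cn=[^)]+)\)")


def stale_account_bind_failures(lines):
    """Map client IP -> stale DN and count of later failed Binds.

    A client is reported only when its Add hit LDAP 68 (entry already
    exists) and a subsequent Bind from the same socket failed with
    LDAP 49 (invalid credentials), the pattern described above.
    """
    findings = {}
    for line in lines:
        m = RESULT.match(line)
        if not m:
            continue  # SASL detail lines and unrelated messages
        op, code, ip = m["op"], int(m["code"]), m["ip"]
        if op == "Add" and code == 68:
            dn = DN.search(line)
            if dn:
                findings.setdefault(
                    ip, {"dn": dn["dn"], "first_seen": m["ts"], "bind_failures": 0})
        elif op == "Bind" and code == 49 and ip in findings:
            findings[ip]["bind_failures"] += 1
    return {ip: f for ip, f in findings.items() if f["bind_failures"]}


if __name__ == "__main__":
    for ip, f in stale_account_bind_failures(SAMPLE).items():
        print(f"{ip}: {f['dn']} exists since {f['first_seen']}, "
              f"{f['bind_failures']} failed bind(s)")
```

A client that only shows Bind failures, with no preceding MDB_KEYEXIST on its Add, is left out because that points to a plain credential problem rather than a leftover account entry.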