I upgraded a vCenter appliance to 7.0.2.0200 and now the vmware-stsd service will not fully start. I have tried recreating the cert and the fixsts.sh tool but neither fixes it...
The only error I can see is in /var/log/vmware/sso/vmware-identity-sts.log, which basically says "Internal error : duplicate entries were found".
Has anyone seen this or know how to fix it... the problem also happens if I restore from backup on a new appliance.
Thank you!
----------------------------------
2021-06-04T02:16:04.572Z ERROR sts[52:tomcat-http--6] [CorId=a7a911b7-254c-492a-87dd-412b10816da0] [com.vmware.identity.sts.ws.StsServiceImpl] com.vmware.identity.saml.SystemException: com.vmware.identity.idm.IDMException: Internal error : duplicate entries were found
at com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor.getAttributes(IdmPrincipalAttributesExtractor.java:126)
at com.vmware.identity.saml.impl.TokenAuthorityImpl.getTokenAttributesAndIdentityAttribute(TokenAuthorityImpl.java:283)
at com.vmware.identity.saml.impl.TokenAuthorityImpl.createAssertion(TokenAuthorityImpl.java:234)
at com.vmware.identity.saml.impl.TokenAuthorityImpl.issueToken(TokenAuthorityImpl.java:183)
at com.vmware.identity.saml.impl.TokenAuthorityImplPerformanceDecorator$1.call(TokenAuthorityImplPerformanceDecorator.java:62)
at com.vmware.identity.saml.impl.TokenAuthorityImplPerformanceDecorator$1.call(TokenAuthorityImplPerformanceDecorator.java:59)
at com.vmware.identity.performanceSupport.PerformanceDecorator.exec(PerformanceDecorator.java:54)
at com.vmware.identity.saml.impl.TokenAuthorityImplPerformanceDecorator.issueToken(TokenAuthorityImplPerformanceDecorator.java:59)
at com.vmware.identity.sts.impl.STSImpl.issueToken(STSImpl.java:416)
at com.vmware.identity.sts.impl.STSImpl.processIssueRequest(STSImpl.java:382)
at com.vmware.identity.sts.impl.STSImpl.issue(STSImpl.java:164)
at com.vmware.identity.sts.impl.MultiTenantSTSImpl.issue(MultiTenantSTSImpl.java:60)
at com.vmware.identity.sts.impl.MultiTenantSTSImplPerformanceDecorator$2.call(MultiTenantSTSImplPerformanceDecorator.java:103)
at com.vmware.identity.sts.impl.MultiTenantSTSImplPerformanceDecorator$2.call(MultiTenantSTSImplPerformanceDecorator.java:100)
at com.vmware.identity.performanceSupport.PerformanceDecorator.exec(PerformanceDecorator.java:54)
at com.vmware.identity.sts.impl.MultiTenantSTSImplPerformanceDecorator.issue(MultiTenantSTSImplPerformanceDecorator.java:100)
at com.vmware.identity.sts.ws.StsServiceImpl.issue(StsServiceImpl.java:170)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.xml.ws.api.server.InstanceResolver$1.invoke(InstanceResolver.java:250)
at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:150)
at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:261)
at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:100)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:314)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:608)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:259)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:213)
at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194)
at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.vmware.tracing.TracingFilter.doFilter(TracingFilter.java:59)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.vmware.identity.diagnostics.STSLogDiagnosticsFilter.doFilter(STSLogDiagnosticsFilter.java:85)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.vmware.identity.idm.IDMException: Internal error : duplicate entries were found
at com.vmware.identity.idm.server.ServerUtils.getRemoteException(ServerUtils.java:170)
at com.vmware.identity.idm.server.IdentityManager.getAttributeValues(IdentityManager.java:10233)
at com.vmware.identity.idm.client.CasIdmClient.getAttributeValues(CasIdmClient.java:1419)
at com.vmware.identity.saml.idm.IdmPrincipalAttributesExtractor.getAttributes(IdmPrincipalAttributesExtractor.java:119)
... 65 more
Caused by: java.lang.IllegalStateException: Internal error : duplicate entries were found
at com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider.getAttributes(VMwareDirectoryProvider.java:2147)
at com.vmware.identity.idm.server.IdentityManager.getAttributeValues(IdentityManager.java:3880)
at com.vmware.identity.idm.server.IdentityManager.getAttributeValues(IdentityManager.java:10229)
... 67 more
2021-06-04T02:16:04.587Z INFO sts[52:tomcat-http--6] [CorId=a7a911b7-254c-492a-87dd-412b10816da0] [com.vmware.identity.sts.ws.SOAPFaultHandler] Returning a SOAP Fault with code: ns0:RequestFailed and description: Internal error : duplicate entries were found :: Internal error : duplicate entries were found
2021-06-04T02:16:09.734Z WARN sts[53:tomcat-http--7] [CorId=] [com.sun.xml.ws.transport.http.HttpAdapter] Received WS-I BP non-conformant Unquoted SoapAction HTTP header: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
2021-06-04T02:16:09.738Z INFO sts[53:tomcat-http--7] [CorId=6434f116-fd94-4755-8ee5-fdf3fe20fe48] [com.vmware.identity.sts.ws.handlers.SOAPHeadersExtractor] Found 1 {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security headers
2021-06-04T02:16:09.738Z INFO sts[53:tomcat-http--7] [CorId=6434f116-fd94-4755-8ee5-fdf3fe20fe48] [com.vmware.identity.sts.ws.handlers.XMLSignatureValidator] Found signature _af702ddb-faa9-436b-a0fa-0748b3e40b4a
2021-06-04T02:16:09.747Z INFO sts[53:tomcat-http--7] [CorId=6434f116-fd94-4755-8ee5-fdf3fe20fe48] [com.vmware.identity.sts.ws.SignatureValidator] Got signing certificate
2021-06-04T02:16:09.750Z INFO sts[53:tomcat-http--7] [CorId=6434f116-fd94-4755-8ee5-fdf3fe20fe48] [com.vmware.identity.sts.ws.handlers.XMLSignatureValidator] Signature _af702ddb-faa9-436b-a0fa-0748b3e40b4a is valid
2021-06-04T02:16:09.752Z INFO sts[53:tomcat-http--7] [CorId=6434f116-fd94-4755-8ee5-fdf3fe20fe48] [com.vmware.identity.sts.impl.STSImpl] Entering issue() token...
2021-06-04T02:16:09.765Z INFO sts[53:tomcat-http--7] [CorId=6434f116-fd94-4755-8ee5-fdf3fe20fe48] [com.vmware.identity.saml.impl.TokenLifetimeRemediator] There is a HoK confirmation certificate with end time: 2023-06-02T16:25:55.000+0000
--------------------------------------------------------
I have the same issue.
Hey,
I'm having the same issue. Did you find a solution for this?
I wanted to simply change the DNS settings using the VAMI network tab. It re-did all the certs, and then this happened when I tried to put my custom certs back. I think another admin had changed the PNID and then did an upgrade, and then maybe my settings changed the PNID back. I believe that's unsupported.
But if you open Ldp.exe (or your favorite LDAP client) to your vCenter you can see and delete the duplicate domain controller
For me it was cn=<ip>,ou=Domain Controllers,dc=blah,dc=company,dc=com
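A way to review the Domain Controllers container before deleting anything, as an added example that is not part of the thread or any VMware tool: it parses the LDIF that ldapsearch prints for ou=Domain Controllers and reports entries whose cn is an IP literal (the shape of the stray entry the reply above describes) and entries that are not in the list of nodes you expect. The sample LDIF is constructed; the ldapsearch invocation, the default dc=vsphere,dc=local base, the host names and the IP are assumptions, and `vmafd-cli get-pnid` is mentioned only as the usual way to read the current PNID on the appliance. Nothing here deletes; the deletion stays a deliberate step in Ldp.exe or another LDAP client once you know which entry is stale.

```python
import base64
import ipaddress

# Constructed sample of what ldapsearch prints for the Domain Controllers
# container (dc=vsphere,dc=local is the default SSO domain; host names and
# the IP are placeholders).  The first cn uses the LDIF base64 form ("cn::")
# only to exercise the parser.  Assumed query against the vCenter's vmdir:
#   ldapsearch -x -LLL -H ldap://<vcenter>:389 \
#     -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W \
#     -b "ou=Domain Controllers,dc=vsphere,dc=local" -s one dn cn
SAMPLE_LDIF = """\
dn: cn=vcenter01.example.test,ou=Domain Controllers,dc=vsphere,dc=local
cn:: dmNlbnRlcjAxLmV4YW1wbGUudGVzdA==

dn: cn=192.0.2.10,ou=Domain Controllers,dc=vsphere,dc=local
cn: 192.0.2.10

dn: cn=vcenter02.example.test,ou=Domain Controllers,dc=vsphere,dc=local
cn: vcenter02.example.test
"""


def parse_ldif(text):
    """Parse LDIF as printed by `ldapsearch -LLL` into a list of
    {attribute: [values]} dicts, one per entry.  Handles comment lines,
    folded continuation lines (leading space) and base64 values written
    as "attr:: ..." (a base64 value is expected on a single line)."""
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += line[1:]    # folded line: append
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def audit_domain_controllers(entries, expected_nodes=()):
    """Report Domain Controller entries worth a second look before anyone
    deletes anything.  Returns a dict with:
      'all'          every DC dn found under ou=Domain Controllers
      'ip_literals'  dns whose cn is an IP address (what an IP-based PNID
                     leaves behind when the PNID later changes to a name)
      'unexpected'   dns whose cn is not in expected_nodes; skipped when
                     expected_nodes is empty.  For a single node this is
                     just the current PNID, e.g. the output of
                     /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
                     on the appliance (assumed here, not verified)."""
    expected = {name.lower() for name in expected_nodes}
    report = {"all": [], "ip_literals": [], "unexpected": []}
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if "ou=domain controllers" not in dn.lower():
            continue
        cn = entry.get("cn", [""])[0]
        report["all"].append(dn)
        try:
            ipaddress.ip_address(cn)          # raises ValueError for names
            report["ip_literals"].append(dn)
        except ValueError:
            pass
        if expected and cn.lower() not in expected:
            report["unexpected"].append(dn)
    return report


if __name__ == "__main__":
    result = audit_domain_controllers(
        parse_ldif(SAMPLE_LDIF),
        expected_nodes=["vcenter01.example.test", "vcenter02.example.test"],
    )
    for key in ("all", "ip_literals", "unexpected"):
        print(f"{key}:")
        for dn in result[key]:
            print("   ", dn)
```

Run it against a real export by replacing SAMPLE_LDIF with the ldapsearch output and passing the PNIDs of every node in the SSO domain as expected_nodes; on a single-node deployment an entry that is both an IP literal and unexpected is the kind of leftover the reply above removed, while a second FQDN entry is only suspicious if it is not a node you know about. Take a backup or snapshot of the appliance before deleting anything from vmdir.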
