VMware Cloud Community
JimbroSlice
Contributor

VMCA 7.0 vSphere Authentication Proxy Fail

Hello All,

Recently deployed a fresh install of the latest VMCA, version 7.0.0-16749653 to be exact, and I've been fighting for far too long to get the authentication proxy to join a host to an Active Directory domain. I'm nearly out of options and pretty close to giving up, so if anyone could lend me a hand I would greatly appreciate it. I'm currently using what is considered the hybrid option regarding certificates and have only replaced the VMCA Machine SSL certificate and included my enterprise root and sub CA; the one host I'm currently testing with is using certificates signed by VMCA. I will start by listing the tasks I've completed to get the auth proxy set up to prepare for AD joins.

  1. From appliance management, I went to Services >> selected the 'VMware vSphere Authentication Proxy' service and manually started it.
  2. I then enabled SSH access on the VMCA and logged in >> enabled client auth using the command '/usr/lib/vmware-vmcam/bin/camconfig ssl-cliAuth -e'.
  3. Next, I added the domain and service account to the VMCA using the following command, '/usr/lib/vmware-vmcam/bin/camconfig add-domain -d corp.domain.com -u svc_vmware', and entered the password when prompted.
  4. I then followed the vSphere 7.0 security guide for generating a new certificate for vSphere Auth Proxy (https://docs.vmware.com/en/VMware-vSphere/7.0/vsphere-esxi-vcenter-server-70-security-guide.pdf, pg. 106).
  5. I uploaded the newly generated rui.crt to the datastore of the host I was intending to join.
  6. I then changed the 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' advanced system setting on the host I was intending to join to match the AD group I created for admins.
  7. Finally, I imported the previously mentioned rui.crt under the host's 'Authentication Services' tab using the 'Import Certificate' button, pointed it to the directory I uploaded it to on the datastore using '[datastore]/vmcam/rui.crt', and filled in the IP address of the VMCA auth proxy service.
  8. I forgot to mention, I ran into an issue due to our domain's hardening that was solved by forcing the VMCA to only send auth requests to AD using NTLMv2.
  9. So, I used the following settings for the join domain attempt: domain 'corp.domain.com/domain/sites/chi3/servers' and, with 'using proxy server' selected, the IP address of the VMCA auth proxy service.

Just to note, the Active Directory service account I created as a user for the join was given delegated control following the steps outlined in the Microsoft KB https://support.microsoft.com/en-us/help/932455/error-message-when-non-administrator-users-who-have-...

I have also tried making different adjustments using the camconfig and camregister scripts, but receive the same results. Here is the current output for 'camconfig status':

    Default Domain Name: corp.domain.com
    Default Domain User: svc_vmware
    vCenter Server Address: 172.31.2.60
    vCenter Server User: Administrator@vsphere.local
    vCenter Server Port: 80
    SSL Settings:
        Certificate File: /var/lib/vmware/vmcam/ssl/certs/rui.crt
        Private Key File: /var/lib/vmware/vmcam/ssl/certs/rui.key
        Client Authentication: Enabled.
    Success.

I receive the following errors:

    VMCA Tasks: 'The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service.'

    VMCA /var/log/vmware/vmcamd/vmcamd-syslog.log:

        2020-09-13T18:36:36.645515-05:00 info vmcamd  t@140698414208768: Creating machine account for Host 'host1.corp.domain.com', OU 'domain/Sites/chi3/servers'
        2020-09-13T18:36:36.978725-05:00 info vmcamd  t@140698414208768: VmCamLdapMoveAccFromDomainBaseDn failed. (50)(Insufficient access)
        2020-09-13T18:36:36.978903-05:00 notice vmcamd  t@140698414208768: [../../../server/vmcam/api.c,742]
        2020-09-13T18:36:36.978996-05:00 info vmcamd  t@140698414208768: VmCamSrvCreateMachineAccount failed. (50)
        2020-09-13T18:36:36.979082-05:00 notice vmcamd  t@140698414208768: [../../../server/vmcam/httpserv.c,231]
        2020-09-13T18:36:36.979133-05:00 info vmcamd  t@140698414208768: VmCam HTTPS request Handler failed with 50

    From the same log file (not sure if this is relevant to the issue), I also see the following error upon restarting the vmcam service:

        2020-09-13T16:41:59.227138-05:00 info vmcamd  t@140698934294272: Exceptions in CAMAdapterMainLoop: Crypto Exception: error:02001002:system library:fopen:No such file or directory: unable to load BIO

    I've also tried joining the machine without specifying the location of the OU and receive the following in vmcamd-syslog.log:

        2020-09-13T18:43:21.933127-05:00 info vmcamd: Creating machine account for Host 'host1.corp.domain.com'', OU ''
        2020-09-13T18:43:22.283499-05:00 notice vmcamd: [../../../server/vmcam/api.c,810]
        2020-09-13T18:43:22.283650-05:00 info vmcamd: VmCamSrvCreateMachineAccount failed. (5)
        2020-09-13T18:43:22.283954-05:00 notice vmcamd: [../../../server/vmcam/httpserv.c,231]
        2020-09-13T18:43:22.284037-05:00 info vmcamd: VmCam HTTPS request Handler failed with 5

    VMCA /var/log/vmware/vpxd/vpxd.log:

        2020-09-13T18:43:21.892-05:00 info vpxd[53087] [Originator@6876 sub=vpxLro opID=kauto] [VpxLRO] -- BEGIN task-3066 -- activeDirectoryAuthentication-1021 -- vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM --
        2020-09-13T18:43:22.296-05:00 info vpxd[53087] [Originator@6876 sub=vpxLro opID=kf178jvj-6875-auto-5b0-h5:70003448-64] [VpxLRO] -- FINISH task-3066
        2020-09-13T18:43:22.296-05:00 info vpxd[53087] [Originator@6876 sub=Default opID=kf178jvj-6875-auto-5b0-h5:70003448-64] [VpxLRO] -- ERROR task-3066 -- activeDirectoryAuthentication-1021 -- vim.host.ActiveDirectoryAuthentication.joinDomainWithCAM: vim.fault.CAMServerRefusedConnection:
        --> Result:
        --> (vim.fault.CAMServerRefusedConnection) {
        -->    faultCause = (vmodl.MethodFault) null,
        -->    faultMessage = <unset>,
        -->    errorCode = 1225,
        -->    camServer = "172.31.2.60"
        -->    msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."
        --> }
        --> Args:
        -->
        --> Arg domainName:
        --> "corp.domain.com"
        --> Arg camServer:
        --> "172.31.2.60"

I apologize for the long-winded post, but I figured I would receive better responses if I provided in-depth detail. Anyway, any and all insights, thoughts, suggestions, and options are welcome and appreciated, as I would love to move past this as soon as possible.

Thanks in advance,

James

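As an added example (not part of the original post and not VMware's own tooling), the Python below reads vmcamd-syslog.log lines of the shape quoted above, pairs each "Creating machine account" entry with the failures logged for it, and decodes the numeric result to its standard LDAP name (RFC 4511) only where the failing function is one of the proxy's LDAP helpers; the other vmcamd codes are reported raw because their meaning is not documented on this page. The sample lines are copied from the post. Reading LDAP 50 in VmCamLdapMoveAccFromDomainBaseDn as "the join account lacks rights where the object is being placed" is an interpretation of the log, not a confirmed root cause.

```python
"""Triage helper for vSphere Authentication Proxy (vmcamd) syslog excerpts.

Pairs each 'Creating machine account' entry with the failures that follow it
and decodes LDAP result codes where the failing function is an LDAP call.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Standard LDAP result codes (RFC 4511, section 4.1.9); only the codes a
# machine-account create/move is likely to surface are listed.
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}

# Message shapes as they appear in the vmcamd-syslog.log lines quoted in the post.
# The host may be followed by a stray second quote, as in the second attempt.
CREATE_RE = re.compile(
    r"Creating machine account for Host '(?P<host>[^']*)''?(?:, OU '(?P<ou>[^']*)')?"
)
FAIL_RE = re.compile(r"(?P<func>\w+) failed\. \((?P<code>\d+)\)(?:\((?P<detail>[^)]*)\))?")
HANDLER_RE = re.compile(r"HTTPS request Handler failed with (?P<code>\d+)")


@dataclass
class JoinAttempt:
    host: str
    ou: str
    # (function, numeric code, free-text detail or None, LDAP name or None)
    failures: List[Tuple[str, int, Optional[str], Optional[str]]] = field(default_factory=list)
    handler_code: Optional[int] = None


def decode_ldap_code(code: int) -> str:
    """Map a numeric LDAP resultCode to its RFC 4511 name."""
    return LDAP_RESULT_CODES.get(code, f"unknown({code})")


def parse_vmcamd_log(lines) -> List[JoinAttempt]:
    """Group log lines into join attempts, starting a new one at each 'Creating' entry."""
    attempts: List[JoinAttempt] = []
    current: Optional[JoinAttempt] = None
    for line in lines:
        m = CREATE_RE.search(line)
        if m:
            current = JoinAttempt(host=m.group("host"), ou=m.group("ou") or "")
            attempts.append(current)
            continue
        if current is None:
            continue  # failures before any 'Creating' line cannot be attributed
        m = FAIL_RE.search(line)
        if m:
            func, code = m.group("func"), int(m.group("code"))
            # Only the *Ldap* helpers report raw LDAP result codes; other vmcamd
            # functions use their own codes, which are left undecoded.
            ldap_name = decode_ldap_code(code) if "Ldap" in func else None
            current.failures.append((func, code, m.group("detail"), ldap_name))
            continue
        m = HANDLER_RE.search(line)
        if m:
            current.handler_code = int(m.group("code"))
    return attempts


def summarize(attempt: JoinAttempt) -> str:
    """One-line verdict for an attempt, naming the LDAP step when one failed."""
    target = f"OU '{attempt.ou}'" if attempt.ou else "the default container (no OU given)"
    for func, code, _detail, ldap_name in attempt.failures:
        if ldap_name == "insufficientAccessRights":
            return (f"{attempt.host}: LDAP {code} {ldap_name} in {func} while placing the "
                    f"account in {target}; check the join account's delegated rights there.")
    if attempt.handler_code is not None:
        return (f"{attempt.host}: join into {target} failed with vmcamd code "
                f"{attempt.handler_code} (no LDAP detail logged).")
    return f"{attempt.host}: no failure recorded."


# Sample input copied from the post's two vmcamd-syslog.log excerpts.
SAMPLE_LOG = [
    "2020-09-13T18:36:36.645515-05:00 info vmcamd  t@140698414208768: Creating machine account for Host 'host1.corp.domain.com', OU 'domain/Sites/chi3/servers'",
    "2020-09-13T18:36:36.978725-05:00 info vmcamd  t@140698414208768: VmCamLdapMoveAccFromDomainBaseDn failed. (50)(Insufficient access)",
    "2020-09-13T18:36:36.978903-05:00 notice vmcamd  t@140698414208768: [../../../server/vmcam/api.c,742]",
    "2020-09-13T18:36:36.978996-05:00 info vmcamd  t@140698414208768: VmCamSrvCreateMachineAccount failed. (50)",
    "2020-09-13T18:36:36.979133-05:00 info vmcamd  t@140698414208768: VmCam HTTPS request Handler failed with 50",
    "2020-09-13T18:43:21.933127-05:00 info vmcamd: Creating machine account for Host 'host1.corp.domain.com'', OU ''",
    "2020-09-13T18:43:22.283650-05:00 info vmcamd: VmCamSrvCreateMachineAccount failed. (5)",
    "2020-09-13T18:43:22.284037-05:00 info vmcamd: VmCam HTTPS request Handler failed with 5",
]

if __name__ == "__main__":
    for attempt in parse_vmcamd_log(SAMPLE_LOG):
        print(summarize(attempt))
```

Run against a full log file by replacing SAMPLE_LOG with the lines of /var/log/vmware/vmcamd/vmcamd-syslog.log; the parser groups by the "Creating machine account" lines, so attempts made with and without an OU are reported separately.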
4 Replies
scott28tt
VMware Employee

Moderator: Please do not create multiple threads on the same topic.

As this thread is in the correct area, the other you created in the wrong area has been archived.



Although I am a VMware employee, I contribute to VMware Communities voluntarily (i.e. not in any official capacity).
JimbroSlice
Contributor

Sorry, rookie mistake! I realized after I posted that there was a more appropriate place for it.

JimbroSlice
Contributor

Man, I thought someone would be able to help or at least say something.

jburen
Expert

I recently tried this in my lab environment. The steps you took look OK, but I think there is an issue with the Authentication Proxy service. Maybe it looks like it is started, but I think it is not. So first you must try to fix the service.

That would also explain the error you're receiving: msg = "The specified vSphere Authentication Proxy server is not reachable, or has denied access to the service."

Consider giving Kudos if you think my response helped you in any way.