VMware Cloud Community
setyo19
Contributor

Can't log in to vCenter from the web

Hi,

I have a problem. Earlier I changed the clock tolerance parameter in the token policy, and since then I get an error: I can't log in to vCenter from the web, but I can log in from the vSphere Client.

I use vCenter 6.0U2.

I took a screenshot of the error:

Selection_999(1998).png

1 Solution (accepted solution: kenbshinn's reply below)
6 Replies
kenbshinn
Enthusiast

So normally I would ask if you are using the correct username and password. But you said it worked with the C# Client so we can assume that you are good there.

Are you still able to log into the C# Client? If so, can you undo your change and see if that resolves your issue?

setyo19
Contributor

Hi kenbshinn,

Can you tell me how to undo the change from the vSphere Client?

Because the token policy parameter can only be edited in the vSphere Web Client.

Thanks.

kenbshinn
Enthusiast

Is this a Windows vCenter Server or a VCSA appliance? It does not look like you can change it with the C# Client, but you can do it using the command line.

setyo19
Contributor

Hi kenbshinn,

I use the VCSA appliance with an external PSC.

Can you guide me or give me a tutorial for changing this from the CLI?

Thanks.

kenbshinn
Enthusiast

So it looks like your issue is with the SSO function of the PSC. I found this article on virtuallyGhetto that explains how to do it via the command line:

https://www.virtuallyghetto.com/2015/06/vcenter-server-6-0-tidbits-part-10-automating-sso-admin-conf...

According to the article, you will need to connect to your PSC using SSH. You can use the following command to view your current setting:

/opt/likewise/bin/ldapsearch -h 192.168.1.70 -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local" -s sub "objectclass=vmwSTSTenant"

Here is a list of the attributes that you would need; I think the Clock tolerance UI setting is the one you are going to need.

UI Setting                            LDAP Attribute Name
Clock tolerance                       vmwSTSClockTolerance
Maximum token renewal count           vmwSTSRenewCount
Maximum token delegation count        vmwSTSDelegationCount
Maximum bearer token lifetime         vmwSTSMaxBearerTokenLifetime
Maximum holder-of-key token lifetime  vmwSTSMaxHolderOfKeyTokenLifetime

Here is an excerpt from his blog on how to replace/update the value that you changed, which should allow you to get it working.

Now that we know how to query for a particular SSO configuration, here is how you can modify one of these properties. In the example below, we will be changing the lifetime of a password, which dictates the frequency with which you need to change an SSO user's password. Using the "Password Policies" table above, we can see that the property name is called vmwPasswordLifetimeDays.

To modify an LDAP entry, we will first need to create a file that contains the change. In the example here we are going to name it change.ldif, and it should contain the following, where the "replace" keyword shows which property is getting modified and the next line shows the value that it will be changed to.

dn: cn=password and lockout policy,dc=vghetto,dc=local
changetype: modify
replace: vmwPasswordLifetimeDays
vmwPasswordLifetimeDays: 30

To apply the change, we will now run the following ldapmodify command, specifying our change.ldif configuration file:

/opt/likewise/bin/ldapmodify -f change.ldif -h 192.168.1.70 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'

If the change was successful, you can confirm by either querying the property again using the ldapquery command or just refreshing the SSO Configurations using the vSphere Web Client.

Let me know if this helps, I am hoping it does.

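The three steps in kenbshinn's answer (query the tenant entry, write an LDIF, apply it with ldapmodify) as one small shell helper. This is an added example, not code from the thread or from the virtuallyGhetto article. It assumes the Likewise ldapsearch/ldapmodify paths, the administrator DN and the search base from the commands above (vghetto.local is the article's lab domain; substitute your own), it reads the tenant DN and the current vmwSTSClockTolerance out of the ldapsearch output instead of hard-coding them, and it carries a constructed sample of that output (the default of 600000 ms is an assumption, not something the thread states) so the parsing can be exercised without a PSC.

```shell
#!/bin/sh
# Added helper (not from the thread or the virtuallyGhetto article): reads the
# vmwSTSTenant entry from the PSC with ldapsearch, then writes and applies an
# LDIF that replaces vmwSTSClockTolerance. Assumed: Likewise ldap tools at the
# paths below; the tenant DN is taken from the search output, not hard-coded.
LDAPSEARCH=${LDAPSEARCH:-/opt/likewise/bin/ldapsearch}
LDAPMODIFY=${LDAPMODIFY:-/opt/likewise/bin/ldapmodify}

# Print the first value of attribute $1 from LDIF on stdin, unfolding
# continuation lines (a leading space joins a line to the previous one).
ldif_attr() {
    awk -v a="$1" '
        function emit(l,  i) {
            i = index(l, ": ")
            if (i && substr(l, 1, i - 1) == a && !done) { print substr(l, i + 2); done = 1 }
        }
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }'
}

# Accept only an integer number of milliseconds between 1 s and 1 h. The upper
# bound is a guard chosen for this script, not a VMware limit: the larger the
# tolerance, the longer a token with a stale timestamp stays acceptable.
valid_tolerance() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1000 ] && [ "$1" -le 3600000 ]
}

# Emit a modify LDIF in the same shape as the change.ldif in the thread.
build_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' "$1" "$2" "$2" "$3"
}

# Take the SSO administrator password from SSO_ADMIN_PW or prompt for it, so
# it does not have to be typed on the command line (and into shell history).
read_password() {
    if [ -n "${SSO_ADMIN_PW:-}" ]; then
        printf '%s' "$SSO_ADMIN_PW"
        return
    fi
    printf 'SSO administrator password: ' >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2
    printf '%s' "$pw"
}

# set_clock_tolerance HOST ADMIN_DN SEARCH_BASE NEW_MS, for example:
#   set_clock_tolerance 192.168.1.70 'cn=Administrator,cn=Users,dc=vghetto,dc=local' \
#       'cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local' 600000
set_clock_tolerance() {
    host=$1; admin_dn=$2; base=$3; new_ms=$4
    valid_tolerance "$new_ms" || { echo "refusing tolerance '$new_ms' (want 1000..3600000 ms)" >&2; return 1; }
    pw=$(read_password)
    out=$("$LDAPSEARCH" -h "$host" -w "$pw" -x -D "$admin_dn" -b "$base" -s sub "objectclass=vmwSTSTenant") || return 1
    dn=$(printf '%s\n' "$out" | ldif_attr dn)
    cur=$(printf '%s\n' "$out" | ldif_attr vmwSTSClockTolerance)
    [ -n "$dn" ] || { echo "no vmwSTSTenant entry under $base" >&2; return 1; }
    echo "$dn: vmwSTSClockTolerance $cur -> $new_ms" >&2
    build_ldif "$dn" vmwSTSClockTolerance "$new_ms" > change.ldif
    "$LDAPMODIFY" -f change.ldif -h "$host" -D "$admin_dn" -w "$pw"
}

# Constructed sample of what the ldapsearch above returns (LDIF, with the dn
# folded across two lines); values are assumed defaults, used to test offline.
sample_search_output() {
    cat <<'EOF'
dn: cn=vghetto.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=lo
 cal
objectClass: vmwSTSTenant
cn: vghetto.local
vmwSTSClockTolerance: 600000
vmwSTSRenewCount: 10
vmwSTSDelegationCount: 10
vmwSTSMaxBearerTokenLifetime: 300
vmwSTSMaxHolderOfKeyTokenLifetime: 2592000
EOF
}

# Only talk to a PSC when explicitly asked: RUN_SSO_UPDATE=1 ./sso-clock.sh HOST DN BASE MS
if [ "${RUN_SSO_UPDATE:-0}" = 1 ]; then
    set_clock_tolerance "$@"
fi
```

Clock tolerance is the skew, in milliseconds in the Web Client, that the STS accepts between the token's timestamps and its own clock. Set too low it rejects tokens issued by a host whose clock differs slightly (the symptom in this thread); set very high it keeps accepting tokens with stale timestamps, so the lasting fix is to keep the PSC, vCenter and clients on the same NTP source and put the tolerance back to a modest value rather than widening it. The script takes the password from the environment or a prompt rather than from the command line, but it still hands it to the Likewise tools with -w exactly as the thread does, so it is visible to ps on the PSC for the duration of each call.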
setyo19
Contributor

Hi kenbshinn,

My issue is solved.

Many thanks for your help, kenbshinn, you saved my life.
