VMware Cloud Community
unsichtbare
Expert

VCSA 6 Joining AD breaks the VCSA

Hi all,

I have followed the directions for joining VCSA 6 to AD to a "T", and noticed a couple of strange things:

  • When I click OK following the "Join Active Directory" step, there is no indication of a task being completed. It just dumps me back at the same screen where I started, with no domain or OU listed
  • When I reboot the VCSA, after about 20 minutes I am able to attempt to log on, but get this message:

A server error occurred.

[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Status: urn:oasis:names:tc:SAML:2.0:status:Responder, sub status: null.

Check the vSphere Web Client server logs for details.

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/
unsichtbare
Expert

One other thing: the /etc/krb5.conf file contains valid information for the domain I am trying to join, and the time on the VCSA is accurate.

unsichtbare
Expert

I downloaded the log file bundle and found this:

2015-03-23T15:43:58.065145+00:00 vcsa-101 netlogond[4863]: 0x7f636a761700: Failed ldap search on 172.20.0.10 error=40290

That is the correct DC, it is pingable from the VCSA, and there is no firewall/Windows Firewall issue.

unsichtbare
Expert

Rebooted the VCSA twice and now I can log in!

I did one thing, but made no changes other than a last reboot. Here's what I did:

I ran the following commands:

hostname

hostname -s

cat /etc/hosts

/opt/vmware/share/vami/vami_config_net

hostname and hostname -s both echoed the short name of my VCSA.

cat /etc/hosts showed a correctly formatted hosts file with: IP     FQDN     shortname

/opt/vmware/share/vami/vami_config_net Option 3 showed a correct hostname.

I don't know that there is an answer, but the issue is resolved.

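An added example, not from this thread or from VMware: a small POSIX shell script that bundles the manual checks described in the post above (short hostname matching the FQDN, the "IP FQDN shortname" line in /etc/hosts, and the realm in /etc/krb5.conf mentioned earlier) as reusable functions. The sample file contents, IP address and host/domain names are constructed for the example; on a real appliance you would point the functions at /etc/hosts and /etc/krb5.conf.

```shell
#!/bin/sh
# Pre-join sanity checks for a VCSA, mirroring what the post verified by hand.
# All sample paths and contents below are constructed for the example.

# hosts_line_ok FILE IP FQDN SHORT -> 0 if FILE has a line "IP FQDN SHORT"
# (any whitespace, comment lines ignored), 1 otherwise.
hosts_line_ok() {
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        /^[[:space:]]*#/ { next }
        $1 == ip && $2 == fqdn && $3 == short { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# krb5_realm_ok FILE DOMAIN -> 0 if default_realm in FILE equals DOMAIN
# upper-cased (Kerberos realms are conventionally the DNS domain in capitals).
krb5_realm_ok() {
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    got=$(awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
              gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
    [ "$got" = "$want" ]
}

# short_matches_fqdn FQDN SHORT -> 0 if SHORT is the first label of FQDN,
# i.e. what "hostname" and "hostname -s" should agree on.
short_matches_fqdn() {
    [ "${1%%.*}" = "$2" ]
}

# Constructed sample files standing in for /etc/hosts and /etc/krb5.conf.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample hosts file
127.0.0.1   localhost
192.0.2.50  vcsa-101.example.test  vcsa-101
EOF
SAMPLE_KRB5=$(mktemp)
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.TEST
EOF

# Run the checks against the samples and report each result.
for check in "hosts_line_ok $SAMPLE_HOSTS 192.0.2.50 vcsa-101.example.test vcsa-101" \
             "krb5_realm_ok $SAMPLE_KRB5 example.test" \
             "short_matches_fqdn vcsa-101.example.test vcsa-101"; do
    if $check; then echo "OK   $check"; else echo "FAIL $check"; fi
done
```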
DingoTaz
Enthusiast

Hi, I'm getting exactly the same issue. What are the directions you followed? I haven't found any.

The steps I've done:

* join the machine to AD (successful - appears in proper OU in AD)

* Admin/SSO/Config Added identity source (use machine account)

* Admin/SSO/Users+Groups/Groups/ click + to add user to specified group, select my AD domain name from list "cannot load the users for the selected domain"

Tried logging in with Windows authentication and got your error. Not that I expected it to work without adding anyone to a group.

Did you do anything else? Were you able to load users?

DingoTaz
Enthusiast

Fixed my problem. For others out there using Windows PKI, VMware does not support DHE-RSA, which is the default since 2008 R2 in Windows PKI. Change your capolicy.inf to alternatesignatures=0 (to force the v1 or 1.5, I forget, PKCS #1 format). Then reissue all your CA certs, go to each domain controller and renew each certificate. URGH!! VMWARE!!! It's 2015!!! Why do you still only support RSA and not DHE-RSA?

Alexnc
Contributor

In my case it was an issue related to the date/time.

The SSO service was not starting and caused 400 / 503 errors on the web interfaces (vCenter: "503 Service Unavailable (Failed to connect to endpoint)..." and "[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server").

I had to correct the time zone in the admin interface (HTTPS on port 5480) and reboot.
