Hello,
I am setting up a Lab and I am at the step of connecting AD to vRA, but I got stuck on the following error "Failed to complete dryrun."
Looking at the connector.log file, it seems the connector is able to connect to the AD and retrieves some accounts but when it tries to store it in vRA, a java stack error is thrown with error message :
2018-07-28 12:35:28,532 ERROR (tomcat-http--26) [3002@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.dirsync.SyncController - Sync aborted.
com.vmware.horizon.client.rest.Exception.ApiException: User is not authorized.
Any idea which authorization I need to add for this to work ?
On AD side I am using the default high privileged administrator account to do the sync, and on vRA side I am using the default configurationadmin account.
Thanks for your help.
Full connector.log section about the sync operation is joined.
Regards,
Ok, these are fun. Can you please show screenshots detailing your directory config?
Here it is :
Let me know if you need any further details, thanks for your help
What role in vRA does your "configurationadmin" have? The role "Tenant administrator" is required for AD/LDAP integration. See: Tenant Roles and Responsibilities in vRealize Automation
It has already that role :s
I think the LDAP bind is successful because vRA sees 20 of 20 groups. So, I don't think it's a connection or binding problem.
Please try the following:
- Remove the first entry in the user DNs synchronization (DC=vmmark,DC=local)
- Enable the checkbox "Ignore safeguards" for the synchronization
I removed the first entry in the users DN as suggested but I got the same result.
Regarding the second point, I don't find the "ignore safeguards" checkbox, can you guide me to find it, please ?
Oh, I just saw that this option is only displayed if the limits are exceeded. And that's a little weird. It should warn if you add more than 5% of users (see your Safeguard settings). And since you haven't added any users yet, it should display a warning for the initial sync in any case.
What happens if you deactivate the checkbox "Select all" in the Group DN settings and select your user groups manually (with the button "Select")?
I just tried by adding only one group (containing users).
I tried also removing all safeguards.
None of the above made any difference :smileycry:
Unfortunately, I have no further ideas. I'm sorry. The only thing I can imagine is that the bind user in Active Directory doesn't have permission to search the entire AD.
The AD user is a domain admin, so there should be no issue to serach the entire directory, nevertheless, I tried also with an other user but still got the same error.
Thank you Sebastian for the time you have taken to provide all these ideas, much appreciated
Ok, so looks like you've got a 3-node front-end environment. Are these now behind an LB? Could you please show your IDP configuration? Also, I noticed you removed the built-in provider as well. Was that intentional?
The 3 nodes are behind a loadbalancer with only one VIP/pool for port 443.
Here is the config of the iDP :
Regarding the built-in provider, unless I missed something, it seems it is still there to me :smileyconfused:
A couple of things:
Make these changes and try again.
Check the box in your directory configuration that this DNS supports service location. It usually does and this can be the difference.
My AD does not support service location, it is a basic DC setup for the lab. I did the test with the box checked (which removes the possibility to type the host name of the DC) and could not connect to AD.
2. Your IdP hostname is incorrect. If you have a load-balanced front-end, the IdP hostname becomes the name of the VIP or else redirections for authentication will fail.
Agreed, but I am not yet at the authentication phase. Sync is done by the specified node which is in my case dvvmmvra01. (did the suggested correction though, thanks )
3. Re-add the built-in provider to your WorkspaceIDP_1 in the directory configuration.
I am not sure how to do that : add a provider to a provider ?
Another issue I am running into and it may have a common root cause, is that I am unable to create new tenants, could both be related ?
It times out after around 150 seconds.
7.3.1, which is what you appear to be running, has a whole host of issues and, in fact, GSS doesn't even recommend customers install this and instead skip over to 7.4. That's what I'd recommend for you right now, honestly. But as far as the tenant goes, try using a lower-case letter in the URL. Regardless, 7.3.1 is really not a good release and it may be worth just scrapping and moving forward to 7.4. At least then you get custom forms and several other nice-to-haves.