VMware Cloud Community
EcoBassam
Enthusiast

AD initial sync fails with error "Failed to complete dryrun."

Hello,

I am setting up a Lab and I am at the step of connecting AD to vRA, but I got stuck on the following error "Failed to complete dryrun."

pastedImage_1.png

Looking at the connector.log file, it seems the connector is able to connect to AD and retrieves some accounts, but when it tries to store them in vRA a Java stack trace is thrown with the error message:

2018-07-28 12:35:28,532 ERROR (tomcat-http--26) [3002@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.dirsync.SyncController - Sync aborted.

com.vmware.horizon.client.rest.Exception.ApiException: User is not authorized.

Any idea which authorization I need to add for this to work?

On AD side I am using the default high privileged administrator account to do the sync, and on vRA side I am using the default configurationadmin account.

Thanks for your help.

The full connector.log section about the sync operation is attached.

Regards,

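The "Sync aborted." line and the ApiException that follows it are the only hard evidence in the log excerpt above. As an added example (not VMware code, and not part of the original post), here is a small parser that walks connector.log lines in the format visible in the excerpt, pairs each aborted sync with the exception line that follows it, extracts the principal that ran the sync, and classifies the failure so an authorization problem on the vRA side can be told apart from an LDAP connectivity problem. The log line format, the SAMPLE_LOG contents (apart from the two lines quoted from the thread) and the classification keywords are assumptions.

```python
"""Parse vRA/vIDM connector.log lines and flag aborted directory syncs.

Added example, not VMware code. Assumed line format (as seen in the thread):
  <timestamp> <LEVEL> (<thread>) [<tenant>;<user>;<ip>] <logger> - <message>
optionally followed by a bare "<exception class>: <detail>" line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) "
    r"\((?P<thread>[^)]*)\) "
    r"\[(?P<ctx>[^\]]*)\] "
    r"(?P<logger>\S+) - (?P<msg>.*)$"
)
# Stack-trace header line: fully qualified class ending in Exception/Error
EXC_RE = re.compile(r"^(?P<cls>[\w.$]+(?:Exception|Error)): (?P<detail>.*)$")

# Keywords that point at a vRA-side role/permission problem (assumed list)
AUTHZ_HINTS = ("not authorized", "access denied", "forbidden")

# Constructed sample: the ERROR and ApiException lines are the ones quoted
# in the thread; the INFO line and the second failure are made up.
SAMPLE_LOG = """\
2018-07-28 12:35:10,101 INFO (tomcat-http--26) [3002@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.dirsync.SyncController - Starting dry run
2018-07-28 12:35:28,532 ERROR (tomcat-http--26) [3002@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.dirsync.SyncController - Sync aborted.
com.vmware.horizon.client.rest.Exception.ApiException: User is not authorized.
2018-07-28 12:40:01,000 ERROR (tomcat-http--27) [3002@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.dirsync.SyncController - Sync aborted.
javax.naming.CommunicationException: dc01.vmmark.local:389
"""


@dataclass
class SyncFailure:
    timestamp: str
    principal: str            # user that triggered the sync, e.g. configurationadmin@VSPHERE.LOCAL
    message: str
    exception: Optional[str] = None
    detail: Optional[str] = None


def parse_failures(lines) -> List[SyncFailure]:
    """Return one SyncFailure per 'Sync aborted' ERROR, with its exception attached."""
    failures: List[SyncFailure] = []
    pending: Optional[SyncFailure] = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            pending = None  # a new structured line ends any open stack trace
            if (m["level"] == "ERROR" and "SyncController" in m["logger"]
                    and "Sync aborted" in m["msg"]):
                ctx = m["ctx"].split(";")
                principal = ctx[1] if len(ctx) > 1 else ctx[0]
                pending = SyncFailure(m["ts"], principal, m["msg"])
                failures.append(pending)
            continue
        e = EXC_RE.match(line)
        if e and pending is not None and pending.exception is None:
            pending.exception = e["cls"]
            pending.detail = e["detail"]
    return failures


def classify(failure: SyncFailure) -> str:
    """'authorization' (vRA role/permission), 'unknown' (no exception) or 'other'."""
    detail = (failure.detail or "").lower()
    if any(hint in detail for hint in AUTHZ_HINTS):
        return "authorization"
    if failure.exception is None:
        return "unknown"
    return "other"


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.principal}: {classify(f)} ({f.exception}: {f.detail})")
```

Run it against a real connector.log with `parse_failures(open("connector.log"))`; a failure classified as "authorization" means the sync principal reached vRA but was rejected by it, so the role assignment of that principal is the thing to check next, not the LDAP bind.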
15 Replies
daphnissov
Immortal

Ok, these are fun. Can you please show screenshots detailing your directory config?

EcoBassam
Enthusiast

Here it is:

[screenshots of the directory configuration: pastedImage_0.png through pastedImage_12.png]

Let me know if you need any further details, thanks for your help ;-)

sk84
Expert

What role in vRA does your "configurationadmin" have? The role "Tenant administrator" is required for AD/LDAP integration. See: Tenant Roles and Responsibilities in vRealize Automation

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
EcoBassam
Enthusiast

It already has that role :s

pastedImage_0.png

sk84
Expert

I think the LDAP bind is successful because vRA sees 20 of 20 groups. So, I don't think it's a connection or binding problem.

Please try the following:

- Remove the first entry in the user DNs synchronization (DC=vmmark,DC=local)

- Enable the checkbox "Ignore safeguards" for the synchronization

EcoBassam
Enthusiast

I removed the first entry in the users DN as suggested but I got the same result.

Regarding the second point, I can't find the "ignore safeguards" checkbox. Can you guide me to it, please?

sk84
Expert

Oh, I just saw that this option is only displayed if the limits are exceeded. And that's a little weird. It should warn if you add more than 5% of users (see your Safeguard settings). And since you haven't added any users yet, it should display a warning for the initial sync in any case.

What happens if you deactivate the checkbox "Select all" in the Group DN settings and select your user groups manually (with the button "Select")?

EcoBassam
Enthusiast

I just tried by adding only one group (containing users).

I tried also removing all safeguards.

None of the above made any difference :'(

sk84
Expert

Unfortunately, I have no further ideas. I'm sorry. The only thing I can imagine is that the bind user in Active Directory doesn't have permission to search the entire AD.

EcoBassam
Enthusiast

The AD user is a domain admin, so there should be no issue searching the entire directory. Nevertheless, I also tried with another user but still got the same error.

Thank you Sebastian for the time you have taken to provide all these ideas, much appreciated :-)

daphnissov
Immortal

Ok, so it looks like you've got a 3-node front-end environment. Are these now behind an LB? Could you please show your IdP configuration? Also, I noticed you removed the built-in provider as well. Was that intentional?

EcoBassam
Enthusiast

The 3 nodes are behind a load balancer with only one VIP/pool for port 443.

Here is the config of the IdP:

[screenshots of the IdP configuration: pastedImage_0.png, pastedImage_1.png]

Regarding the built-in provider, unless I missed something, it seems to me that it is still there :-/

daphnissov
Immortal

A couple of things:

  1. Check the box in your directory configuration that this DNS supports service location. It usually does and this can be the difference.
  2. Your IdP hostname is incorrect. If you have a load-balanced front-end, the IdP hostname becomes the name of the VIP or else redirections for authentication will fail.
  3. Re-add the built-in provider to your WorkspaceIDP_1 in the directory configuration.

Make these changes and try again.

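Two of the three points above are things that can be verified outside the vRA UI before the next sync attempt: whether the AD domain's DNS actually publishes the service-location (SRV) records that the "DNS supports service location" option depends on, and whether the IdP hostname is the load-balancer VIP rather than one of the nodes. The following is an added example (not VMware code and not from any poster) that builds the DC-locator SRV names for a domain, parses `dig +short SRV` output into prioritised records, and checks the IdP hostname against the VIP and node names. The domain vmmark.local and the node name dvvmmvra01 come from the thread; the VIP name vra.vmmark.local, the DC names in the sample output, and the site name handling are assumptions.

```python
"""Pre-checks for the "DNS supports service location" and IdP-hostname settings.

Added example, not VMware code. `lookup_srv` shells out to `dig` if it is
installed; `parse_srv` is exercised offline on constructed output below.
"""
import shutil
import subprocess
from typing import Dict, List, NamedTuple, Optional, Tuple


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names a DC-locator client queries for an AD domain (_msdcs subtree)."""
    names = [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
    ]
    if site:  # site-specific record, assumed site name supplied by the caller
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    return names


def parse_srv(short_output: str) -> List[Srv]:
    """Parse `dig +short SRV` lines of the form '<prio> <weight> <port> <target.>'.

    Records are ordered as a client would try them (RFC 2782): lowest priority
    first, then highest weight first within a priority.
    """
    records: List[Srv] = []
    for line in short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip CNAME chains, comments or blank lines
        try:
            prio, weight, port = (int(p) for p in parts[:3])
        except ValueError:
            continue
        records.append(Srv(prio, weight, port, parts[3].rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def lookup_srv(name: str) -> List[Srv]:
    """Resolve one SRV name with dig (needs network and the dig binary)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found on PATH")
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, timeout=10, check=False)
    return parse_srv(out.stdout)


def supports_service_location(records_by_name: Dict[str, List[Srv]]) -> bool:
    """True only when every queried locator name returned at least one record."""
    return bool(records_by_name) and all(records_by_name.values())


def idp_hostname_ok(idp_hostname: str, vip_fqdn: str,
                    node_fqdns: List[str]) -> Tuple[bool, str]:
    """Behind a load balancer the IdP hostname must be the VIP, not a node."""
    norm = lambda h: h.strip().rstrip(".").lower()
    host = norm(idp_hostname)
    if host == norm(vip_fqdn):
        return True, "IdP hostname matches the VIP"
    if host in {norm(n) for n in node_fqdns}:
        return False, f"IdP hostname '{idp_hostname}' is a single node; use the VIP {vip_fqdn}"
    return False, f"IdP hostname '{idp_hostname}' matches neither the VIP nor a node"


# Constructed sample `dig +short SRV` output (DC names are made up).
SAMPLE_DIG_OUTPUT = "0 100 389 dc01.vmmark.local.\n10 100 389 dc02.vmmark.local.\n"


if __name__ == "__main__":
    try:
        found = {n: lookup_srv(n) for n in dc_locator_names("vmmark.local")}
    except RuntimeError as exc:
        print(exc)
        found = {"_ldap._tcp.dc._msdcs.vmmark.local": parse_srv(SAMPLE_DIG_OUTPUT)}
    print("service location supported:", supports_service_location(found))
    print(idp_hostname_ok("dvvmmvra01.vmmark.local", "vra.vmmark.local",
                          ["dvvmmvra01.vmmark.local"])[1])
```

If `supports_service_location` is false for a lab domain controller, the checkbox should stay off and the DC hostname typed in by hand, which matches what the poster observed; an IdP hostname flagged as a single node is the misconfiguration described in point 2.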
EcoBassam
Enthusiast

1. Check the box in your directory configuration that this DNS supports service location. It usually does and this can be the difference.

My AD does not support service location, it is a basic DC setup for the lab. I did the test with the box checked (which removes the possibility to type the host name of the DC) and could not connect to AD.

2. Your IdP hostname is incorrect. If you have a load-balanced front-end, the IdP hostname becomes the name of the VIP or else redirections for authentication will fail.

Agreed, but I am not yet at the authentication phase. Sync is done by the specified node, which in my case is dvvmmvra01. (I did the suggested correction though, thanks :-) )

3. Re-add the built-in provider to your WorkspaceIDP_1 in the directory configuration.

I am not sure how to do that: add a provider to a provider?

Another issue I am running into, which may have a common root cause, is that I am unable to create new tenants. Could both be related?

pastedImage_14.png

It times out after around 150 seconds.

pastedImage_15.png

daphnissov
Immortal

7.3.1, which is what you appear to be running, has a whole host of issues and, in fact, GSS doesn't even recommend customers install this and instead skip over to 7.4. That's what I'd recommend for you right now, honestly. But as far as the tenant goes, try using a lower-case letter in the URL. Regardless, 7.3.1 is really not a good release and it may be worth just scrapping and moving forward to 7.4. At least then you get custom forms and several other nice-to-haves.
