Expert

VCAC 61: Login Fail with error "Login failed. Please contact your System Administrator and report error code mv2km0hv."

Hello,

I had installed vCAC 6.1 fresh with IAAS & MSSQL on single server and two VMs with Identity Appliance.

I am getting the error "Login failed. Please contact your System Administrator and report error code mv2km0hv." while I am trying to log on to the vCAC portal using AD credentials; however, login to the Default Tenant using administrator@vsphere.local works fine.

I am observing different strange behaviors before getting this error.

1- Browser crashes several times and I had to wait for it to recover on its own.

2- Takes a hell of a lot of time before even starting the logon process.

I checked the Vmware-identity-sts.log file, which does not give me any error that tells me what's going on. The last log entry is "Authentication Succeeded for user [username@domain.local] in tenant [demo] in [127] milliseconds."

I am not sure where these error codes are documented for administrators to check and perform remediation actions.

I need your help in fixing this issue.

Thanks in advance,

Br,

MG

Regards, MG
0 Kudos
25 Replies
Expert

Getting the below errors in the Catalina.out logs:

2014-09-12 13:52:06,277 vcac: [component="cafe:shell" priority="ERROR" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.vcac.authentication.sts.SamlTokenService.acquireActAsToken:99 - Cannot exchange bearer for ActAs tokens. See SSO logs for more details

com.vmware.vim.sso.client.exception.InvalidTimingException: Token expiration date: Fri Sep 12 13:51:22 EDT 2014 is in the past.

This is logged right after the user hits the login button on the vCAC portal.

Any thoughts?

Br,

MG

0 Kudos
VMware Employee

Hi MG,

Can you check that all the services are running on the vCAC appliance? Even I am facing this problem. In my case, the shell-ui-app service has failed.

Thanks,

kalyan

0 Kudos
Leadership

I am having the same shell-ui-app issue and it appears to also affect the messaging or rabbitmq. I just got a message from support that this seems to be a known issue and I am looking to see who found a workaround. My lab environment upgraded without issue but my distributed environment did not. Started to rebuild and cannot get past this issue to move forward.

Steve Beaver, VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017. Co-Author of "VMware ESX Essentials in the Virtual Data Center" (ISBN:1420070274) from Auerbach. Come check out my blog: http://www.virtualizationpractice.com/blog/ Come follow me on twitter: http://www.twitter.com/sbeaver The Cloud is a journey, not a project.
0 Kudos
Expert

This is surprising, as I do not see any service failures. I rebuilt my environment twice but encountered the same issue. Login using administrator@vsphere.local is quick, but using identity store authentication, the web page times out, the token eventually expires, and I cannot log in.

Please also let us know here if you get any workaround from Support regarding this.

Br,

MG

0 Kudos
Contributor

Having the same issue with a clean install of 6.1, any assistance or guidance would be appreciated.

0 Kudos
VMware Employee

Hi All,

In my case, the problem was with SSL certificates. My problem is fixed after applying correct SSL certificates.

Thanks,

Kalyan

0 Kudos
Leadership

What exactly was wrong with your certificates?  I have tried with the certs I was using with the 6.0 version, and I also tried recreating the PEM files:

RSA Private Key

openssl pkcs12 -in path_to_.pfx_certificate_file -nocerts -out key.pem

RSA Private Key

PEM File

openssl pkcs12 -in path_to_.pfx_certificate_file -clcerts -nokeys -out cert.pem

Certificate Chain

In both cases I am still unable to log on to the default tenant.

0 Kudos
VMware Employee

Hi Sbeaver,

Follow the link below to generate new certs and try.

http://www.virtualizationteam.com/cloud/generating-certificates-for-the-identity-appliancevcac-appli...

Thanks,

Kalyan

0 Kudos
Leadership

I just about have no more hair that I can pull out.  I redid all the certificates following the link above and now I am back to where the shell-ui-app failed and I am still unable to log in to the default tenant.  catalina.out has this:  .CertificateException: Untrusted certificate chain.; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.

I just don't get it.

0 Kudos
Leadership

OK, I finally got somewhere with this, so let me share what I found.  In today's attempt I followed the steps in this link - http://www.virtualizationteam.com/cloud/generating-certificates-for-the-identity-appliancevcac-appli...  to create the certificate PEM files.  I did this for both the identity and cafe appliances.  Once it was changed on both, the cafe appliance finished its startup and I found the shell-ui-app failed.  For the next step I started with the cafe appliance certificate and tried this method:

RSA Private Key

openssl pkcs12 -in path_to_.pfx_certificate_file -nocerts -out key.pem

RSA Private Key

PEM File

openssl pkcs12 -in path_to_.pfx_certificate_file -clcerts -nokeys -out cert.pem

Certificate Chain

(Optional) Pass Phrase

n/a

Pass Phrase

When I used the output from this step for the cafe, all the services started and I was able to log in to the default tenant as expected.

So to recap, for the identity appliance, I followed the steps in the link above and for the cafe appliance I used the RSA Private Key and PEM file commands which got me to where I need to be. 

0 Kudos
Enthusiast

I'm seeing the original issue described above as well, causing extremely long login times. Started after the upgrade. Using self-signed certs. Anyone else have a case and make any progress?

0 Kudos
Expert

What I could observe is that this behavior, prolonged login time and eventual failure, is caused by the certificates being untrusted, although these certs are self-signed.

I do not have a certificate authority to request a cert from, so I stuck with the appliance-generated certs, which are not trusted by each other.

Looking at the cafe appliance Catalina.out logs, I found that the Identity appliance is not trusting the cert generated by the cafe appliance and gives this error:

2014-09-16 13:20:11,242 vcac: [component="cafe:shell" priority="WARN" thread="tomcat-http--80" tenant="vsphere.local"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:41 - Untrusted certificate chain:

2014-09-16 13:20:11,243 vcac: [component="cafe:shell" priority="WARN" thread="tomcat-http--80" tenant="vsphere.local"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:43 - Untrusted certificate with serial number: [17059406846584595952] and thumbprint: [23:ED:35:EF:8E:3F:79:1B:0F:AE:50:06:C4:BA:5F:46:ED:5A:61:A5]

Br,

MG

0 Kudos
Contributor

I was seeing the same thing but I was able to proceed by doing a refresh in the browser. I would still receive the error from time to time as I browsed through the interface. I found that the vCAC core appliances were running on the same host in my lab and the time was off by 2 minutes from the SSO appliance that ran on another host with accurate time.  I synced the time on the vCAC core appliances (sntp -R no -p time.vmware.local) and the issue went away.  Since this was just in my lab and it wasn't an urgent issue, I didn't dig through the logs so I don't know if my logs match yours.

0 Kudos
Expert

This worked for me now. It seems to me to be an issue with the Identity Appliance, because I integrated the vCAC appliance with vSphere SSO 5.5u1c coupled with vCenter Server. This let me log in to vCAC with my Active Directory credentials, and I am no longer seeing the certificate mismatch error.

The only error logged in the catalina.out log file occurs while I am performing a look-up of usernames to be granted different privileges in vCAC via SSO:

vcac: [component="cafe:identity" priority="INFO" thread="tomcat-http--36" tenant="vsphere.local"] com.vmware.vcac.authentication.service.sso.impl.PrincipalManagementImpl.findPersonUsers:79 - Can't call findPersonUsersByName, reason class[class com.vmware.vim.sso.admin.exception.InternalError], fall back to findPersonUsers

com.vmware.vim.sso.admin.exception.InternalError: General failure.

Caused by: com.vmware.vim.binding.vmodl.fault.InvalidRequest:

inherited from com.vmware.vim.binding.vmodl.fault.InvalidRequest: Invalid managed method 'FindPersonUsersByName' requested for Managed Object Type 'SsoAdminPrincipalDiscoveryService' version 'sso/version2'

I checked the release notes for any difference between SSO for vCAC and SSO for vCenter, but could not notice a significant difference which could tell me the difference in the versions of SSO being used.

I am, however, able to fetch the user profile despite these errors.

Br,

MG

0 Kudos
Contributor

Just want to report that the issue for my environment was having the appliances and the IaaS server out of sync. Setting the servers to sync to an NTP time server has resolved the issue for me.

0 Kudos
Contributor

I had this error when upgrading from 6.0 to 6.1.  After bouncing around on this issue I found that during my upgrade I followed the steps to disable vco-server in the VMware documentation.  After a "chkconfig vco-server on" and a reboot, I no longer get the login failed error.

vCloud Automation Center Documentation Center

0 Kudos
Enthusiast

I have run into this in my lab and it's due to the time offset between the various components.  Make sure all ESXi hosts and appliances are using a valid NTP host; if using Windows as your NTP source see http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=103583...

The Windows bits at the top are rather important, though if you don't want to mess with your DCs (likely what is running NTP), set up a dedicated Linux server to do so.  Also you can SSH to your appliances and run date to ensure the time is correct and in sync with your SSO server - Windows VC or VCSA for example and your NTP server.  Even a small offset of under a minute, it seems, can break the ability to log in.

You can attempt to force the vCAC appliance to sync its time using sntp -P no -r 192.168.1.10

0 Kudos
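Several replies above trace the login failure either to a time offset between appliances or to an untrusted certificate, and both leave distinct lines in catalina.out. The triage script below is an added example, not code from any poster or from VMware; the sample lines are the ones quoted in this thread, the name `triage` is hypothetical, and it assumes the log timestamp and the token expiry date are written in the same local time zone.

```python
import re
from datetime import datetime

# Sample input: the catalina.out lines quoted earlier in this thread.
SAMPLE_LOG = '''\
2014-09-12 13:52:06,277 vcac: [component="cafe:shell" priority="ERROR" thread="tomcat-http--51" tenant="vsphere.local"] com.vmware.vcac.authentication.sts.SamlTokenService.acquireActAsToken:99 - Cannot exchange bearer for ActAs tokens. See SSO logs for more details
com.vmware.vim.sso.client.exception.InvalidTimingException: Token expiration date: Fri Sep 12 13:51:22 EDT 2014 is in the past.
2014-09-16 13:20:11,243 vcac: [component="cafe:shell" priority="WARN" thread="tomcat-http--80" tenant="vsphere.local"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:43 - Untrusted certificate with serial number: [17059406846584595952] and thumbprint: [23:ED:35:EF:8E:3F:79:1B:0F:AE:50:06:C4:BA:5F:46:ED:5A:61:A5]
'''

# Start of a timestamped vcac log entry (milliseconds are ignored).
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} vcac:")
# Exception line that follows the entry; it carries no timestamp of its own.
EXPIRY_RE = re.compile(
    r"InvalidTimingException: Token expiration date: "
    r"\w{3} (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ (\d{4}) is in the past"
)
CERT_RE = re.compile(
    r"Untrusted certificate with serial number: \[(\d+)\] "
    r"and thumbprint: \[([0-9A-Fa-f:]+)\]"
)


def triage(log_text):
    """Return expired-token events and untrusted certificates found in the log."""
    last_ts = None          # timestamp of the most recent vcac entry
    expired = []
    untrusted = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            last_ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")

        m = EXPIRY_RE.search(line)
        if m and last_ts is not None:
            mon, day, hms, year = m.groups()
            # Assumption: same time zone as the entry timestamp, so the
            # zone abbreviation in the exception text is not interpreted.
            expiry = datetime.strptime(f"{mon} {day} {hms} {year}",
                                       "%b %d %H:%M:%S %Y")
            expired.append({
                "logged_at": last_ts,
                "token_expiry": expiry,
                # How long the token had been expired when it was presented.
                "seconds_late": int((last_ts - expiry).total_seconds()),
            })

        m = CERT_RE.search(line)
        if m:
            serial, thumb = m.groups()
            entry = untrusted.setdefault(thumb, {"serial": serial, "count": 0})
            entry["count"] += 1
    return {"expired_tokens": expired, "untrusted_certs": untrusted}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ev in report["expired_tokens"]:
        print(f"{ev['logged_at']}: token expired {ev['seconds_late']}s before use "
              "(compare clocks across appliances and the SSO server)")
    for thumb, info in report["untrusted_certs"].items():
        print(f"untrusted cert {thumb} serial {info['serial']} seen {info['count']}x")
```

The thumbprints it reports are 20 bytes long, the length of a SHA-1 fingerprint, so they can be compared with the output of `openssl x509 -noout -fingerprint -sha1 -in cert.pem` for each appliance's certificate to see which one is being rejected.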
Enthusiast

Having the same problem with a fresh install of 6.1. Have tried SBeaver's certificate shenanigans but can't get the ID appliance to accept a concatenated PEM chain; my certs have 3 layers though (host, SubCA, CA), so wondering if that's causing a problem. Have also tried targeting the GC in AD on port 3268 rather than straight LDAP on 389, and have confirmed time is synced across the appliances. Have to be missing something in this .....

0 Kudos
Enthusiast

Pointed towards this from GSS:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=209080...

Haven't tried it yet, will do so later, but just in case anyone else still having this problem ....