VMware Cloud Community
rupamc2016
Contributor

vRealize 7.0 integration with Active Directory

Hi

I am doing a deployment of vRA 7.2.

I have used Windows 2012 R2 Standard as AD and Windows 2008 R2 for the IaaS server.

All the services on the vRA and IaaS servers are up and running, and I am able to log in successfully.

I face an issue when I try to add the directory from Administration > Directory.

I am using Active Directory (Integrated Windows Authentication) and am logged in to the tenant as the Tenant Administrator.

I know my domain admin credentials are correct because I used the same ones to add other computers to the domain.

But in this case, when I try to add the directory, I get the error:

"Could not join domain: Error occurred while joining domain. Verify Domain Admin username and password is correct, and the username is the sAMAccountName."

I know the credentials are correct and have the required privileges.

pastedImage_2.png

pastedImage_0.png

Is there any specific AD config I need to do here?

18 Replies
mbcarnes79
Contributor

I'm having the same problem. If I choose Active Directory over LDAP I can authenticate with the same account, but I get this error when using Integrated Windows Authentication.

daphnissov
Immortal

You'll have to post either a screenshot or list all the parameters you're trying to use for us to help you.

mbcarnes79
Contributor

My apologies. I had indicated that my error was the same, but I suppose it is helpful if I show what I've entered. See below:

pastedImage_0.png

I'm also seeing the following errors in the connector.log:

2017-08-01 14:42:25,073 ERROR (tomcat-http--24) [3002@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.connector.rest.DomainRestController - Error occurred while joining domain.

com.vmware.horizon.connector.domain.DomainJoinException: Failed to join domain. Error Code: ERROR_GEN_FAILURE.

2017-08-01 14:46:24,767 ERROR (tomcat-http--14) [3002@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.connector.domain.DomainJoinServiceImpl - Failed to join domain.

com.vmware.horizon.common.utils.exceptions.CommandException: exitCode = 1, stdOut = Joining to AD Domain:  domain.COM

With Computer DNS Name: oma-ilesxv0003.domain.COM

svrealizeautomation@domain.COM's password:

Error: ERROR_GEN_FAILURE [code 0x0000001f]

daphnissov
Immortal

There are a couple things to check. First, and I'm assuming you're already doing this or else a different message would be displayed, you can only join the vRA front end appliance to AD from the master tenant. You have to be logged in as a tenant admin to do so. Second, make sure that in your AD there is no object for it already if you've pushed/pulled it multiple times. I don't know your vRA architecture, but the Sync Connector field should be one of your front ends. Check no firewalls are in the way. As stated, the user you're attempting with this must be a domain admin with join permissions. And also make sure the account name you're passing corresponds to the sAMAccountName attribute. If you have something different in there, it must match.

mbcarnes79
Contributor

Thanks for the reply daphnissov. My responses:

1. First, and I'm assuming you're already doing this or else a different message would be displayed, you can only join the vRA front end appliance to AD from the master tenant. You have to be logged in as a tenant admin to do so.

- Yes, I'm logged into the vsphere.local tenant using the configurationadmin account that was initially created during setup. I have also tried using a manually created account that was added to both Tenant Admins and IaaS Admins.

2. Second, make sure that in your AD there is no object for it already if you've pushed/pulled it multiple times.

- It has not yet successfully been joined to AD, so there is no object. We do have a static DNS entry for name resolution.

3. I don't know your vRA architecture, but the Sync Connector field should be one of your front ends. Check no firewalls are in the way.

- I'm not sure I understand the statement about the Sync Connector. Can you clarify this? I have verified that there is no blocked traffic coming to/from the vRA appliance IP.

4. As stated, the user you're attempting with this must be a domain admin with join permissions. And also make sure the account name you're passing corresponds to the sAMAccountName attribute

- I'm using a service account that is a member of Domain Admins. I have logged in locally to the IaaS box with it to verify credentials. Here's a screenshot of the account:

pastedImage_1.png

pastedImage_0.png

daphnissov
Immortal

More questions:

  1. What version of vRA?
  2. What is your vRA architecture? Is it minimal, distributed, or redundant distributed?
  3. Have you verified you can add AD as an LDAP source using those same credentials to verify the account has no connection issues?
  4. Do you have many trust relationships with other domains in your environment?
  5. Try the attempt again and post the resulting messages from /var/log/messages and /storage/log/vmware/horizon/horizon.log.
  6. Is SMBv1 disabled on your domain controller(s)?
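The checklist daphnissov gives above (sAMAccountName must match, no stale computer object, DNS and firewall in order, domain-admin join rights, SMB availability on the DCs) can be verified from the Windows side before retrying the IWA join. The script below is an added example written for this thread, not VMware code and not part of the original posts; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module (such as the IaaS server), and the domain, account and appliance names are placeholders to replace.

```powershell
# Added example (not from the thread or from VMware): pre-flight checks for the AD join
# that the vRA connector performs when an IWA directory is created.
# Run on a domain-joined Windows host with RSAT (Import-Module ActiveDirectory).
# All three values below are placeholders, not real names from the thread.
Import-Module ActiveDirectory

$Domain        = 'domain.com'            # AD domain the connector will join (placeholder)
$JoinAccount   = 'svc-vra-join'          # must be the sAMAccountName, not a UPN (placeholder)
$ApplianceHost = 'vra-appliance'         # short computer name the connector registers (placeholder)
$Findings      = @()

# 1. The join account must exist under exactly this sAMAccountName and be usable.
$user = Get-ADUser -Filter "sAMAccountName -eq '$JoinAccount'" -Properties Enabled, LockedOut
if (-not $user) {
    $Findings += "No user with sAMAccountName '$JoinAccount' (a UPN or display name will not match)"
} else {
    if (-not $user.Enabled) { $Findings += "Account '$JoinAccount' is disabled" }
    if ($user.LockedOut)    { $Findings += "Account '$JoinAccount' is locked out" }
    # Recursive membership check so nested groups count as well.
    $isDomainAdmin = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.SamAccountName -eq $JoinAccount }
    if (-not $isDomainAdmin) { $Findings += "Account '$JoinAccount' is not in Domain Admins" }
}

# 2. A computer object left over from an earlier join attempt makes the next join fail.
$stale = Get-ADComputer -Filter "Name -eq '$ApplianceHost'" -ErrorAction SilentlyContinue
if ($stale) { $Findings += "Computer object already exists: $($stale.DistinguishedName)" }

# 3. The connector's DNS name must resolve inside the domain.
$fqdn = "$ApplianceHost.$Domain"
try   { Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop | Out-Null }
catch { $Findings += "No DNS A record for $fqdn" }

# 4. A domain join needs Kerberos (88), LDAP (389) and SMB (445) reachable on a DC.
$dc = (Get-ADDomainController -Discover -DomainName $Domain).HostName | Select-Object -First 1
foreach ($port in 88, 389, 445) {
    $probe = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) { $Findings += "TCP $port to $dc is not reachable" }
}

if ($Findings.Count -eq 0) {
    Write-Host "Join prerequisites look good for $fqdn against $dc"
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

The port probe is run from the Windows host rather than from the appliance, so a firewall rule that only blocks the appliance's IP would still need to be checked from the appliance itself; the test tells you the DC is listening, not that the appliance can reach it.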
mbcarnes79
Contributor

1. What version of vRA?

- 7.3 (latest build)

2. What is your vRA architecture? Is it minimal, distributed, or redundant distributed?

- Enterprise build with the vRA appliance, a single IaaS server and a single SQL server. The plan is to build in HA down the road, but currently just trying to get this implemented.

3. Have you verified you can add AD as an LDAP source using those same credentials to verify the account has no connection issues?

- Yes, I have added AD as an LDAP source using the same credentials.

pastedImage_13.png

4. Do you have many trust relationships with other domains in your environment?

- None. This is a greenfield environment segmented from our production environment.

5. Try the attempt again and post the resulting messages from /var/log/messages and /storage/log/vmware/horizon/horizon.log.

- Will do. I will post this in a separate response.

6. Is SMBv1 disabled on your domain controller(s)?

- Yes

Thanks again for the responses!
Mike

mbcarnes79
Contributor

I figured it might be easiest just to attach the logs. I see a ton of java.io.IOException error messages in the horizon log file, so to keep it a little smaller I cut out anything that was more than a few hours old.

daphnissov
Immortal

Log in to the VAMI on the appliance (port 5480). Check vRA Settings -> Messaging. Does it show connected and running? Check the 'Services' tab. Are all registered?

mbcarnes79
Contributor

Yep, it looks like it!

pastedImage_0.png

daphnissov
Immortal

One last thing, have you tried simply rebooting the appliance? In 7.3 and 7.2, sometimes "weird" things happen when the system has not been rebooted at least once since initial deployment and configuration. If you've not already done so, hit the reboot button for good measure.

mbcarnes79
Contributor

The reboot did appear to clear up the rabbit errors that I was seeing, but unfortunately it did not fix the AD join issue. I was hoping this would be a simple fix, but alas, it was not! I will open a ticket with support, and will update this thread once a resolution is (hopefully) found.

Thanks again for your assistance, it is much appreciated!
Mike

daphnissov
Immortal

Do let us know in this thread the outcome of your SR. My only thought is that SMBv1 could be the blocker, but I can't test that for you currently. I know in previous versions SMBv1 was required or else issues would result. You might directly ask the engineer assigned if that is still a requirement.

hicall
Contributor

Hi mbcarnes79,

Could you please share what support said to resolve this issue?

Because I have the same problem: I cannot sync to the directory using AD with IWA. So I'm using AD over LDAP, but when I tried to find a group there was an error:

Prolem querying for query telnet.

Thanks

Regards,

Haikal

virtualdive
VMware Employee

Did you find a solution to this, please?

Thanks,

VD

Regards,

'V'
thevshish.blogspot.in
vExpert-2014-2021
priscillagr
Enthusiast

So, I was having this problem just now.

Authentication over LDAP went OK, but IWA didn't work. I kept getting "Operation can only be performed by an admin of the master tenant". Tried over 5 times with no success.

Then I did a test putting the wrong password in my Bind User (just to see a different error; of course it told me the password was wrong), and then I tried again with the right password and IT WORKED.

So I don't know why it worked, but I know how frustrating it is to solve these kinds of problems, so why not share it, right?

Hope it can help someone!

virtualdive
VMware Employee

In 'Connectors', do you see the vRA node connected to the AD domain? If not, can you join that node to the domain first and then try creating the IWA?

Regards,

'V'
thevshish.blogspot.in
vExpert-2014-2021
rajancs003
Contributor

Hi,

Did you get any solution? I am facing the same issue.
