I have been attempting to run the workflow "Add a vCAC Host" and it keeps failing with Invalid credentials. I have tried the local Administrator account on the IaaS system, an AD Account that is in the Administrators group and the AD based Service Account that the IaaS components are installed as. None of them have worked.
How can I dig deeper to figure out what's not working right and what credentials I need for this?
Has anyone been able to do this with AD based service account?
I think you are using backslash ("\") as pointed out in this post: "Add vCenter Orchestrator as a vCloud Automation Center endpoint | VCDX56"
Hope it helps,
Preetam
vZare.com
Doesn't look like it. Tried again with no success adding the vCAC host. Other thoughts?
You may try to add the certificate of the vCAC host in the vCO web configuration certificate tab
SSL Certs are added and accepted.
This is the error I get. This happens when I use my ID (which is in the local administrators group on the Windows box).
com.vmware.o11n.plugin.dynamicops.ServiceException: HTTP/1.1 401 Unauthorized : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>401 - Unauthorized: Access is denied due to invalid credentials.</title><style type="text/css"><!--body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2> <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3> </fieldset></div></div></body></html> (Workflow:Add a vCAC host / Add a VCAC host (item0)#54020)
My IaaS box is on one domain and the ID is in the master trusted domain where IDs reside. These two domains ROOT, TEST (names changed to protect the innocent) are fully trusted.
How can I help narrow down what credential I need? Is there a way to test this outside of vCO so I can maybe narrow down what the issue is?
You can test the credentials without vCO by opening: http://vCAChost/Repository/Data/ManagementModelEntities.svc
That works with my ID both from my workstation and from the IaaS server. It also works fine with the service AD account.
I have tried entering the ID as
<domain>\<ID>
<id>@<domain>
with the NTLM domain listed as both
<ROOT domain>
<Child domain>
Same error on access issue.
What next? It seems that I have permissions and there's something I'm missing in this flow and making it work right.
If I recall well, on my lab setup I just use administrator for user and DOMAIN for NTLM domain (since my vCAC is also a domain controller).
That isn't quite an enterprise level setup then. Central identity management goes on here.
I have tried using the local administrator account also. Do you mean literally to use "DOMAIN" or do you mean your domain name?
Tried all those.. much appreciate the thoughts. What next?
My domain name (not the FQDN, the windows non dotted one).
What plug-in version do you have?
Tried those different iterations of the domain name.
Version info:
vCAC plugin 6.0.0.
Add a vCAC Host workflow is version 1.0.12.
Hi,
Did you ever figure out how to resolve this? I'm getting the exact same issue and nothing seems to be working.
Not yet for my environment. I have opened a ticket on it and am exploring this, as everything appears that it should work, from the excellent suggestions offered here to all the various websites and blogs.
Solution:
Setup
ROOT\vCACp & CHILD\vCACt in Administrator group on IaaS.Child.local
Testing Access
Go to https://iaas.child.com/repository/data/MetaModel.svc/ and put in
ROOT\vCACp credential and it works fine. It returns the XML.
CHILD\vCACt credential and it works fine. It returns the XML.
So permissions work on the IaaS side.
Go to vCO and run the "Add to vCAC Host" and put in vCACp ID with ROOT Netbios name. Fails..
Try again with vCACt using the CHILD netbios name.. works correctly.
Apparently there is a known limitation/issue with vCO and cross domain trust usage. Not sure of the details and am still digging for a KB or some other details around this.
Can you please provide more information on the solution. I am having similar issue.
My Windows 2008 server IAAS is in CORP.VCAC domain
Username used is Administrator@corp.vcac (or CORP.VCAC\Administrator)
I am trying to add an IaaS host using the values below, but it is not working
Authentication Username: Administrator
Authentication Password: { its password}
Workstation for NTLM authentication:
Domain for NTLM authentication: CORP.VCAC
I have tried NTLM domain as CORP.VCAC or VCAC or CORP or CHILD or ROOT, but no luck.
Same issue here. In my environment, the exception in the workflow stated "401 - Unauthorized: Access is denied due to invalid credentials." I confirmed the account had the proper rights though by accessing https://iaasserverfqdn/repository/data/MetaModel.svc/
So my guess was the syntax wasn't right. I confirmed this in the Windows Security Log on the IaaS server. I found failed logon attempts where the Account Domain didn't look right.
I had to specify our netbios domain name in the Domain for NTLM Authentication prompt, and then it worked.
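The check described in the post above (failed logons on the IaaS server whose Account Domain looks wrong), as an added example that is not part of the original thread: it reads exported Security-log XML for failed-logon event 4625 and flags any Account Domain that is not one of the expected NetBIOS names. The event sample, the account name `svc-vcac` and the domain `CORP` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Two common SubStatus (NTSTATUS) values recorded on event 4625.
SUBSTATUS = {"0xc0000064": "user name does not exist",
             "0xc000006a": "wrong password"}

# Constructed sample: two failed logons in the Windows event XML layout,
# wrapped in a root element so the export is well-formed XML.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID></System>
 <EventData>
  <Data Name="TargetUserName">svc-vcac</Data>
  <Data Name="TargetDomainName">corp.example.local</Data>
  <Data Name="SubStatus">0xc0000064</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID></System>
 <EventData>
  <Data Name="TargetUserName">svc-vcac</Data>
  <Data Name="TargetDomainName">CORP</Data>
  <Data Name="SubStatus">0xc000006a</Data>
 </EventData>
</Event>
</Events>"""

def failed_logons(xml_text, expected_domains):
    """Return one dict per 4625 event, marking unexpected Account Domains."""
    expected = {d.upper() for d in expected_domains}
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue  # not a failed-logon record
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        domain = data.get("TargetDomainName", "")
        rows.append({
            "user": data.get("TargetUserName", ""),
            "domain": domain,
            "domain_ok": domain.upper() in expected,
            "reason": SUBSTATUS.get(data.get("SubStatus", "").lower(), "other"),
        })
    return rows

if __name__ == "__main__":
    for row in failed_logons(SAMPLE, ["CORP"]):
        print(row)
```

A row with `domain_ok` set to false points at the value typed into the "Domain for NTLM authentication" prompt rather than at the account's rights.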
Try using the service account you're running the IaaS components as.
Same here. I am actually running vRA 6.2 using the integrated vRO engine. No Parent and Child domain.
Anyone managed to find a solution?