ncekic
Contributor

vRO 7.3 Internal Server Error when accessing controlcenter

Hey Guys

I've just deployed a vRO 7.3 and configured it to use SSO. I've put in the right SSO vCenter, the admin creds, the admin group, and accepted the certificate. Checked the validation, everything was green, only the reboot was missing. After rebooting the appliance I was able to log in to the vRO application with my AD credentials and was in the vRO. Thought perfect, everything fine.

Then I went to the Control Center and got this error:

HTTP Status 500 - Internal Processing Error

type Status report

message Internal Processing Error

description The server encountered an internal error that prevented it from fulfilling this request.


Pivotal tc Runtime 3.1.5.RELEASE/8.0.36.A.RELEASE

In the browser address bar I saw: https://myvcentersso.com/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVRbb5swF ..................

I got the same error several months ago and cannot remember the problem exactly. I only know that I deployed the appliance again, did a snapshot, and configured the SSO again and again. At one point I changed something during the SSO configuration. Maybe the IP instead of FQDN??

Does anyone have an idea what to do???

Is it possible to reset the appliance without reinstalling? Maybe an SSO reset, so that I can connect again to the Control Center and configure again?

5 Replies
daphnissov
Immortal
ncekic
Contributor

OK, I will try to reset the SSO config over SSH.

Is there anything I should know when reconfiguring???

daphnissov
Immortal

Like what? The script just resets access so that you can configure it properly once again.

ericr999
Enthusiast

I had the same issue, and did the same procedure over and over with support. And we haven't found a solution so far. But in my case, I only get this error in my prod, where I have 2 vRO servers. And I get this error only on the second node. In my preprod, I also have two vRO servers, both linked to another Active Directory, and both vRO nodes are working without issue.

Also, when doing the reset it will not reset the SSO authentication done within the vRO server, but it will reset the authentication with the Control Center.

But also, this issue helped me realize that with a cluster and SSO, 7.3 is not yet ready. I mean the cluster part is working fine, but I don't have enough control over the cluster. When the cluster is enabled, and SSO is activated for the Control Center, you lose access to connect to node 1 or node 2 specifically. So, you cannot restart a specific node. By reading the documentation regarding the cluster information and load balancing stuff, something is not right.

Because if you have vRO node 1 down, and want to restart it, you access the Control Center, which is now load balanced, but the monitor is based on the documentation page, which will probably work since it's monitoring the Control Center service, but what you need to restart is the vRO server, so you can't access node 1 via HTTP directly because you could be redirected to whatever node the load balancer decides. Anyway, I reported that to the dev team already.

Also, the access to HTTP is vital to me, since our security team prevents us from using SSH. SSH should be enabled in extreme cases. So for this reason, I've removed the SSO authentication from the Control Center, and now I'm only using root.

Another detail: when doing the reset and reconfiguration, you will need the account/password to authenticate with your vCenter/PSC. Important to know, since in my case I don't have that account, I must always get the team that does...

daphnissov
Immortal

But also, this issue helped me realize that with a cluster and SSO, 7.3 is not yet ready. I mean the cluster part is working fine, but I don't have enough control over the cluster. When the cluster is enabled, and SSO is activated for the Control Center, you lose access to connect to node 1 or node 2 specifically. So, you cannot restart a specific node. By reading the documentation regarding the cluster information and load balancing stuff, something is not right.

You can connect to those nodes directly. In the 7.3 load balancing documentation (as changed from the 7.2), they suggest implementing a VIP for Control Center. I see no need for this and don't do that. When you remove that VIP, you can connect to the individual nodes. There's little point in balancing 8283, so I just don't do it.

Something else to check, although it's not related to this thread: enable session persistence on the 8281 VIP (app-server) and set it to SSL Session. This isn't spelled out well at all and is terribly inconsistent, which I've reported a couple of times now.
