Hello all,
We did an in-place upgrade from version 6.0 to version 6.5 and recently wanted to take advantage of the Active Directory 2012R2 feature of the "Protected Users" group. After adding our privileged accounts into this group we realized we could no longer log in to vCenter. We were receiving an error message basically saying the password was incorrect.
I stumbled upon this VMware KB Article: VMware Knowledge Base which I think explains the issue we are having.
We are trying to implement option 3 listed in that KB. However, just trying to make any change to that Identity Source results in me receiving the error message noted in the KB: "A vCenter Single Sign-On service error occurred".
It doesn't seem to matter what I do, we receive that message. Even trying to edit the current Identity Source and change it to LDAP only with no SSL, I still receive that message.
Has anyone run into this issue?
Did you find anything interesting in ssoAdminServer.log (/var/log/vmware/sso)?
Also, have you tried removing and re-adding the identity source? (Please take a snapshot first.)
Hello,
I have seen a community article on AD authentication. Please check whether it can help you.
After upgrade to 6.5 update 1 broken AD authentication
If your problem is not resolved, please share the logs with us.
Regards
Randhir
Please don't forget to award points for "helpful" and/or "correct" answers.
I'm basically receiving the same errors in the ssoAdminServer.log that the KB says. I changed the username to: <USRNAME> and the domain to <DOMAIN>.
This error was generated when I tried to specify one domain controller without security on port 389, did not check the box for SSL.
[2018-08-05T13:09:46.929-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58195-ngc:70002579 INFO com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: <USRNAME>, Domain: <DOMAIN>} with role 'Administrator' is authorized for method call 'ServiceInstance.retrieveServiceContent'
[2018-08-05T13:09:46.955-04:00 pool-4-thread-2 opId=IdentitySourceWizard-apply-58196-ngc:70002579 INFO com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: <USRNAME>, Domain:<DOMAIN>} with role 'Administrator' is authorized for method call 'IdentitySourceManagementService.updateLdapAuthnType'
[2018-08-05T13:09:46.955-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58196-ngc:70002579 INFO com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] [User {Name: <USRNAME>, Domain:<DOMAIN>} with role 'Administrator'] Updating the authentication type of ldap identity source with name '<DOMAIN>' to 'password'
[2018-08-05T13:09:47.011-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58196-ngc:70002579 ERROR com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] 'IdentityStore certificates' value should not be empty
[2018-08-05T13:09:47.011-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58196-ngc:70002579 ERROR com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] 'IdentityStore certificates' value should not be empty
java.lang.IllegalArgumentException: 'IdentityStore certificates' value should not be empty
    at com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl.updateLdapAuthnType(IdentitySourceManagementImpl.java:602) ~[sso-adminserver.jar:?]
    at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$9.call(IdentitySourceManagementServiceImpl.java:298) ~[sso-adminserver.jar:?]
    at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$9.call(IdentitySourceManagementServiceImpl.java:286) ~[sso-adminserver.jar:?]
    at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:160) [sso-adminserver.jar:?]
    at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl.updateLdapAuthnType(IdentitySourceManagementServiceImpl.java:286) [sso-adminserver.jar:?]
    at sun.reflect.GeneratedMethodAccessor319.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_162]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_162]
    at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:65) [vlsi-server.jar:?]
    at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:47) [vlsi-server.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_162]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]
I have not tried removing and re-adding the identity source but was going to, and will snapshot the environment (vCenter & PSCs). This is currently in our Test environment. If the fix is to remove and re-add the identity source, I don't think that's really going to be a very good option for our production environment. We have a lot of delegation of rights configured.
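The generic "A vCenter Single Sign-On service error occurred" message in the UI hides the real cause, which only appears in ssoAdminServer.log, as the excerpt above shows. The script below is an added example (not the poster's code and not a VMware tool) that parses the log's `[timestamp thread opId=... LEVEL logger] message` header format, attaches exception and stack-frame lines to the entry that preceded them, groups entries by opId, and reports which method call failed and why. The sample log embedded in the script is constructed from the excerpt above (wrapped lines rejoined, stack trace shortened, same <USRNAME>/<DOMAIN> placeholders); the header layout it assumes is the one visible in that excerpt.

```python
import re
from collections import OrderedDict

# Constructed sample: modelled on the ssoAdminServer.log excerpt posted in the thread,
# with the wrapped lines rejoined and only the first two stack frames kept.
SAMPLE_LOG = """\
[2018-08-05T13:09:46.929-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58195-ngc:70002579 INFO com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: <USRNAME>, Domain: <DOMAIN>} with role 'Administrator' is authorized for method call 'ServiceInstance.retrieveServiceContent'
[2018-08-05T13:09:46.955-04:00 pool-4-thread-2 opId=IdentitySourceWizard-apply-58196-ngc:70002579 INFO com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: <USRNAME>, Domain:<DOMAIN>} with role 'Administrator' is authorized for method call 'IdentitySourceManagementService.updateLdapAuthnType'
[2018-08-05T13:09:46.955-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58196-ngc:70002579 INFO com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] [User {Name: <USRNAME>, Domain:<DOMAIN>} with role 'Administrator'] Updating the authentication type of ldap identity source with name '<DOMAIN>' to 'password'
[2018-08-05T13:09:47.011-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58196-ngc:70002579 ERROR com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] 'IdentityStore certificates' value should not be empty
[2018-08-05T13:09:47.011-04:00 pool-4-thread-4 opId=IdentitySourceWizard-apply-58196-ngc:70002579 ERROR com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] 'IdentityStore certificates' value should not be empty
java.lang.IllegalArgumentException: 'IdentityStore certificates' value should not be empty
    at com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl.updateLdapAuthnType(IdentitySourceManagementImpl.java:602) ~[sso-adminserver.jar:?]
    at com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl$9.call(IdentitySourceManagementServiceImpl.java:298) ~[sso-adminserver.jar:?]
"""

# Header layout as seen in the excerpt: "[ts thread opId=<id> LEVEL logger] message"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\S+) (?P<thread>\S+) opId=(?P<opid>\S+) (?P<level>[A-Z]+) (?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
METHOD_RE = re.compile(r"method call '(?P<method>[^']+)'")
USER_RE = re.compile(r"User \{Name: (?P<name>[^,]+), Domain:\s*(?P<domain>[^}]+)\}")


def parse_entries(text):
    """Split the log into entries; exception and 'at ...' lines belong to the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["trace"] = []
            entries.append(entry)
        elif line.strip() and entries:
            entries[-1]["trace"].append(line.strip())
    return entries


def failed_operations(entries):
    """Group entries by opId and keep only operations that logged at least one ERROR.

    Each value records the user, the authorized method calls, the ERROR messages,
    the first exception line and the stack frames that followed it.
    """
    ops = OrderedDict()
    for e in entries:
        op = ops.setdefault(
            e["opid"],
            {"user": None, "methods": [], "errors": [], "exception": None, "frames": []},
        )
        u = USER_RE.search(e["msg"])
        if u and op["user"] is None:
            op["user"] = f"{u.group('name')}@{u.group('domain')}"
        m = METHOD_RE.search(e["msg"])
        if m:
            op["methods"].append(m.group("method"))
        if e["level"] == "ERROR":
            op["errors"].append(f"{e['logger']}: {e['msg']}")
            for t in e["trace"]:
                if t.startswith("at "):
                    op["frames"].append(t)
                elif op["exception"] is None:
                    op["exception"] = t
    return OrderedDict((k, v) for k, v in ops.items() if v["errors"])


def describe(opid, op):
    """One-line triage summary: which method, by whom, failed with which root cause."""
    method = op["methods"][-1] if op["methods"] else "<unknown method>"
    cause = op["exception"] or op["errors"][0]
    who = op["user"] or "<unknown user>"
    return f"{opid}: {method} by {who} failed -> {cause}"


if __name__ == "__main__":
    # Usage: python sso_log_triage.py  (reads the embedded sample; swap in open(path).read() for a real log)
    for opid, op in failed_operations(parse_entries(SAMPLE_LOG)).items():
        print(describe(opid, op))
        if op["frames"]:
            print("  first frame:", op["frames"][0])
```

Correlating on opId is the useful part: the wizard's INFO lines and the ERROR lines share `IdentitySourceWizard-apply-58196-ngc:70002579`, so the summary names `updateLdapAuthnType` as the call that failed and the `IllegalArgumentException` about empty 'IdentityStore certificates' as the reason, which is more actionable than the UI's generic service error.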
How was the identity source configured in 6.0?
Was it AD over LDAP or IWA?