VMware Cloud Community
softadminupfcu
Contributor

Initial setup of VCSA... AD Integration... Had to replace certs. Now VCSA not available from web or client

Good day, and I hope yours is better than mine...

Just downloaded and set up VCSA 6.0 U2.  Finally got it to join my domain*.  Added admin group from domain and gave them permissions.  Every time I tried to use NT authentication (the checkbox) it would error out.

I found and followed articles 2020970 and 21112283.  Now I am unable to log into either the web client or the vSphere client.

The web client yields this:

A server error occurred.

[500] SSO error: Cannot connect to the VMware Component Manager https://vcenter.sso.unitedpolicefcu.com/cm/sdk?hostid=827ac00b-1131-452e-b9fa-6b69a3a3f7ef

Check the vSphere Web Client server logs for details.

The vSphere client says:

Windows session credentials cannot be used to log into this server   (which is what started the 2 KBs above)

or

Cannot complete login due to incorrect user name or password  (I tried SSO Admin, domain user, appliance root user)

I have tried the certificate replacement steps (option 8, then 8, then 3, then 4, then 8 again).  Each ends with errors similar to this:

Status : 45% Completed [Replace machine Cert...]
Status : 50% Completed [Replace vsphere-webclient Cert...]
Status : 55% Completed [Replace vpxd Cert...]
Status : 60% Completed [Replace vpxd-extension Cert...]

2016-03-29T18:35:36.382Z   Updating certificate for "com.vmware.vim.eam" extension

Status : 0% Completed [Operation failed, performing automatic rollback]

Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.

Performing rollback of Root Cert...

Rollback Status : 0% Completed [Rollback Root Cert...]
Rollback Status : 30% Completed [Rollback Machine SSL Cert...]

Get site name

hq

followed by this at the end of the rollback:

Updated 0 service(s)

Rollback Status : 40% Completed [Rollback machine Cert...]

Rollback Status : 50% Completed [Rollback vsphere-webclient Cert...]

Rollback Status : 60% Completed [Rollback vpxd Cert...]

Rollback Status : 70% Completed [Rollback vpxd-extension Cert...]

2016-03-29T18:36:23.960Z   Updating certificate for "com.vmware.vim.eam" extension

Error while reverting certificate for store : vpxd-extension

Rollback Status : 0% Completed [Rollback operation failed]

Error while performing rollback operation, please try Reset operation...

please see /var/log/vmware/vmcad/certificate-manager.log for more information.


Thanks for the help from Stumped in Miami.

*  And for those of you getting Error 11 on trying to join the domain, go into the VCSA web portal, drill down to the actual network settings and switch the DNS to manual.  Sorry I can't be specific on the actual path to this setting.  Although I gave it specific DNS at setup and a static IP, I finally found that it had reverted to getting DNS from DHCP...  Hope this helps.

3 Replies
danb1982
Contributor

We have a very similar problem running vCenter 6.0u2 on Windows. We've tried options 1 & 5 to replace certificates using a custom CA rather than the VMCA. Resetting (option 8) also fails. We are also unable to connect with the thick client and web client. If we find a resolution I'll update this.

danb1982
Contributor

We were able to get our issue resolved with the help of VMware tech support. Apparently there is an "undocumented feature" that was released in 6.0u1b and carried over into 6.0u2. When generating your CSRs you need the following OU names:

For the MACHINE CSR use "Root" for Organizational Unit (OU)

For User Solution User Certificate CSRs:

  • For Machine, use "Machine" as OU
  • For vsphere-webclient, use "WebClient" as OU
  • For vpxd, use "VPXD" as OU
  • For vpxd-extension, use "VPXD-EXT" as OU

Lastly, when providing the root signing certificate, you need to provide the full chain (trusted CA + intermediate) and not just the trusted CA.

Hope this info helps you out if you haven't already resolved your issue. We were able to get running on custom certs using a Microsoft CA (options 1 & 5 in the certificate manager) using the info above.
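As an added example (not from this thread, VMware, or certificate-manager itself), a small POSIX shell script that checks the CSRs and the signing chain file for the pitfalls danb1982 describes before they are handed to the certificate manager: the store-specific OU on each CSR, and a chain file that holds the intermediate as well as the trusted root. The store labels (machine-ssl for the MACHINE CSR, machine, vsphere-webclient, vpxd, vpxd-extension), the file names and the use of openssl on a management host are my assumptions.

```shell
#!/bin/sh
# Map a certificate-manager store to the OU the thread says its CSR needs
# (store labels are this script's own naming, not VMware's).
expected_ou_for_store() {
  case "$1" in
    machine-ssl)       echo "Root" ;;       # the MACHINE (machine SSL) CSR
    machine)           echo "Machine" ;;    # solution user certificates below
    vsphere-webclient) echo "WebClient" ;;
    vpxd)              echo "VPXD" ;;
    vpxd-extension)    echo "VPXD-EXT" ;;
    *)                 return 1 ;;
  esac
}

# Print the first OU in a PEM CSR's subject (sep_multiline gives one RDN per line).
csr_ou() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^ *OU *= *//p' | head -n 1
}

# Fail if the CSR for a store does not carry the OU that store expects.
check_csr_ou() {
  want=$(expected_ou_for_store "$1") || { echo "unknown store: $1" >&2; return 2; }
  got=$(csr_ou "$2")
  if [ "$got" = "$want" ]; then
    echo "OK: $1 CSR has OU=$got"
  else
    echo "MISMATCH: $1 CSR has OU='$got', expected OU='$want'" >&2
    return 1
  fi
}

# Count PEM certificates in a chain file; a root-only file counts 1.
chain_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The chain handed to certificate-manager must include root and intermediate(s).
check_chain() {
  n=$(chain_cert_count "$1")
  if [ "$n" -ge 2 ]; then echo "OK: chain has $n certificates"; return 0; fi
  echo "chain file $1 holds only $n certificate(s); append the intermediate and root" >&2
  return 1
}
# Usage: sh check_vcsa_certs.sh <store> <csr.pem> [chain.pem]
if [ "$#" -ge 2 ]; then
  check_csr_ou "$1" "$2"
  [ -z "$3" ] || check_chain "$3"
fi
```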

Jcates28
Contributor

I can confirm this works, if anyone was wondering. @Danb1982, thanks for your response here; it helped me out!

I was having a similar issue here, and found that this is not well covered by any documentation or forums currently.
