vCenter

  • 1.  VCSA 6 Joining AD breaks the VCSA

    Posted Mar 23, 2015 04:16 PM

    Hi all,

    I have followed the directions for joining VCSA 6 to AD to a "T", and noticed a couple of strange things:

    • When I click OK following the "Join Active Directory" step, there is no indication of a task being completed. It just dumps me back at the same screen where I started, with no domain or OU listed.
    • When I reboot the VCSA, after about 20 minutes I am able to attempt to log on, but get this message:

    A server error occurred.

    [400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Status: urn:oasis:names:tc:SAML:2.0:status:Responder, sub status: null.

    Check the vSphere Web Client server logs for details.



  • 2.  RE: VCSA 6 Joining AD breaks the VCSA

    Posted Mar 23, 2015 05:04 PM

    One other thing: the /etc/krb5.conf file contains valid information for the domain I am trying to join, and the time on the VCSA is accurate.



  • 3.  RE: VCSA 6 Joining AD breaks the VCSA

    Posted Mar 23, 2015 07:48 PM

    I downloaded the log file bundle and found this:

    2015-03-23T15:43:58.065145+00:00 vcsa-101 netlogond[4863]: 0x7f636a761700: Failed ldap search on 172.20.0.10 error=40290

    That is the correct DC, it is pingable from the VCSA, and there is no firewall/Windows Firewall issue.



  • 4.  RE: VCSA 6 Joining AD breaks the VCSA

    Posted Mar 24, 2015 07:35 PM

    Rebooted the VCSA twice and now I can log in!

    I did one thing, but made no changes other than a last reboot. Here's what I did:

    I ran the following commands:

    hostname

    hostname -s

    cat /etc/hosts

    /opt/vmware/share/vami/vami_config_net

    hostname and hostname -s both echoed the short name of my VCSA.

    cat /etc/hosts showed a correctly formatted hosts file with: IP     FQDN     shortname

    /opt/vmware/share/vami/vami_config_net option 3 showed a correct hostname.


    I don't know that there is an answer, but the issue is resolved.
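    The checks in the post above (hostname vs. hostname -s, the IP/FQDN/shortname line in /etc/hosts, and a krb5.conf that names the right realm), turned into a small repeatable preflight script. This is an added example, not code from the thread or from VMware; the host name vcsa-101.example.local, the realm EXAMPLE.LOCAL and the file contents are constructed.

```shell
#!/bin/sh
# Added example: preflight checks before joining a VCSA 6 appliance to AD.
# All names and file contents below are constructed for the demonstration.

# check_hosts_entry FILE FQDN SHORT
# Succeeds if FILE has a non-comment, non-loopback line of the form
# "IP  FQDN  SHORT", the layout confirmed as correct in the post above.
check_hosts_entry() {
    awk -v f="$2" -v s="$3" '
        /^[[:space:]]*#/ || NF < 3      { next }   # skip comments and short lines
        $1 ~ /^127\./ || $1 == "::1"    { next }   # a loopback line does not count
        $2 == f && $3 == s              { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_shortname FQDN SHORT
# "hostname" and "hostname -s" should agree on the short name, i.e. SHORT
# must be the first label of FQDN.
check_shortname() {
    [ "${1%%.*}" = "$2" ]
}

# check_krb5_realm FILE REALM
# krb5.conf must name the realm being joined as default_realm.
check_krb5_realm() {
    grep -q "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

# preflight HOSTS_FILE KRB5_FILE FQDN SHORT REALM: run all checks, report each,
# and return the number of failed checks as the exit status.
preflight() {
    fails=0
    check_hosts_entry "$1" "$3" "$4" && echo "hosts entry:  ok" || { echo "hosts entry:  MISSING"; fails=$((fails+1)); }
    check_shortname "$3" "$4"        && echo "short name:   ok" || { echo "short name:   MISMATCH"; fails=$((fails+1)); }
    check_krb5_realm "$2" "$5"       && echo "krb5 realm:   ok" || { echo "krb5 realm:   WRONG";    fails=$((fails+1)); }
    return "$fails"
}

# Demonstration on constructed files (on a real VCSA use /etc/hosts and /etc/krb5.conf).
demo_dir=$(mktemp -d)
printf '127.0.0.1 localhost\n172.20.0.20 vcsa-101.example.local vcsa-101\n' > "$demo_dir/hosts"
printf '[libdefaults]\n    default_realm = EXAMPLE.LOCAL\n' > "$demo_dir/krb5.conf"
if preflight "$demo_dir/hosts" "$demo_dir/krb5.conf" vcsa-101.example.local vcsa-101 EXAMPLE.LOCAL; then
    echo "preflight passed"
else
    echo "preflight found $? problem(s)"
fi
rm -rf "$demo_dir"
```

Run the three check functions against the live /etc/hosts and /etc/krb5.conf on the appliance; a non-zero exit from preflight tells you how many of the checks from the post failed.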



  • 5.  RE: VCSA 6 Joining AD breaks the VCSA

    Posted Apr 19, 2015 06:14 AM

    Hi, I'm getting exactly the same issue. What are the directions you followed? I haven't found any.

    The steps I've done:

    * join the machine to AD (successful - appears in proper OU in AD)

    * Admin/SSO/Config Added identity source (use machine account)

    * Admin/SSO/Users+Groups/Groups/ click + to add user to specified group, select my AD domain name from list "cannot load the users for the selected domain"

    Tried logging in with Windows authentication and got your error. Not that I expected it to work without adding anyone to a group.

    Did you do anything else? Were you able to load users?



  • 6.  RE: VCSA 6 Joining AD breaks the VCSA

    Posted Apr 19, 2015 07:13 AM

    Fixed my problem. For others out there using Windows PKI: VMware does not support dhe-rsa, which has been the default in Windows PKI since 2008 R2. Change your capolicy.inf to alternatesignatures=0 (to force the v1 or 1.5, I forget which, PKCS #1 format). Then reissue all your CA certs, go to each domain controller and renew each certificate. URGH!! VMWARE!!! It's 2015!!! Why do you still only support rsa and not dhe-rsa?



  • 7.  RE: VCSA 6 Joining AD breaks the VCSA

    Posted Aug 17, 2016 09:53 PM

    In my case it was an issue related to the date/time.

    The SSO service was not starting and produced 400/503 errors on the web interfaces (vCenter "503 Service Unavailable (Failed to connect to endpoint)" and "[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server").

    I had to correct the time zone in the admin interface (https on port 5480) and reboot.