Logging in to a tenant with verified administrator credentials or user credentials fails in vRA 6.2.x (2116525)


Symptoms

  • Unable to log in to VMware vRealize Automation tenants.
  • Logging in to VMware vRealize Automation fails with a splash screen.
  • You see the error:

    Login failed. Please contact your system administrator and report error code XXXXXX

  • For the tenants, identity stores are missing, or the test connection to all identity stores fails.
  • In the catalina.out file of the VMware vRealize Automation appliance, you see entries similar to:

    com.vmware.vcac.authentication.service.impl.SolutionCertificateUpdater.checkCertificatesExpiration:23 - Checking solution certificates...
    vcac: [component="cafe:identity" priority="INFO" thread="taskScheduler-1" tenant=""] com.vmware.vcac.authentication.service.sso.TenantManagement.renewSolutionCertificateIfExpiring:796 - Validating solution certificate under alias csp-admin
    vcac: [component="cafe:identity" priority="INFO" thread="taskScheduler-1" tenant=""] com.vmware.vcac.authentication.service.sso.TenantManagement.renewSolutionCertificateIfExpiring:803 - Certificate under alias csp-admin for solution user csp-admin-286f91f7-f0dc-49f0-962f-bf7e36950206 will be replaced.


    Note: Check the logs for the day on which the issue started; these entries are written only on that day.

  • In the websso.log file, you see entries similar to:

     tomcat-http--8 DEBUG com.vmware.identity.samlservice.impl.CasIdmAccessor] setTenant: <TENANT>
     tomcat-http--8 DEBUG com.vmware.identity.samlservice.impl.CasIdmAccessor] getCertificatesForRelyingParty
    https://<FQDN>/vcac/org/<TENANT>/saml/websso/metadata
     tomcat-http--8 DEBUG com.vmware.identity.samlservice.impl.CasIdmAccessor] getIdpEntityId
     tomcat-http--8 DEBUG com.vmware.identity.samlservice.impl.SamlServiceImpl] Verify signature, message SAMLRequest=zVV...3Nv&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256, sigAlg SHA256withRSA, signature EkZ...WFA==
     tomcat-http--8 DEBUG com.vmware.identity.samlservice.impl.SamlServiceImpl] signature verifies: false
     tomcat-http--8 DEBUG com.vmware.identity.BaseSsoController] Caught parsing exception java.lang.IllegalStateException: java.lang.IllegalStateException: Signature verification failed.

  • In the SSO’s ssoAdminServer.log file, you see entries similar to:

    • INFO  com.vmware.identity.vlsi.SessionManagerImpl] User {Name: csp-admin-e686be75-90da-4c2a-984a-9b5f1371e1ca, Domain: vsphere.local} with role 'GuestUser' logged in successfully.
      pool-12-thread-1  INFO  com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: csp-admin-(RANDOM-STRING), Domain: vsphere.local} with role 'GuestUser' is authorized for method call 'IdentitySourceManagementService.getSslCertificateManager'
      pool-12-thread-2  INFO  com.vmware.identity.vlsi.RoleBasedAuthorizer] User Anonymous is authorized for method call 'ServiceInstance.retrieveServiceContent'

    • [2016-09-01 16:19:47,607 pool-2-thread-5 INFO com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] Vmodl method 'IdentitySourceManagementService.getActiveDirectoryAuthnAccountInfo' return value is 'com.vmware.vim.binding.sso.admin.AuthenticationAccountInfo:
       userName = null,
       spn = null,
       useMachineAccount = true
       inherited from com.vmware.vim.binding.sso.admin.AuthenticationAccountInfo@27df4609'
      [2016-09-01 16:20:05,621 pool-3-thread-3 INFO com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: csp-admin-59379f8d-3a22-41ec-a65e-eb1459600b02, Domain: usyd} with role 'RegularUser' is not authorized for method call 'IdentitySourceManagementService.getDefaultDomains'
      [2016-09-01 16:20:05,654 pool-3-thread-1 INFO com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: csp-admin-59379f8d-3a22-41ec-a65e-eb1459600b02, Domain: usyd} with role 'RegularUser' is authorized for method call 'SessionManager.logout'
      [2016-09-01 16:20:05,654 pool-2-thread-4 INFO com.vmware.identity.vlsi.SessionManagerImpl] Logout called
      [2016-09-01 16:20:05,654 pool-2-thread-4 INFO com.vmware.identity.vlsi.SessionManagerImpl] User {Name: csp-admin-59379f8d-3a22-41ec-a65e-eb1459600b02, Domain: usyd} with role 'RegularUser' logged out.
    Note: The preceding log excerpts are only examples. Dates, times, and environment-specific values vary depending on your environment.

Cause

This issue occurs because the vRealize Automation CAFE csp-admin solution user certificate has expired. When the solution user certificate is renewed, some of the permissions that the csp-admin solution user previously held are revoked.

Resolution

Important: VMware recommends that you back up the SSO server, the vRealize Automation appliance, and the Postgres database before making any changes to the Identity or SSO server.
 
This issue is resolved in vRealize Automation 6.2.5, available at VMware Downloads.
 
To resolve this issue without upgrading:
  1. Download and install JXplorer from http://jxplorer.org/downloads/ and connect to the SSO directory.
  2. Log in to the default tenant and perform these steps:

    1. Configure the JXplorer connection for the default tenant:

      1. Open a new connection.

        Note: If you are using SSO from vSphere 5.5, the port should be changed to 11711 or 11712 from 389.

      2. For host, enter the FQDN of your vRealize Automation Identity or SSO Server.

        • The protocol is LDAP v3.
        • The Base DN is dc=vsphere,dc=local.
        • The Security Level is User + Password.
        • The Security User DN is cn=administrator,cn=users,dc=vsphere,dc=local.
        • The Security Password is your administrator password for the Identity or SSO server.

    2. Navigate to world > local > vsphere > Builtin > Administrators.
    3. Ensure that a member attribute with the csp-admin-(random string) value is present.

      If the member attribute is not present:

      Navigate to world > local > vsphere > Builtin > Users and ensure that the member attribute with the csp-admin-(random string) value is present.

    4. In the Users table, copy the csp-admin-(random string) value.
    5. Navigate to world > local > vsphere > Builtin > Administrators.
    6. Right-click a member attribute and select Add Another Value.

      This creates a new member line item.
    7. Paste the csp-admin-(random string) value copied in step 4 into the Administrators table.
    8. Click Submit.

  3. For all the other tenants, repeat these steps:

    1. Double-click the World icon twice to display all the tenants.
    2. Browse to the Test tenant.
    3. Navigate to world > tenant > Builtin > Administrators.
    4. Ensure that a member attribute with the csp-admin-(random string) value is present.

      If the member attribute is not present:

      Navigate to world > local > vsphere > Builtin > Users and ensure that the member attribute with the csp-admin-(random string) value is present.
    5. In the Users table, copy the csp-admin-(random string) value.
    6. Navigate to world > tenant > Builtin > Administrators.
    7. Right-click a member attribute and select Add Another Value.

      This creates a new member line item.
    8. Paste the csp-admin-(random string) value copied in step 5 into the Administrators table.

      Note: Each tenant has its own DC; for every tenant, select the csp-admin-(random string) entry that belongs to that tenant's DC.
    9. Click Submit.



  4. Re-register with SSO.
    1. Navigate to vRA VAMI > vRA settings > SSO.
    2. Re-register the SSO.
    3. Wait for the VCAC services to start.

  5. Log in to the default tenant. Perform these steps for each tenant:

    1. Go to Tenants and select the affected tenant and verify the information.
    2. Enter the administrative password and click Update.
    3. Go to Identity Providers for each tenant and test the connection of identity stores.
    4. If Identity Store Connections are successful, click Update and log in to the tenant.

    Note: The following steps are optional, and may not be applicable in all environments.

  6. If the preceding steps do not resolve your issue, perform these steps:
      
    1. Connect to the vRealize Automation appliance using SSH or console.
    2. Run this command:

      /usr/sbin/vcac-config import-certificate --alias websso --url https://sso_fqdn:7444/

    3. Reboot the VMware vRealize Automation appliance.
    4. Register the first VMware vRealize Automation appliance with SSO again and wait for all services to show REGISTERED, except vRealize Orchestrator and iaas-service.
    5. Check whether the IaaS solution user certificate has expired. Open IIS on the IaaS machine and verify that the solution user certificate is valid. If multiple solution user certificates are present, ensure that at least one of them is valid.
    6. If the solution user certificate has expired, see the Knowledge Base article - Registering VMware vRealize Automation 6.x Solution User certificate using the vcac-config.exe command in Iaas fails with the error: The remote certificate is invalid according to the validation procedure (2101390) for more information on how to regenerate the certificate.
    7. Log in to the default tenant. Perform these steps for each tenant:
      1. Go to Tenants and select the affected tenant and verify the information.
      2. Enter the administrative password and click Update.
      3. Go to Identity Providers for each tenant and test the connection of identity stores.
      4. If Identity Store Connections are successful, click Update and log in to the tenant. 
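The membership check in steps 2 and 3 above (is the csp-admin-(random string) user listed as a member of each tenant's Builtin Administrators group?) can also be done from an ldapsearch export instead of by hand in JXplorer. The following is an added example, not part of this article or of any VMware tool: it parses LDIF output, reports csp-admin users under a tenant DC that the Administrators group does not list, and builds the ldapsearch command using the bind DN and port given above. The sample LDIF is constructed, and the container names cn=users and cn=Administrators,cn=Builtin are an assumption based on the DNs the article shows.

```python
import re

# Constructed sample LDIF (not captured from a real system), laid out the way
# ldapsearch prints the csp-admin user and the Builtin Administrators group.
# Assumed DN layout (base DN from the article; container names assumed):
#   user:  cn=csp-admin-...,cn=users,<tenant DC>
#   group: cn=Administrators,cn=Builtin,<tenant DC>
SAMPLE_LDIF = """\
dn: cn=csp-admin-00000000-1111-2222-3333-444444444444,cn=users,dc=vsphere,dc=local
cn: csp-admin-00000000-1111-2222-3333-444444444444
objectClass: user

dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
cn: Administrators
member: cn=Administrator,cn=users,dc=vsphere,dc=local
"""

BIND_DN = "cn=administrator,cn=users,dc=vsphere,dc=local"  # security user DN from the article


def parse_ldif(text):
    """Return {dn (lowercased): {attr: [values]}}. Folds wrapped lines, skips comments.
    Base64 ('::') values are not decoded; DNs here are plain text."""
    text = re.sub(r"\n ", "", text)  # LDIF continues a long value on a line starting with a space
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn", [None])[0]
        if dn:
            entries[dn.lower()] = attrs
    return entries


def missing_csp_admin_members(ldif_text, tenant_dc):
    """DNs of csp-admin-* users under tenant_dc that the Builtin Administrators group lacks."""
    entries = parse_ldif(ldif_text)
    group = entries.get(f"cn=administrators,cn=builtin,{tenant_dc}".lower(), {})
    members = {m.lower() for m in group.get("member", [])}
    return sorted(dn for dn, attrs in entries.items()
                  if dn.endswith(tenant_dc.lower())
                  and any(cn.startswith("csp-admin-") for cn in attrs.get("cn", []))
                  and dn not in members)


def ldapsearch_argv(host, tenant_dc, port=389):
    """ldapsearch argv that fetches both entries; use port 11711/11712 for vSphere 5.5 SSO."""
    return ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}", "-D", BIND_DN, "-W",
            "-b", tenant_dc, "(|(cn=csp-admin-*)(cn=Administrators))", "cn", "member"]
```

Run the returned ldapsearch command once per tenant DC and feed its output to missing_csp_admin_members; an empty list means the Administrators group already holds the member value the article tells you to add.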
