Unable to add permissions or Unable to add any identity source in vCenter 6.x

-

ssoAdminserver logs

[INFO ][2019-12-19T14:50:25.432Z][k4cu9c27-323-auto-91-h5:70000118] auditlogger - {"user":"Administrator@VSPHERE.LOCAL","client":"","timestamp":"12/19/2019 14:50:25 UTC","description":"Registering the Active Directory as identity source
with domain Name 'LAB.LOCAL'","eventSeverity":"INFO","type":"com.vmware.sso.IdentitySourceManagement"}
[INFO ][2019-12-19T14:50:25.432Z][k4cu9c27-323-auto-91-h5:70000118] IdentitySourceManagementServiceImpl - [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Registering the Active Directory as identity source w
ith domain Name 'LAB.LOCAL'
[INFO ][2019-12-19T14:50:25.488Z][k4cu9c27-323-auto-91-h5:70000118] PooledLdapConnectionFactory - New connection created in pool PooledLdapConnectionIdentity [tenantName=null, username=vcsalab.org@vsphere.local, authType=SRP, us
eGCPort=false, connectionString=ldap://localhost:389]
[WARN ][2019-12-19T14:50:25.551Z][k4cu9c27-323-auto-91-h5:70000118] LdapErrorChecker - Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 1
[ERROR][2019-12-19T14:50:25.556Z][k4cu9c27-323-auto-91-h5:70000118] IdentityManager - Failed to add identity provider for tenant [vsphere.local]
[ERROR][2019-12-19T14:50:25.556Z][k4cu9c27-323-auto-91-h5:70000118] ServerUtils - Exception 'com.vmware.identity.interop.ldap.OperationsErrorLdapException: Operations error LDAP error [code: 1]'


vmdird syslog

2019-12-18T10:59:17.368888+00:00 err vmdird  t@140252710672128: UpdateServerObject: InternalModifyEntry failed. Error code: 1, Error string: Schema check failed - (9612)(Objectclass (vmwDirServer) is not defined in schema)
2019-12-18T10:59:48.033055+00:00 err vmdird  t@140252710672128: UpdateServerObject: InternalModifyEntry failed. Error code: 1, Error string: Schema check failed - (9612)(Objectclass (vmwDirServer) is not defined in schema)
019-12-19T15:09:08.088685+00:00 err vmdird  t@140036292978432: CoreLogicModifyEntry failed, DN = CN=81FD31A929956E9A1AEC546701B114C6EC48E74A,CN=Certificate-Authorities,cn=Configuration,dc=vsphere,dc=local, (9612)(Schema check failed - (9612)(Objectclass (vmwCertificationAuthority) is not defined in schema))
2019-12-19T15:09:08.089737+00:00 err vmdird  t@140036292978432: VmDirSendLdapResult: Request (Modify), Error (1), Message (Schema check failed - (9612)(Objectclass (vmwCertificationAuthority) is not defined in schema)), (0) socket (127.0.0.1)
(END)


Resolution :


Appliance Based Platform Services Controller:


  • Ensure to take a snapshot or Backup of the VCSA and PSC 
  • Connect to the Platform Services Controller with an SSH session as root.
  • Stop the Platform Services Controller services 
  • Run this command to update the VMdir Schema:
  • /usr/lib/vmware-vmdir/sbin/vmdird -c -u -f /usr/lib/vmware-vmdir/share/config/vmdirschema.ldif
  • Start the Platform Services Controller services 
  • Re-add the identity source 

Windows Based Platform Services Controller:


  • Log in to the Platform Services Controller machine as an Administrator.
  • Open an administrative command prompt.
  • Change to the Platform Services Controller installation directory:
  • cd C:\Program Files\VMware\vCenter Server\bin
  • Note: This is the default installation path. If you have installed the Platform Services controller to another location, modify this command to reflect the correct install location. 
  •  stop all services: 
  • Run this command to update the VMdir Schema:
  • C:\Program Files\VMware\vCenter Server\vmdird\vmdird.exe -c -u -f C:\ProgramData\VMware\vCenterServer\cfg\vmdird\vmdirschema.ldif
  • Note: This command uses the default installation path. If you have installed the Platform Services controller to another location, modify this command to reflect the correct install location. 
  • start all services and re-add the identity source 


Below is a different KB but you can use it as a reference to update the schema.ldif file 

https://kb.vmware.com/s/article/2144612      -à Deploying or Installing an additional Platform Service Controller 6.0 Update 1b fails during vmafd firstboot (2144612)

Comments

Post a Comment

Popular posts from this blog

VAPI Endpoint service failure

-
VAPI Endpoint service failure  ERROR | state-manager1            | StsBuilder                     | Failed to acquire token for the solution user 2018-11-15T21:50:42.647Z | ERROR | state-manager1            | DefaultStateManager            | Could not initialize endpoint runtime state. com.vmware.vapi.endpoint.config.ConfigurationException: com.vmware.vim.sso.client.exception.AuthenticationFailedException: Provided credentials are not valid.         at com.vmware.vapi.endpoint.cis.StsBuilder.createToken(StsBuilder.java:182)         at com.vmware.vapi.endpoint.cis.StsBuilder.rebuild(StsBuilder.java:77)      ...
Read more

Replacing vROPS Certificates

-
Image
Issue:  When using default certificates in vROPS  Due to security requirements it was necessary to replace the default self-signed certificates with a trusted certificate signed by an internal CA. Unlike vCenter, vROPS uses a common name vc-ops-slice-1 followed by slice-2 for data and other node, where vCenter has SAN names in the default certificate so when you add the root of the local machine trusted store then the vCenter url shows secured. In order to make the secure SSL we have to generate the CSR and get it signed by any third party SSL vendors or our own Microsoft CA.  I will be generating a CSR and getting signed by internal Microsoft CA .We can refer this below article from VMware as reference.  https://kb.vmware.com/s/article/2046591?lang=en_us Steps:  1.The first step is to create a new private key from taking a SSH session to master node vROPS. openssl genrsa -out vrops.key 2048 2. Using the configuration file below make sure to provide de...
Read more

vPostgres service fails to start with Fatal error : bogus postmaster.pid

-
I came across this issue today where vPostgres service was failing on VCSA with error Fatal Error. # service-control --start vmware-vpostgres Perform start operation. vmon_profile=None, svc_names=['vmware-vpostgres'], include_coreossvcs=False, include_leafossvcs=False 2019-11-06T21:38:14.283Z   Service vmware-vpostgres state STOPPED Error executing start on service vmware-vpostgres. Details {     "resolution": null,     "detail": [         {             "args": [                 "vmware-vpostgres"             ],             "id": "install.ciscommon.service.failstart",             "localized": " A...
Read more