Wednesday, 5 December 2012

vSphere: A general system error occurred: Authorize Exception

This article may help you, if  solution from VMware Knowledge Base titled vCenter Server login fails with error: A general system error occurred: Authorize Exception not helps.

Symptoms (as from KB)

  • vCenter Server services are running, but a user that was previously able to log into vCenter Server no longer can
  • A local admin account is able to log in, but domain users cannot
  • You see this error:

    A general system error occurred: Authorize Exception

Additionally

  • Re-joining to domain don't help
  • Your primary (and secondary)  Domain Controllers which was used before were changed
  • C:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\WEB-INF\classes\krb5.conf contains wrong kdc entries.
    NB: Don't try to edit this file. It's automatically generated.

Cause

  •  Single-Sign-On service uses old DC name(s) when binds to Active Directory

Resolution

  1.  Install vSphere WebClient (don't forget that you should use admin@System-Domain username in order to connect it with SSO)
  2. Login to Web Client (https://vcenter.company.com:9443/vsphere-client/) using SSO admin account - admin@System-Domain
  3. On Administration page select Configuration menu under Sign-on and Discovery section
  4. Select the desired identity source (type - Active Directory), click Edit and write down (printscreen) all of the connection options
    Want to point out, that in my case, changing server URLs has no effect - no changes was saved after OK was pressed, so...
  5. Remove old identity source and add a new one, with the same parameters, but with new server URLs
  6. Done



Not important

To be honest - it was the most interesting issue for last couple of month. Mostly because any other issue I faced was already solved by someone else, so any problem was solved by following the obvious scenario: Problem -> logs - > google -> solution.

Now I have to switch on my imagination, because all solutions for "Authorize Exception" problem suggested to re-join to AD and/or fix AD/DNS problems. So we spent several hours fixing non-existing problems.

Well, we knew that Domain Controllers were changed, but we forgot completely about SSO, and nobody knew/remember that SSO uses it's own configuration (based on MIT kreberos) in order to bind to AD.

But even when the problem was located, I've spent next couple hours examining SSO logs and trying to find where AD discovery configuration can be changed. It's a pity, that it's not possible to configure by some CLI (at least I didn't find anything).

Hope this article helps. If so, I would appreciate if you consider to leave a comment.

27 comments:

  1. Hi Friend,

    Thanks for posting this article, but I install VCENTER using SIMPLE INSTALL and never had to input a password for admin@system-domain.
    Now, when I go to install VMware Web Client, I get the option to key-in the password and no matter what I type it doesn't work :(. SSO is definitely installed because when I chose the option to install it separately it says wizard will uninstall it. Not sure if I should be un-installing it??

    ReplyDelete
    Replies
    1. Have you tried with no (empty) password?

      Delete
  2. Thanks for this! I've been pulling my hair out on this one for about a week now. Now if only I had remembered the SSO admin password, thankfully the possible list was short and I didn't have to call vmware.

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete
  4. Thank you for your article !
    I've got a similar problem after install a new domain controller ...

    After your tip, it resolves the problem !

    ReplyDelete
  5. Hello

    Just a thanks for your article. I had tried the "official" method at http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1015639 but it made no difference.

    Cheers.

    ReplyDelete
  6. Thank you guys!
    Appreciate your comments. It inspires me to share more.

    ReplyDelete
  7. Dude, thank you so much for spending the time to put up this post. However I am having an issue. I was able to install and log into the web client but when I look for the SSO/AD/LDAP configuration shown in your screenshot, my setup doesn't have it listed! What am I doing wrong? Here is a link to a screenshot of what I am seeing. Any help would be awesome

    http://www.screencast.com/t/JP1TrgZt

    ReplyDelete
    Replies
    1. Sign-on and Discovery Configuration is available only for the builtin account admin@System-Domain.
      Hope this helps.

      Delete
  8. Thank you for this! FWIW, editing the Identity Source was useless for me as well—I also had to purge the existing one and create a new one. That said, when creating a new one, clicking Test Connection always failed! The ONLY time Test Connection succeeded was after I clicked OK and the “re-Edited” the source.

    Cheers!

    ReplyDelete
  9. Same as Daniel. Tried to test it when making it and it failed.
    Saved anyway then edited and retested and it was ok.

    ReplyDelete
  10. Thanks so much! This really helped me with my issue, I kept trying to edit the identity source with no luck. Deleting and creating a new source fixed things for me!

    Thanks again

    ReplyDelete
  11. Just to mention, we had similar issue symptoms and tried this fix without success intiially.
    It turned out that the Domain Controller certificate had expired (organisation not yet implemented auto-enrollment). It could be worth checking with your domain administrator if you find that re-adding the identity fails with a bind error.

    ReplyDelete
    Replies
    1. I'm having this same issue with no longer being able to sign into vsphere using domain account. The DC certificates had expired which I have since replaced, however I still get the Authorize Exception error. Rejoining the server did not help, I don't have the web client installed, but thinking that is my next step to attempt to resolve this.

      Delete
  12. thanks!
    damn, followed alot of guidelines, but only this one works, nice man!

    ReplyDelete
  13. thanks!
    damn, followed alot of guidelines, but only this one works, nice man!

    ReplyDelete
  14. Legendry....really appreciate this

    ReplyDelete
  15. There are some command line tools for this in the VMWare\Infrastructure\SSOServer\utils directory. Check out the ssocli.cmd configure-riat -a discover-is -u AdminAccount for finding a new domain. If you get real adventurous, you can also do a manual add of a domain through this method.

    Unfortunately, that doesn't solve my issue. The "Configure" area doesn't show up in the Web Client and those tools don't work.

    ReplyDelete
  16. There are some command line tools for this in the VMWare\Infrastructure\SSOServer\utils directory. Check out the ssocli.cmd configure-riat -a discover-is -u AdminAccount for finding a new domain. If you get real adventurous, you can also do a manual add of a domain through this method.

    Unfortunately, that doesn't solve my issue. The "Configure" area doesn't show up in the Web Client and those tools don't work.

    ReplyDelete
  17. Awesome. You rock! This is exactly what I was looking for. Thanks a bunch.

    ReplyDelete
  18. Thanks so much, this resolved an authentication problem we ran into when migrating our root certificate authority as well.

    ReplyDelete
  19. Hi thank you so much, for his article, it helps me a lot

    ReplyDelete
  20. Very valuable information : Thank you! You solved my issue ;o)

    ReplyDelete
  21. Thank you very much for this information, it worked for me.
    VMware KB 1015639 should contain this information!
    Additionally, while trying to log in with the admin@system-domain account, I ran into another issue. After providing credentials, I received "Associated user's password is expired". This can be resolved, using VMware KB 2060150.

    Best Regards,

    Paul

    ReplyDelete