Wednesday, 5 December 2012

vSphere: A general system error occurred: Authorize Exception

This article may help you if the solution from the VMware Knowledge Base article titled "vCenter Server login fails with error: A general system error occurred: Authorize Exception" does not help.

Symptoms (as from KB)

  • vCenter Server services are running, but a user that was previously able to log into vCenter Server no longer can
  • A local admin account is able to log in, but domain users cannot
  • You see this error:

    A general system error occurred: Authorize Exception

Additionally

  • Re-joining the domain doesn't help
  • The primary (and secondary) Domain Controllers that were used before have been changed
  • C:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\WEB-INF\classes\krb5.conf contains wrong kdc entries.
    NB: Don't try to edit this file. It's automatically generated.
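Since the generated krb5.conf must not be edited by hand, a read-only check is the safest way to confirm that SSO is still pointing at decommissioned DCs. The script below is an added example and is not part of the original post or any VMware tooling; it parses the `[realms]` section of a constructed krb5.conf sample and compares its `kdc` hosts against a hypothetical list of the DCs currently serving the domain (which you would obtain separately, e.g. from the `_kerberos._tcp` SRV record).

```python
import re

# Constructed krb5.conf sample (not copied from any real system): the kdc
# entries still name the old domain controllers.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = COMPANY.COM

[realms]
    COMPANY.COM = {
        kdc = olddc1.company.com:88
        kdc = olddc2.company.com:88
        default_domain = company.com
    }
"""


def parse_kdcs(krb5_text):
    """Return {REALM: [kdc host, ...]} from the [realms] section of a krb5.conf."""
    realms, current, in_realms = {}, None, False
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if line.startswith("["):           # new section header
            in_realms = line.lower() == "[realms]"
            current = None
            continue
        if not in_realms or not line or line.startswith("#"):
            continue
        m = re.match(r"([\w.\-]+)\s*=\s*\{", line)   # REALM = {
        if m:
            current = m.group(1).upper()
            realms.setdefault(current, [])
            continue
        if line == "}":
            current = None
            continue
        m = re.match(r"kdc\s*=\s*([\w.\-]+)(?::\d+)?$", line)  # kdc = host[:port]
        if m and current:
            realms[current].append(m.group(1).lower())
    return realms


def stale_kdcs(krb5_text, current_dcs):
    """KDC hosts in krb5.conf that are not among the DCs currently in use."""
    live = {dc.lower() for dc in current_dcs}
    return {realm: [k for k in kdcs if k not in live]
            for realm, kdcs in parse_kdcs(krb5_text).items()}


if __name__ == "__main__":
    # Hypothetical list of the DCs that replaced the old ones.
    current = ["newdc1.company.com", "newdc2.company.com"]
    for realm, bad in stale_kdcs(SAMPLE_KRB5_CONF, current).items():
        print(realm, "stale kdc entries:", bad)
```

On a real vCenter host you would read the file from the path given above instead of the embedded sample; any host reported as stale is a DC that SSO will still try to bind to.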

Cause

  • The Single Sign-On service uses the old DC name(s) when it binds to Active Directory

Resolution

  1. Install the vSphere Web Client (remember that you must use the admin@System-Domain username to connect it to SSO)
  2. Log in to the Web Client (https://vcenter.company.com:9443/vsphere-client/) using the SSO admin account, admin@System-Domain
  3. On the Administration page, select the Configuration menu under the Sign-on and Discovery section
  4. Select the desired identity source (type: Active Directory), click Edit and write down (or screenshot) all of the connection options
    I want to point out that in my case, changing the server URLs had no effect: no changes were saved after OK was pressed, so...
  5. Remove the old identity source and add a new one with the same parameters but with the new server URLs
  6. Done



Not important

To be honest, it was the most interesting issue of the last couple of months. Mostly because any other issue I faced had already been solved by someone else, so any problem was solved by following the obvious scenario: Problem -> logs -> google -> solution.

Now I had to switch on my imagination, because all solutions for the "Authorize Exception" problem suggested re-joining AD and/or fixing AD/DNS problems. So we spent several hours fixing non-existent problems.

Well, we knew that the Domain Controllers had been changed, but we completely forgot about SSO, and nobody knew/remembered that SSO uses its own configuration (based on MIT Kerberos) to bind to AD.

But even when the problem was located, I spent the next couple of hours examining SSO logs and trying to find where the AD discovery configuration can be changed. It's a pity that it's not possible to configure it via some CLI (at least I didn't find anything).

Hope this article helps. If so, I would appreciate it if you would consider leaving a comment.

13 comments:

  1. Hi Friend,

    Thanks for posting this article, but I installed vCenter using SIMPLE INSTALL and never had to input a password for admin@system-domain.
    Now, when I go to install the VMware Web Client, I get the option to key in the password and no matter what I type it doesn't work :(. SSO is definitely installed because when I chose the option to install it separately it says the wizard will uninstall it. Not sure if I should be un-installing it??

    1. Have you tried with no (empty) password?

  2. Thanks for this! I've been pulling my hair out on this one for about a week now. Now if only I had remembered the SSO admin password; thankfully the possible list was short and I didn't have to call VMware.

  3. This comment has been removed by the author.

  4. Thank you for your article!
    I've got a similar problem after installing a new domain controller ...

    After your tip, it resolved the problem!

  5. Hello

    Just a thanks for your article. I had tried the "official" method at http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1015639 but it made no difference.

    Cheers.

  6. Thank you guys!
    Appreciate your comments. It inspires me to share more.

  7. Dude, thank you so much for spending the time to put up this post. However I am having an issue. I was able to install and log into the web client but when I look for the SSO/AD/LDAP configuration shown in your screenshot, my setup doesn't have it listed! What am I doing wrong? Here is a link to a screenshot of what I am seeing. Any help would be awesome

    http://www.screencast.com/t/JP1TrgZt

    1. Sign-on and Discovery Configuration is available only for the built-in account admin@System-Domain.
      Hope this helps.

  8. Thank you for this! FWIW, editing the Identity Source was useless for me as well—I also had to purge the existing one and create a new one. That said, when creating a new one, clicking Test Connection always failed! The ONLY time Test Connection succeeded was after I clicked OK and then "re-Edited" the source.

    Cheers!

  9. Same as Daniel. Tried to test it when making it and it failed.
    Saved anyway then edited and retested and it was ok.
