Sponsors

Friday, 10 March 2017

Infrastructure admin account unable to access infrastructure tab "error: 401 – Unauthorized"

In my previous post "Tenant page never loads in vRA 6.x when logged in with administrator@vsphere.local", I tried to demonstrate the issue that can occur due to mismatch in Certificate common name and vRA appliance hostname. To fix the issue, I had regenerated the certificate with correct common name.

However later I noticed the below issue, when tried to configure endpoints as Infrastructure admin.



I was not able to access any options under Infrastructure Tab, though i logged in with infrastructure admin. For each option clicked, I was getting 401 - Unauthorized: Access Denied as in screenshot above.

I verified all the required permissions, services and all of it was correct.

However, I remembered the configuration that I did to fix the tenant page loading issue from the post mentioned i.e. Tenant page never loads in vRA 6.x when logged in with administrator@vsphere.local. I had regenerated the certificate with corrected common name to match hostname and that breaks the trust with other components.

When you replace a certificate for a vRealize Automation component, components that have a dependency on this certificate are affected. You must register the new certificate with these components to ensure certificate trust.

You should update components in the following order:
  1. Identity Appliance 
  2. vRealize Appliance 
  3. IaaS components 
Generally changes made to later components in this list do not affect earlier ones. For example, if you import a new certificate to a vRealize Appliance, you must register this change with the IaaS server, but not with the Identity Appliance.

However, there is one exception is that an updated certificate for IaaS components must be registered with vRealize Appliance.

The following table shows registration requirements when you update a certificate.
Image: VMware

For more details and certificate supportability, requirements and troubleshooting, check VMware KB 2106583

Solution:
To fix this issue, foollow the steps below. You need to perform these steps on the IAAS server

  • Navigate to  C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe

  • To update the vRA certificate for the IAAS server run below command:
vcac-config.exe UpdateServerCertificates -d <vCAC Database name> -s <servername> –v



  • On command prompt, run IISReset command in order to restart the web services for changes to take effect.
  • Verify that you can access infrastructure tab now.


Hope this helps!!!!!!





Thursday, 9 March 2017

Error 'Unable to authenticate user. Please try again' when logging to vRA 6.x/7.x VAMI page

Symptoms:
  • Logging in to the VMware Appliance Management website fails with error message as "Unable to authenticate user. Please try again"



  • You can successfully log in to the console of the appliance using the same root account with the same password.


Cuase:

This issue occurs when the root password expires. The appliance root account password expiration is defined to be 365 days. If the password is not changed before this time passes the root user cannot log in to the Appliance management console. 

Resolution:

  • Log in to the appliance using your root account.


  • You can reset the password by running the command: passwd root



  • This will reset the root password for another 365 days. 

  • Alternatively, if you do not wish to change password, you can extend the root password expiry date by running this command:


  • To check the password settings, run this command: chage -l



  • In this example, I changed "Maximum Password Age" to 99999. Rest all values are defaults. However, ensure that you verify with internal policies of your organisation prior to applying this setting.

  • Once the required change is done, you can verify the access is restored.



I hope this helps!!!!!

Wednesday, 8 March 2017

Tenant page never loads in vRA 6.x when logged in with administrator@vsphere.local

When I was trying to configure vRA 6.x during initial setup, I came across this issue. Below is the screenshot of the same.



As you can see in above screenshot, vRA 6.x portal is loaded fine, however the tenant page is stuck in loading state. Even the default tenant is also not visible. If you try to click on any other option, you may get error message like one I had as below.


In the vRealize Automation /var/log/vmware/vcac/catalina.out log file, you see entries similar to:


TypeError: Cannot read property 'gadgets' of undefined

The Host settings tab in the VMware vRealize Automation Appliance webpage reports the warning message: (as in image below).

Warning! Certificate's Common Name doesn't match vCloud Automation Center Server host name.


CauseThis issue occurs due to a mismatch between the VMware vRealize Automation Host Settings (hostname) and the SSL Certificate assigned to the VMware vRealize Automation Appliance.

As you can see in above screenshot of host settings tab, my hostname of vRA is vcac01.vclass.local, however, the common name for SSL is just vclass.local. 

Solution:
  • Update the VMware vRealize Automation SSL Certificate so that it matches the Host name and verify that no errors are reported in the SSL tab.
  • Go to SSO tab, re-enter the administrator credentials and click Save Settings.
  • After the SSO is registered, wait for 10-20 minutes for the services to register
Once all the corrections done, all started working fine for me as in screenshot below.



For additional troubleshooting details, do refer VMware KB2079381.

Popular Posts This Week