Tag Archives: Single Sign On

The authentication server returned an unexpected error

Posted on March 12, 2014 | Leave a comment

I came in this morning only to be greeted by my web client telling me that I can’t login because it can’t create SAML 2.0. I am not sure that I really want it creating SAML 2.0….I don’t know SAML 1.0. Ok, bad joke. Here was the message…

I found KB2034798 at which point I remoted into my SSO server and checked the imsTrace.log for “NetUserGetLocalGroups”. I didn’t find it…so the KB didn’t apply to me…L

After some more googling I found this blog post that indicated that references KB2043070. The idea is that there is a local identity source within SSO that it is trying to authenticate the users to. You have to login with the admin@system-domain account and password. Hopefully you saved this when setting up your SSO server. The only problem I had was that I didn’t have this local identity source to remove.

I thought to myself, that there might be a stale identity source on the list that it is authenticating to. I was talking to a coworker and they mentioned that there was a domain that was deleted the day before. AHAH!! I clicked on the identity source of the domain that had been removed and then clicked “Test Connection”. There was an error that didn’t tell me much.

3-12-2014 2-42-32 PMI cancelled out and was back at my list of identity sources. I selected the identity source that had been removed from AD and I hit the red X, “Delete Identity Source”. You will get a prompt asking for you to confirm. One thing to note is that the identity source that I deleted was not one of the default domains at the bottom. If you haven’t set a default domain up, I would do that now. I am wondering if there might be a bug that uses the identity source at the top of the list instead of the default at the bottom. After deleting the state Identity Source I was able to login again.


Leave a comment

Posted in Single Sign On, VMware Vcenter Server, VMware Vsphere 5

Tagged , , ,

Part 2 — vCenter 5.1 U1 — Creating and installing SSL certs for SSO.

Posted on June 17, 2013 | 1 comment

Installing Certificates with the VMware SSL Certificate Automation Tool

  1. From and administrative prompt run c:\vmwarecerttool\ssl-environment.bat.  This is important because it sets the variables that we edited early on.
    sslenvironment
  2. Next run c:\vmwarecerttool\ssl-updater.bat
    Step2
  3. At this point backup all VMware Databases (VCDB, RSA, and VCU).  Also take a VMware snapshot of the three VMware VMs.
  4. Select Option 1 and then Option 8.  Print out the Detailed Plan.
    Detailedplan
  5. Press 9 to go back to the main menu and then choose option 3, “Update Single Sign-on”.  Say a huge prayer and then press 1 to “Update the Single Sign-on SSL Certificate.  You will be prompted for the Single Sign-on master password.  Did you remember to write down your single sign-on master password?  You will need this many times during this install.
    Step1

    Hopefully it was successful…
    successfulmessage
  6. Switch to the vCenter Inventory Service Server.  From an administrative prompt run c:\vmwarecerttool\ssl-environment.bat and then c:\vmwarecerttool\ssl-updater.bat.  Select Option 4 “Update Inventory Service” and then option 1 “Update the Inventory Service Trust to Single Sign-On.
    Step3
  7. Select option 3, “Update the Inventory Service SSL Certificate”.  You will be prompted for the SSO admin password.
    Step4
  8. Login to the vCenter Server.  From an administrative prompt run c:\vmwarecerttool\ssl-environment.bat and then run c:\vmwarecerttool\ssl-updater.bat.  Choose option 5, “Update vCenter Server” and then option 1, “Update the vCenter Server Trust to Single Sign-On”.
    Step5
  9. Make sure that you created an administrator account within vCenter to use for this install.  This will be needed for the next step!
  10. Select option 2, “Update the vCenter Server SSL Certificate”.  You will need the passwords for your vcenter administrator, SSO admin, and the vCenter system database password.
    Step6
  11. Next, select option 3, “Update the vCenter Server Trust to the Inventory Service”.
    Step7
  12. Go back to the Inventory Service Server and choose option 2, “Update the Inventory Service Trust to vCenter Server”.
    Step8

  13. Switch again to the vCenter Server and select option 5 to get to the main menu, and then option 6, “Update vCenter Orchestrator (vCO)”.  Select option 1, “Update the vCenter Orchestrator Trust to Single Sign-On”.
    Step9
  14. Select option 2, “Update the vCenter Orchestrator Trust to Single Sign-On”.
    Step10
  15. Select option 3, “Update the vCenter Orchestrator (vCO) SSL Certificate”.
    Step11
  16. Select option 5 to go back to the main menu.  Select option 7, “Update vSphere Web Client and Log Browser”.  Now select option 1, “Update the Web Client Trust to Single Sign-On”.  You will be prompted for the SSO admin password.
    Step12
  17. Now choose option 2, “Update the Web Client Trust to Inventory Service”.
    Step13
  18. Continue with option 3, “Update the Web Client Trust to vCenter Server”.
    Step14
  19. Next choose option 4, “Update the Web Client SSL Certificate”.  You will be prompted for the SSO admin password.
    Step15
  20. Continue by selecting option 5, “Update the Log Browser Trust to Single Sign-On”.  This will ask you for the SSO admin password.
    Step16

The last item for the certification tool is to choose option 6, “Update the Log Browser SSL Certificate”.  This will ask you for the SSO admin password.

Updating VUM SSL Certificate

  1. Backup all the files in the directory below.  Copy the rui.key, rui.crt, and rui.pfx files from the c:\certs\vum directory to c:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL
  2. Stop the VMware vSphere Update Manager Service.
    Step18
  3. In the C:\Program Files (x86)\VMware\Infrastructure\Update Manager directory launch the VMwareUpdateManagerUtility.exe application.
  4. Login to the vCenter server using proper credentials.
    Step19
  5. Click on the SSL Certificate option on the left side then check the box on the right side and click Apply.
    Step21
  6. If all goes well you should see the window below.  Restart the service as directed.
    Step22Go Back to Part 1
    https://favoritevmguy.wordpress.com/2013/06/17/part-1-vcenter-5-1-u1-creating-and-installing-ssl-certs-for-sso/

 

1 Comment

Posted in Single Sign On, VMware Vcenter Server, VMware Vsphere 5

Tagged , , , , ,