VMware vSphere FAQ Rollup (18)

Source: Internet
Author: User

Active Directory will not be found as an identity source if vCenter Server Appliance is joined to an Active Directory domain before vCenter Single Sign-On is started (5.1)

This issue may occur when the vCenter Server Appliance is joined to an Active Directory domain during the initial configuration process through the web interface configuration wizard. After configuration, the associated vCenter Server and vCenter Single Sign-On services may run correctly, but Active Directory will not be found as an identity source.

Workaround:

Perform one of the following actions.

Restart the vCenter Server Appliance.

Restart vCenter Single Sign-On, and then restart the vSphere Web Client service.

181. An unauthorized access error is displayed when you click [Log Browser] in the vSphere Web Client (5.1)

When you click [Log Browser] in the vSphere Web Client, an error message appears: Exception: https://<system-address>:12443/vmwb/logbrowser: Unauthorized access. This error occurs after you directly replace the SSL certificate for the default vCenter Single Sign-On server, or after you replace the certificate in vCenter Server Appliance.

Workaround:

1. Log on to the vSphere Web Client as the Single Sign-On administrator.

2. Navigate to [System Management] > [Login and Discovery] > [Configuration] and click on the STS Certificate tab.

3. Click Edit.

4. Select the Single Sign-On SSL keystore.

If Single Sign-On is running on a Windows system, select the following file:

C:\Program Files\VMware\Infrastructure\SSOServer\security\server-identity.jks (default path)

If you are running on Linux (VCenter Server Appliance), select the following file:

/usr/lib/vmware-sso/security/server.jks (default path)

5. Use a text editor or browser to open the Single Sign-On server.xml file. On Windows:

C:\Program Files\VMware\Infrastructure\SSOServer\conf\server.xml (default path)

On Linux:

/usr/lib/vmware-sso/conf/server.xml (default path)

6. Search for keystorePass="..." on the Connector element. The string in quotation marks is your password.

7. Enter the password in the vSphere Web Client when prompted.

8. Select only the displayed chain.

9. Click [OK] and enter the password again.

10. Restart the following services: vSphere Web Client, vCenter Server, vCenter Inventory Service, and VMware Log Browser. There is no need to restart Single Sign-On.

182. vCenter authentication fails when a system (System-Domain) user tries to log on to the vSphere Web Client (5.1)

The default password policy for vCenter System-Domain users specifies that the password expires after 365 days. However, when the user's password is about to expire, vCenter Single Sign-On does not issue a warning.

Workaround: The vCenter Single Sign-On admin user can change the expired password for System-Domain users. Ask the administrator to reset your password. If you are the admin user, use the ssopass command-line tool to reset the password.

On Windows:

1. Open a terminal window and navigate to C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli

2. Run the following command.

ssopass <username>

3. Enter the user's current password, even if the password has expired.

4. Enter the new password, and then enter it again to confirm.

On Linux (vCenter Server Appliance):

1. Open a terminal window and navigate to /usr/lib/vmware-sso/bin.

2. Run the following command.

./ssopass <username>

3. Enter the user's current password, even if the password has expired.

4. Enter the new password, and then enter it again to confirm.

183. Failed to customize Windows virtual machine during cloning or deployment (5.1)

Customization of Windows 2008, Windows 2008 R2, or Windows 7 virtual machines fails in vCenter Server and displays an error: Windows Setup encountered an internal error while loading or searching for an unattended answer file. This issue occurs because the customization specification contains any of the characters &, >, <, or ' in any of the following fields: computer name, registered owner name, or registered organization name.

Workaround:

Do not use special characters for any of these fields.

184. Hardware Status page is not visible in the client on a Windows 2003 system (5.1)

See 193

Fault status

In an ESXi 5.1 environment, on the Windows 2003 operating system, the client cannot display the performance panel page, the Hardware Status page is not visible, and after you enter the vCenter address in Internet Explorer, the page cannot be displayed. On Windows 7 and Windows 2008, however, everything works normally.

Fault analysis

To resolve the issue in Windows XP 64-bit and Windows 2003, you must add these cipher suites:

TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)

TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)

For more information, see the Microsoft Knowledge Base article http://support.microsoft.com/kb/948963. However, this Microsoft hotfix does not apply to Windows XP 32-bit.

To work around the issue in Windows XP 32-bit:

Caution: VMware does not recommend or support this workaround. Use this at your own risk.

On the vCenter Server machine, go to %program_files%\VMware\Infrastructure\tomcat\conf.

Open the server.xml file using a text editor.

Locate this XML element:

<Connector port="8443" ...></Connector>

Modify the ciphers attribute similar to:

ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

Workaround

Download the patch from the Microsoft web site: http://hotfixv4.microsoft.com/Windows%20Server%202003/sp3/Fix192447/3790/free/351382_CHS_i386_zip.exe

Restart Windows 2003 after installing the patch, and then restart the vCenter service.
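
The ciphers list in the unsupported workaround above includes RC4, MD5-based and 3DES suites, and step 6 of item 181 relies on keystorePass being stored in clear text in server.xml. The following added example (not VMware code; the sample XML, the marker table and the function name audit_server_xml are constructed for illustration) parses a Tomcat-style server.xml and reports, per Connector port, which configured suites are weak and whether a plaintext keystore password is present, without ever returning the password itself:

```python
import xml.etree.ElementTree as ET

# Name fragments that mark a cipher suite as weak, with the reason.
WEAK_MARKERS = {
    "_RC4_": "RC4 stream cipher",
    "_MD5": "MD5 MAC",
    "_3DES_": "3DES (64-bit block)",
    "_EXPORT": "export-grade key",
    "_NULL_": "no encryption",
    "_anon_": "no authentication",
}

# Constructed sample, modelled on the Connector edit described above.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" keystorePass="constructed-secret"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <Connector port="8080"/>
</Service></Server>"""


def audit_server_xml(xml_text):
    """Return {port: findings} for every Connector element in server.xml."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        raw = conn.get("ciphers", "")
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        weak = {}
        for suite in suites:
            reasons = [why for marker, why in WEAK_MARKERS.items()
                       if marker in suite]
            if reasons:
                weak[suite] = reasons
        report[conn.get("port", "?")] = {
            "suites": len(suites),
            "weak": weak,
            # Record only that a password is present, never its value.
            "plaintext_keystore_pass": conn.get("keystorePass") is not None,
        }
    return report


if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, finding)
```

A Connector that reports plaintext_keystore_pass should have its server.xml readable only by the service account and administrators.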

185. vCenter service fails to start after the vCenter 5.1 server restarts (5.1)

The newly released VMware vSphere 5.1 adds a vCenter role called SSO (Single Sign-On). All other services, such as vCenter Server, Web Client and Update Manager, need to connect to the SSO role, so SSO must be installed when installing VMware vSphere vCenter 5.1, and it must be the first role installed. Otherwise, the other roles will not install properly.

However, the current vSphere SSO is not very stable: after you restart the SSO server, you may find that the SSO service is running but the vCenter service does not come up. The official knowledge base lists the following scenarios in which vCenter 5.1 fails to start after an SSO restart:

1. The host name of the SSO server has changed, including the host joining or leaving a domain.

When updates were applied to the operating system, the machine name changed, or the machine was added to or removed from an Active Directory domain. These changes prevent the SSO server from starting and, as a result, vCenter Server does not start.

2. The hardware configuration of the SSO server has changed, such as memory size, number of CPUs, MAC address, etc.

If you clone or change the parameters of a virtual machine where SSO is installed (such as the amount of RAM, the number of CPUs, or the MAC address), SSO fails to start.

The following error log is seen in the vpxd.log file on the VMware vCenter 5.1 server:

2012-09-24T22:18:46.534-04:00 [04584 info 'authvpxdmosessionmanager'] [sso][sessionmanagermo::init] downloading STS Root certificates ...

2012-09-24T22:18:46.534-04:00 [04584 verbose '[Sso][ssocertificatemanagerimpl]'] [Initconfigmanagementservice]

2012-09-24T22:18:46.534-04:00 [04584 verbose '[Sso][ssocertificatemanagerimpl]'] [createadminssoservicecontent] Connecting to SSO Admin Server ...

2012-09-24T22:18:46.534-04:00 [04584 trivia 'vmomi.soapstub[0]'] sending SOAP request to []: retrieveservicecontent {}

2012-09-24T22:18:46.534-04:00 [04584 trivia 'HttpConnectionPool-000001'] [Incconnectioncount] number of connections to incremented to 1

2012-09-24T22:18:46.534-04:00 [04584 trivia 'HttpConnectionPool-000001'] [poppendingconnection] Found pending Connection to

2012-09-24T22:18:46.534-04:00 [04584 trivia 'vmomi.soapstub[0]'] Request started [class vmacore::http::useragentimpl::asyncsendrequesthelper:000000000df7fa68]

2012-09-24T22:18:46.534-04:00 [04280 trivia 'Default'] SSLStreamImpl::DoClientHandshake:verifyPeerName (vchostname.test.vmware.net), Peercertdigest (), unverifiedaction (fail)

2012-09-24T22:18:46.549-04:00 [06108 info 'Default'] Thread attached

2012-09-24T22:18:46.627-04:00 [04280 trivia 'vmomi.soapstub[0]'] Request completed [class vmacore::http::useragentimpl::asyncsendrequesthelper:000000000df7fa68]

2012-09-24T22:18:46.627-04:00 [04584 trivia 'HttpConnectionPool-000001'] [Decconnectioncount] number of connections to decremented to 0

2012-09-24T22:18:46.627-04:00 [04584 error 'Vpxdvpxdmain'] [vpxd::serverapp::init] Init failed: unexpected exception

2012-09-24T22:18:46.627-04:00 [04584 trivia 'vpxprofiler'] ctr:totaltime = 13353 ms

The following error can be seen in the C:\Program Files\VMware\Infrastructure\SSOServer\utils\logs\discover-is.log log of the SSO server:

2012-09-24 23:40:49,962-vchostname.test.vmware.net,,,, executing action: 'Discover-is'

2012-09-24 23:40:49,962-vchostname.test.vmware.net,,,, discovering identity sources

2012-09-24 23:40:50,942-vchostname.test.vmware.net,,,, Error: bean (primarycommandtarget) initialization failure

com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.

com.rsa.common.SystemException: Bean (Primarycommandtarget) initialization failure

com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.

Caused by: com.rsa.ims.components.ComponentFailureException: Unable to load bean named Primarycommandtarget

Note: You can run this command to see if error messages are still present in discover-is.log:

C:\Program Files\VMware\Infrastructure\SSOServer\utils>ssocli.cmd configure-riat -a discover-is -u admin -p

Workaround:

Log in to the SSO server, run cmd as administrator, and switch to the following directory:

C:\Program Files\VMware\Infrastructure\SSOServer\utils

Run the following command:

rsautil manage-secrets -a recover -m Masterpassword

Replace Masterpassword with the password for the [email protected] account.

Then restart the SSO service.

Finally, restart the vCenter service.
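
The two log signatures above can be checked together before running the recovery command. This added example (not from VMware or the original post; the function names, diagnosis labels and sample lines are constructed, modelled on the excerpts above) scans vpxd.log and discover-is.log text and reports the machine-binding cause only when the SSO-side exception is present, so that an unrelated vpxd init failure is not misattributed:

```python
import re

# Signatures from the excerpts above, matched case-insensitively.
SIGNATURES = {
    "sts_download": re.compile(r"downloading STS root certificates", re.I),
    "vpxd_init_failed": re.compile(r"\[vpxd::serverapp::init\]\s*init failed", re.I),
    "binding_broken": re.compile(r"SystemModificationThresholdException", re.I),
}

# Constructed sample lines modelled on the excerpts above.
SAMPLE_VPXD = """\
2012-09-24T22:18:46.534-04:00 [04584 info 'authvpxdMoSessionManager'] [SSO][SessionManagerMo::Init] Downloading STS Root certificates ...
2012-09-24T22:18:46.627-04:00 [04584 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Unexpected exception
"""
SAMPLE_DISCOVER = """\
2012-09-24 23:40:50,942 - vchostname.test.vmware.net,,,,Error: Bean (primaryCommandTarget) initialization failure
com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.
"""


def scan(text):
    """Map each signature name to the 1-based line numbers where it matches."""
    hits = {name: [] for name in SIGNATURES}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits


def diagnose(vpxd_text, discover_text):
    """Classify the failure from the contents of the two log files."""
    vpxd, sso = scan(vpxd_text), scan(discover_text)
    failed = vpxd["vpxd_init_failed"]
    # vpxd died while contacting SSO if an STS download precedes the failure.
    during_sso = bool(failed) and any(n < failed[-1] for n in vpxd["sts_download"])
    if sso["binding_broken"]:
        return "sso-machine-binding" if during_sso else "sso-machine-binding-vpxd-unconfirmed"
    if failed:
        return "vpxd-init-failed-other-cause"
    return "no-match"


if __name__ == "__main__":
    print(diagnose(SAMPLE_VPXD, SAMPLE_DISCOVER))
```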
