Monday, June 17, 2013

VMware vCenter - A general system error occurred: Authorize Exception



Last week, one of our datacenters needed maintenance which required all systems to be powered off. Once the maintenance was completed, we began powering up the storage arrays, SQL servers and the physical Domain Controllers. The physical vCenter server was then powered on and the vCenter Server Service and SSO services proceeded to start successfully. However, upon attempting to log into vCenter using my AD account, I received the following error:

Using the web client (https://vCenterServer:9443/vsphere-client/), I logged in using the admin@System-Domain account. I took a look at the Single Sign On (SSO) config and noticed that both Domain Controllers associated with our Active Directory Identity Source were virtual, and neither was powered on. The error was caused by SSO being unable to connect to one of the Domain Controllers listed in the config.

You can also see which servers are used with the Identity Source by looking at the following file on the SSO server.


C:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\WEB-INF\classes\krb5.conf  


To resolve the issue, I disabled Lockdown Mode on the ESXi servers hosting the virtual DCs using the Dell DRAC. I then pointed the vSphere Client directly to the ESXi host to power on the DCs. After confirming both DCs were up, I restarted the vCenter server. I was then able to successfully log in using my domain account.

To prevent this from occurring in the future, I added a physical DC as an Identity Source.
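As an added example (not part of the original post and not VMware code), the following sketch lists the KDC entries in a krb5.conf such as the SSO file mentioned above and reports which of them do not answer on the Kerberos port. It assumes the file uses standard krb5.conf syntax with `kdc` entries under `[realms]`; the sample content, realm and hostnames are constructed, and the function names are hypothetical.

```python
import re
import socket

# Constructed sample in standard krb5.conf syntax; realm and hostnames are made up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.LOCAL
[realms]
    EXAMPLE.LOCAL = {
        kdc = dc01.example.local:88
        kdc = dc02.example.local
    }
"""

def parse_kdcs(text):
    """Return (realm, host, port) per kdc entry in [realms]; port defaults to 88."""
    kdcs, section, realm = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
            continue
        if section != "realms":
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value.startswith("{"):         # "REALM = {" opens a realm block
            realm = key
        elif key.startswith("}"):         # end of the realm block
            realm = None
        elif key == "kdc" and realm:
            host, sep, port = value.rpartition(":")   # hostnames/IPv4 only
            kdcs.append((realm, host, int(port)) if sep and port.isdigit()
                        else (realm, value, 88))
    return kdcs

def tcp_reachable(host, port, timeout=3.0):
    """TCP connect test; an open port does not prove the KDC is healthy."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def unreachable_kdcs(text, probe=tcp_reachable):
    """Configured KDCs the probe cannot reach."""
    return [kdc for kdc in parse_kdcs(text) if not probe(kdc[1], kdc[2])]
```

To check a real server, read the krb5.conf at the path given above and pass its text to `unreachable_kdcs`; if every configured KDC comes back in the result, SSO has no Domain Controller to authenticate against.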
