VxRail: vCenter Identity Source (IWA) Will Need to be Reconfigured After VxRail Major Version Upgrades 4.5.x to 4.7.x/4.7.x to 7.0.x
Summary: This behavior is expected when upgrading between major vCenter versions. vCenter Identity Source (IWA) requires vCenter to join Active Directory. The migration between vCenter versions removes this connection. Customer should plan for a service interruption during the deployment/migration of settings for the new vCenter/PSC, and the Identity Source must be configured once the new vCenter/PSC is fully functional. IWA REQUIRES A REBOOT of the vCenter and is not recommended during the VxRail LCM. ...
Symptoms
In a 4.7.x PSC, the following error messages in /var/log/vmware/sso/vmware-identity-sts.log show that authentication to the AD server was rejected for XXXXXXX@abc.net.
vmware-identity-sts.log
[2020-01-23T01:33:24.427Z tomcat-http--4 vsphere.local d2739667-060b-4136-a49d-a0c490735ced INFO com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [aduser@EXAMPLE] in tenant [vsphere.local] in [32] milliseconds with provider [sample.ad-domain.example] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
[2020-01-23T01:33:24.427Z tomcat-http--4 vsphere.local d2739667-060b-4136-a49d-a0c490735ced ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]' com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null
In a 7.0.x vCenter, the following error messages in /var/log/vmware/sso/vmware-identity-sts.log show that authentication to the AD server was rejected for XXXXXXX@abc.net.
2022-10-06T22:09:34.482Z ERROR sts[56:tomcat-http--17] [CorId=645b7c2d-0172-4acd-943b-55e7c6df2bb3] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [XXXXXXX@abc.net] for tenant [vsphere.local]com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 851968][null][null]
2022-10-06T22:09:34.552Z INFO sts[56:tomcat-http--17] [CorId=645b7c2d-0172-4acd-943b-55e7c6df2bb3] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [XXXXXXX@abc.net]] in tenant [vsphere.local] in [342] milliseconds with provider [abc.net] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
2022-10-06T22:09:34.603Z INFO sts[56:tomcat-http--17] [CorId=645b7c2d-0172-4acd-943b-55e7c6df2bb3] [com.vmware.identity.sts.InvalidCredentialsException] Censored exception
com.vmware.identity.sts.InvalidCredentialsException: IDM rejected authentication by UPN
2022-10-06T22:09:44.314Z INFO sts[76:tomcat-http--37] [CorId=e9bcf96e-efd2-4350-8341-6f76c5e509e8] [com.vmware.identity.sts.ws.SOAPFaultHandler] Returning a SOAP Fault with code: ns0:FailedAuthentication and description: Invalid credentials
2022-10-06T22:09:45.150Z INFO sts[77:tomcat-http--38] [CorId=c06d54a0-40b3-4bf1-b80d-6c33b48b5101] [com.vmware.identity.sts.ws.handlers.SOAPHeadersExtractor] Found 1 {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Securityheaders
2022-10-06T22:09:45.151Z INFO sts[77:tomcat-http--38] [CorId=c06d54a0-40b3-4bf1-b80d-6c33b48b5101] [com.vmware.identity.sts.impl.STSImpl] Entering issue() token...
2022-10-06T22:09:45.151Z WARN sts[77:tomcat-http--38] [CorId=c06d54a0-40b3-4bf1-b80d-6c33b48b5101] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] There may be a domain join status change since native AD is configured. ActiveDirectoryProvider can function properly only when machine is properly joined
2022-10-06T22:09:45.152Z INFO sts[77:tomcat-http--38] [CorId=c06d54a0-40b3-4bf1-b80d-6c33b48b5101] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] Failed to retrieve default UPN for principal XXXXXXX@abc.net]
com.vmware.identity.idm.InvalidPrincipalException: Principal id XXXXXXX@abc.net] does not exist
Caused by: com.vmware.identity.interop.accountmanager.AccountManagerNativeException: Native platform error [code: 40008][LW_ERROR_NO_SUCH_USER][No such user]
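As an added example (not part of this Dell KB article, and not a VMware tool), the following Python script scans a vmware-identity-sts.log excerpt for the signals quoted above: authentication failures reported by the Active Directory provider, the native error codes 851968 and 40008, and the "domain join status change" warning. It separates the post-upgrade "appliance is no longer joined to the domain" case from an ordinary bad-credential failure against an AD provider that is still joined. The sample log lines are constructed to follow the formats shown on this page (both the 4.7.x PSC and 7.0.x vCenter layouts parse), and the function names, verdict labels and the local-provider line are assumptions of the example.

```python
import re
from collections import Counter
from typing import Dict, List

AD_PROVIDER = "activedirectory.ActiveDirectoryProvider"
JOIN_WARNING = "There may be a domain join status change"

# "Authentication failed for user [...]" lines; the "\]+" tolerates the doubled
# "]]" seen in the 7.0.x excerpt on this page.
AUTH_FAILED = re.compile(
    r"Authentication failed for user \[(?P<user>[^\]]+)\]+ in tenant \[(?P<tenant>[^\]]+)\]"
    r".*?with provider \[(?P<provider>[^\]]+)\] of type \[(?P<type>[^\]]+)\]"
)
NATIVE_ERROR = re.compile(r"Native platform error \[code: (?P<code>\d+)\]")

# Native codes as they appear in this article's log excerpts (not an exhaustive table).
KNOWN_CODES = {
    "851968": "IDM native login failure returned by the AD provider",
    "40008": "LW_ERROR_NO_SUCH_USER (principal lookup against the domain failed)",
}

# Constructed sample modelled on the 7.0.x excerpt above; principal and domain are
# placeholders. The final line (a non-AD provider) is invented to show filtering.
SAMPLE_LOG = """\
2022-10-06T22:09:34.482Z ERROR sts[56:tomcat-http--17] [CorId=645b7c2d] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [user@abc.net] for tenant [vsphere.local]com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 851968][null][null]
2022-10-06T22:09:34.552Z INFO sts[56:tomcat-http--17] [CorId=645b7c2d] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [user@abc.net]] in tenant [vsphere.local] in [342] milliseconds with provider [abc.net] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
2022-10-06T22:09:45.151Z WARN sts[77:tomcat-http--38] [CorId=c06d54a0] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] There may be a domain join status change since native AD is configured. ActiveDirectoryProvider can function properly only when machine is properly joined
2022-10-06T22:09:45.152Z INFO sts[77:tomcat-http--38] [CorId=c06d54a0] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] Failed to retrieve default UPN for principal user@abc.net]
Caused by: com.vmware.identity.interop.accountmanager.AccountManagerNativeException: Native platform error [code: 40008][LW_ERROR_NO_SUCH_USER][No such user]
2022-10-06T22:10:01.000Z INFO sts[80:tomcat-http--40] [CorId=aaaa0000] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [admin@vsphere.local] in tenant [vsphere.local] in [12] milliseconds with provider [vsphere.local] of type [com.example.ConstructedLocalProvider]
"""

# Constructed control sample: an AD failure with no native error and no join warning,
# i.e. what a plain wrong password looks like while the appliance is still joined.
CREDENTIALS_ONLY_LOG = """\
2022-10-06T23:00:00.000Z INFO sts[90:tomcat-http--50] [CorId=bbbb0000] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [user@abc.net] in tenant [vsphere.local] in [55] milliseconds with provider [abc.net] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
"""


def parse_sts_log(text: str) -> List[Dict[str, str]]:
    """Return one event dict per log line that carries a signal we care about."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = AUTH_FAILED.search(line)
        if m:
            event = m.groupdict()
            event["kind"] = "auth_failed"
            events.append(event)
            continue
        m = NATIVE_ERROR.search(line)
        if m:
            events.append({"kind": "native_error", "code": m.group("code")})
            continue
        if JOIN_WARNING in line:
            events.append({"kind": "join_warning"})
    return events


def triage(text: str) -> Dict[str, object]:
    """Classify the excerpt: 'not_joined', 'credentials' or 'none'."""
    events = parse_sts_log(text)
    ad_failures = [e for e in events if e["kind"] == "auth_failed" and AD_PROVIDER in e["type"]]
    codes = Counter(e["code"] for e in events if e["kind"] == "native_error")
    join_warning = any(e["kind"] == "join_warning" for e in events)
    if ad_failures and (join_warning or "851968" in codes):
        # Matches the post-upgrade pattern described in this article: the AD provider
        # fails natively and IDM reports a possible domain join status change.
        verdict = "not_joined"
    elif ad_failures:
        verdict = "credentials"
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "ad_failures": len(ad_failures),
        "ad_users": sorted({e["user"] for e in ad_failures}),
        "native_codes": dict(codes),
        "native_meanings": {c: KNOWN_CODES.get(c, "unknown code") for c in codes},
        "join_warning": join_warning,
    }


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_LOG), ("credentials-only", CREDENTIALS_ONLY_LOG)):
        print(name, triage(sample))
```

To use it against a live appliance, read /var/log/vmware/sso/vmware-identity-sts.log into `triage()`; a `not_joined` verdict after a major VxRail/vCenter upgrade is the expected condition this article describes, and the fix is the Resolution section below (reconfigure the Identity Source, then reboot the PSC/vCenter), not a password reset.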
Cause
This behavior is expected when upgrading between major vCenter versions.
VMware vSphere 7.0 Release Notes
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html
"After upgrading or migrating a vCenter Server with an external Platform Services Controller, if the newly upgraded vCenter Server is not joined to an Active Directory domain, users authenticating using Active Directory will lose access to the vCenter Server instance."
Customer should plan for a service interruption during the deployment/migration of settings for the new vCenter/PSC, and the Identity Source must be configured once the new vCenter/PSC is fully functional.
The example below shows a major upgrade from 4.7.x to 7.0.x after a successful vCenter upgrade: the Identity Source is no longer present, and the vCenter is not joined to the Active Directory domain.

Resolution
The customer must reconfigure their Identity Source, and the configuration change DOES REQUIRE a reboot of the PSC/vCenter to take effect.
VxRail 4.7.x using internal VCSA: only the PSC must rejoin.
Please follow the instructions in https://support.emc.com/docu91266_Joining-VxRail-Supplied-vCSA-and-PSC-to-Active-Directory-Tech-Note.pdf
VxRail 7.0.x Using internal VCSA
vCenter Upgrade Guide - Adding Identity Source
vCenter Server Upgrade - VMware vSphere 7.0 or Add or Edit a vCenter Single Sign-On Identity Source (vmware.com)
VxRail 8.0.x Using internal VCSA Coming soon….
IMPORTANT
Note: A future update to Microsoft Windows changes the default behavior of Active Directory to require strong authentication and encryption. This change impacts how vCenter Server authenticates to Active Directory. If you use Active Directory as your identity source for vCenter Server, you must plan to enable LDAPS. For more information about this Microsoft security update, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html
Additional Information
Other reference:
VMware document "Unable to Log In Using Active Directory Domain Authentication"
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-8C553435-27CD-4410-ACA9-9A84EA1D7334.html
VMware document "Supported AD function level matrix for vSphere"
https://kb.vmware.com/s/article/2071592
This content is available in 15 languages:
https://downloads.dell.com/TranslatedPDF/DE_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/ES_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/ES-XL_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/FR_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/IT_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/JA_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/KO_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/NL_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/PT_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/PT-BR_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/RU_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/SV_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/ZH-CN_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/ZH-TW_KB540807.pdf
https://downloads.dell.com/TranslatedPDF/AR_KB540807.pdf