VMware vRealize Automation 6.0.x tenants are inaccessible and identity stores disappear (2075011)
In vRealize Automation (formerly known as vCloud Automation Center) 6.0.x, 90 days after deployment of a template you experience issues similar to:
When attempting to log in to a tenant, a blank page is displayed with a Submit button in the upper left corner.
You receive a System Exception error when accessing the tenant identity store configuration page and the identity store configuration has disappeared.
Cannot log in to a tenant using an LDAP account.
Unable to add a new identity store configuration to the affected tenant.
The tenant identity store disappears from the SSO Administrator login.
In the catalina.out log file, located at /var/log/vmware/vcac/, you see entries similar to:
12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
YYYY-03-18 12:40:49,201 [tomcat-http--34] [authentication] ERROR com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleUnexpectedException:820 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
com.vmware.vim.sso.client.exception.InternalError: Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
In the messages.log file on the Identity Appliance, located at /var/log/, you see entries similar to:
T16:50:18-05:00 lsassd: GSSAPI Error: The referenced context has expired (Unknown error)
T08:34:41-06:00 vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)
T11:58:03-06:00 lsassd: GSSAPI Error: The referenced context has expired (Unknown error)
.....
Account "cn=tenantadmin,cn=users,dc=qic" password expired and caused login/bind from IDM to fail.
YYYY-03-18T11:38:46-06:00 denqca3vcacid01 vmdird: t@140689332778752: LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)
This issue occurs because the password of the SSO internal tenant admin account expires after 90 days.
By default, the SSO internal tenant admin password expires in 90 days. This expiration period can be changed, or password expiration can be disabled. After the password expires, the vRealize Automation authentication service can no longer log in to SSO with the old password, so tenant logins and identity store operations fail.
Note: This issue is internal to vRealize related SSO authentication and does not affect external OpenLDAP, Active Directory, or other LDAP configurations.
The current workflow user interface does not give any notification that the password is about to expire.
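Because the user interface gives no warning, a check over the two logs quoted above is the practical way to spot this condition before tenant users report it. The following Python script is an added example, not part of the original article and not VMware tooling. It parses constructed sample lines modelled on the excerpts above (the hostname, dates and the unrelated vmdird line are invented) and reports which tenant admin DN vmdird has marked as password-expired or login-blocked, together with the number of solution-user token failures in catalina.out. On an appliance you would read /var/log/messages and /var/log/vmware/vcac/catalina.out into the two variables instead of the embedded samples.

```python
import re

# Constructed sample log lines modelled on the excerpts in this article.
# They are not copied from a real appliance; hostname and dates are invented.
MESSAGES_LOG = """\
2014-03-18T08:34:41-06:00 vcacid01 vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)
2014-03-18T11:38:46-06:00 vcacid01 vmdird: t@140689332778752: LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)
2014-03-18T11:58:03-06:00 vcacid01 lsassd: GSSAPI Error: The referenced context has expired (Unknown error)
2014-03-18T12:00:00-06:00 vcacid01 vmdird: t@140689332778752: unrelated informational message (constructed)
"""

CATALINA_OUT = """\
2014-03-18 12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
2014-03-18 12:40:49,201 [tomcat-http--34] [authentication] ERROR com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleUnexpectedException:820 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
"""

# vmdird reports the expired password and the subsequent lockout with the account DN.
PASSWORD_EXPIRED = re.compile(r"vmdird: .*password expired\. \((?P<dn>[^)]+)\)")
LOGIN_BLOCKED = re.compile(r"vmdird: .*LoginBlocked DN \((?P<dn>[^)]+)\), error \((?P<code>\d+)\)")
# The lsassd GSSAPI message carries no DN, so it is only counted as supporting evidence.
GSSAPI_EXPIRED = re.compile(r"lsassd: GSSAPI Error: The referenced context has expired")
# catalina.out: the STS refuses to issue a token for the solution user.
# "occured" is spelled that way in the product's own log message.
TOKEN_FAILURE = re.compile(
    r"Failed trying to retrieve token: .*Error occured looking for solution user :: Insufficient access")


def tenant_from_dn(dn):
    """Return the tenant name encoded in the dc= components of a vmdir DN
    (for example cn=tenantadmin,cn=users,dc=tenant -> "tenant")."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.lower().startswith("dc=")]
    return ".".join(dcs)


def scan_identity_log(text):
    """Parse the Identity Appliance messages.log.

    Returns (findings, gssapi_count): findings maps each DN named by vmdird to
    the set of signals seen for it ("password_expired", "login_blocked:<code>").
    """
    findings = {}
    gssapi_count = 0
    for line in text.splitlines():
        m = PASSWORD_EXPIRED.search(line)
        if m:
            findings.setdefault(m.group("dn"), set()).add("password_expired")
            continue
        m = LOGIN_BLOCKED.search(line)
        if m:
            findings.setdefault(m.group("dn"), set()).add("login_blocked:" + m.group("code"))
            continue
        if GSSAPI_EXPIRED.search(line):
            gssapi_count += 1
    return findings, gssapi_count


def count_token_failures(text):
    """Count catalina.out lines where the STS refused the solution-user token."""
    return sum(1 for line in text.splitlines() if TOKEN_FAILURE.search(line))


def diagnose(messages_log, catalina_out):
    """Return ([(tenant, dn, sorted signals), ...], token_failures) for tenant
    admin accounts that match the expired-password pattern in this article."""
    findings, _gssapi = scan_identity_log(messages_log)
    token_failures = count_token_failures(catalina_out)
    affected = []
    for dn in sorted(findings):
        # Only the internal tenant admin account in cn=users is relevant here;
        # other DNs vmdird complains about are reported elsewhere.
        if not dn.lower().startswith("cn=tenantadmin,cn=users,"):
            continue
        affected.append((tenant_from_dn(dn), dn, sorted(findings[dn])))
    return affected, token_failures


if __name__ == "__main__":
    affected, token_failures = diagnose(MESSAGES_LOG, CATALINA_OUT)
    if not affected:
        print("no expired or blocked tenant admin accounts found")
    for tenant, dn, signals in affected:
        print("tenant %-10s %s  signals=%s" % (tenant, dn, ",".join(signals)))
    print("solution-user token failures in catalina.out: %d" % token_failures)
```

A DN that shows both password_expired and login_blocked, combined with a non-zero token failure count, is the signature this article describes; a GSSAPI count on its own is not enough, since lsassd logs that message for other reasons as well.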
Note: This issue can persist if an in-place upgrade is done from vRealize Automation (formerly known as vCloud Automation Center) 6.0 to vRealize Automation 6.1. If this is the case, re-apply the workaround mentioned below.
To work around this issue, disable password expiration for the tenant admin account.
Note: If you are not sure about performing the steps below, file a support request with VMware Technical Support and note this Knowledge Base article ID (2075011) in the problem description. For more information on filing a Support Request, see Filing a Support Request in My VMware (2006985).
VMware vRealize Automation (formerly known as vCloud Automation Center) using vCenter Single Sign-On (SSO) for tenant authentication
If VMware vRealize Automation is using vCenter Single Sign-On (SSO) for tenant authentication, perform these steps to disable password expiration:
Note: Replace tenant_name with the URL name of your tenant.
Open an SSH connection to vCenter Server.
Disable password expiration by running this command:
When prompted, enter the password for Administrator@vsphere.local.
The current workaround resets the userAccountControl flag and also modifies the values that determine how long the SSO tenant admin account password remains valid. It sets that internal service account password to never expire.