I want to share an issue I ran into several times with vCloud Automation Center (vCAC) 6.x: vCAC tenants become inaccessible, and the LDAP/AD connection seems to be unavailable or removed in Single Sign On (SSO).
The exact symptoms of this issue are:
- vCAC 6.x seems to run fine for a couple of months, then tenants suddenly become inaccessible;
- The LDAP/AD connection in the default tenant disappears and an error message is reported by vCAC;
- You see error messages in the catalina.out log file similar to “Error occured looking for solution user :: Insufficient access”.
Although this issue and its solution have been reported in VMware KB article 2075011, I suggest taking the steps set out in this article in advance, before the issue actually pops up! The cause of this issue is the expiry of an internal SSO password after the product has been running for 90 days. Note: this is not the administrator@vsphere.local password expiring; it has to do with an internal account.
Prevent the internal SSO account from expiring
Depending on which SSO server you’re using (vCenter Appliance SSO, SSO in the vCAC identity server, SSO on Windows), take the necessary steps to prevent this problem from occurring. For the vCAC identity server the steps are:
(Replace tenant_name with the URL name of your tenant)
- Open an SSH connection to the vCAC Identity Server Appliance (i.e. the SSO server, not the vCAC appliance).
- Reset the account control flag by running the command:
/opt/likewise/bin/ldapmodify -H ldap://localhost:389 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF
dn: cn=tenantadmin,cn=users,dc=tenant_name
changetype: modify
replace: userAccountControl
userAccountControl: 0
EOF
- Response: modifying entry “cn=administrator,cn=users,dc=tenant_name.”
Note: You will be prompted for the administrator@vsphere.local password when running this command.
- Disable password expiration by running the command:
/opt/likewise/bin/ldapmodify -H ldap://localhost:389 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF
dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
changetype: modify
add: member
member: cn=tenantadmin,cn=users,dc=tenant_name
EOF
- Response: modifying entry “cn=DCAdmins,cn=builtin,dc=vsphere,dc=local”
Note: You will be prompted for the administrator@vsphere.local password when running this command.
Type the commands exactly as illustrated here, including the new lines: the text between <<EOF and EOF spans several lines.
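As an added check that is not part of the original post: a POSIX sh script for the identity appliance that reads the LDIF returned by ldapsearch and verifies both changes from the steps above (userAccountControl back to 0, and tenantadmin listed as a member of DCAdmins). It assumes /opt/likewise/bin/ldapsearch exists beside ldapmodify; the tenant name "acme" and the sample LDIF are constructed so the script also runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: check that the two ldapmodify
# changes are in place. Assumes /opt/likewise/bin/ldapsearch exists and that a
# healthy tenantadmin has userAccountControl 0, as the post's fix sets it.
BIND='cn=administrator,cn=users,dc=vsphere,dc=local'
DCADMINS='cn=DCAdmins,cn=builtin,dc=vsphere,dc=local'
# Print the userAccountControl value found in the LDIF on stdin (empty if absent).
uac_value() {
    awk -F': ' '$1 == "userAccountControl" { print $2; exit }'
}
# Succeed only if the DN given as $1 appears as a member in the LDIF on stdin.
is_member() {
    awk -F': ' -v dn="$1" 'tolower($1) == "member" && tolower($2) == tolower(dn) { f = 1 } END { exit !f }'
}
# Diagnose one tenant admin from two LDIF blobs; returns 0 only when both checks pass.
check_tenant_admin() {
    tenant="$1"; uac_ldif="$2"; group_ldif="$3"; status=0
    admin_dn="cn=tenantadmin,cn=users,dc=$tenant"
    uac=$(printf '%s\n' "$uac_ldif" | uac_value)
    if [ -z "$uac" ]; then
        echo "WARN: no userAccountControl attribute returned for $admin_dn"; status=1
    elif [ "$uac" -ne 0 ]; then
        echo "WARN: userAccountControl=$uac on $admin_dn (expected 0 after the fix)"; status=1
    fi
    if ! printf '%s\n' "$group_ldif" | is_member "$admin_dn"; then
        echo "WARN: $admin_dn is not in DCAdmins, so password expiry still applies"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $admin_dn has no control flags set and is in DCAdmins"
    return "$status"
}
# Live check on the appliance: two searches bound as administrator (prompts twice).
check_live() {
    ls=/opt/likewise/bin/ldapsearch
    u=$("$ls" -H ldap://localhost:389 -x -D "$BIND" -W -b "cn=tenantadmin,cn=users,dc=$1" -s base userAccountControl)
    g=$("$ls" -H ldap://localhost:389 -x -D "$BIND" -W -b "$DCADMINS" -s base member)
    check_tenant_admin "$1" "$u" "$g"
}
# Constructed sample LDIF in ldapsearch's output shape, for an offline run.
SAMPLE_UAC_EXPIRED='dn: cn=tenantadmin,cn=users,dc=acme
userAccountControl: 8388608'
SAMPLE_UAC_OK='dn: cn=tenantadmin,cn=users,dc=acme
userAccountControl: 0'
SAMPLE_GROUP_OK="dn: $DCADMINS
member: cn=Administrator,cn=users,dc=vsphere,dc=local
member: cn=tenantadmin,cn=users,dc=acme"
check_tenant_admin acme "$SAMPLE_UAC_EXPIRED" "$SAMPLE_GROUP_OK" || true
```

Run `check_live tenant_name` on the identity appliance for a real query; the constructed sample at the bottom only shows the warning path.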
This solves the AD connection problem; everything works as expected after applying this solution. Solutions for the other SSO server types are posted in the KB article.