We had a serious problem with our domain controllers today. For one, the certificate in use for LDAPS was a wrong one issued by an Enterprise CA that no longer exists, and for another, an old DC that has since been replaced was still listed in the SSO identity source.
After I replaced the LDAPS certificate on both domain controllers (with ldp.exe I can also connect via LDAPS from the vCenter Server), I looked at the identity sources. An old DC (from 3 months ago) was still listed there as the primary source.
I then changed the servers directly in the SQL database, in the IMS config table, and restarted the whole server.
The Single Sign-On service starts, but vCenter does not.
In the vCenter log (vpxd.log) I find the following entries:
2014-01-27T10:59:06.401+01:00 [04628 warning 'Default'] Warning, existence of user "INTERN\benutzer" unknown, permission may not be effective until it is resolved.
2014-01-27T10:59:06.401+01:00 [04628 error 'Default'] The user account "INTERN\benutzer" could not be successfully resolved. Check network connectivity to domain controllers and domain membership. Users may not be able to log in until connectivity is restored.
2014-01-27T10:59:06.401+01:00 [04628 info '[SSO]'] [UserDirectorySso] GetUserInfo(INTERN\benutzer, false)
And in the Single Sign-On imsTrace.log I find the following:
2014-01-27 15:15:45,402, [castle-exec-5], (PrincipalAccessSQL.java:1683), trace.com.rsa.ims.admin.dal.sql.PrincipalAccessSQL, DEBUG, SKVCENTER.intern.net,,,,SELECT IMS_PRINCIPAL.ID,IMS_PRINCIPAL.CERT_DN,IMS_PRINCIPAL.EMAIL,IMS_PRINCIPAL.FIRST_NAME,IMS_PRINCIPAL.MIDDLE_NAME,IMS_PRINCIPAL.LAST_NAME,IMS_PRINCIPAL.LOGINUID,IMS_PRINCIPAL.PASSWORD,IMS_PRINCIPAL.PRINCIPAL_IS_DESCRIPTION, IMS_PRINCIPAL_DATA.ID,IMS_PRINCIPAL_DATA.ROW_VERSION,IMS_PRINCIPAL_DATA.LAST_UPDATED_BY,IMS_PRINCIPAL_DATA.LAST_UPDATED_ON,IMS_PRINCIPAL_DATA.IDENTITY_SRC_ID,IMS_PRINCIPAL_DATA.IDENTITY_SRC_KEY,IMS_PRINCIPAL_DATA.OWNER_ID,IMS_PRINCIPAL_DATA.START_DATE,IMS_PRINCIPAL_DATA.EXPIRATION_DATE,IMS_PRINCIPAL_DATA.REGISTRATION_FLAG,IMS_PRINCIPAL_DATA.LOGINUID,IMS_PRINCIPAL_DATA.LOGIN_DATE,IMS_PRINCIPAL_DATA.ENABLE_FLAG,IMS_PRINCIPAL_DATA.IMPERSONATABLE_FLAG,IMS_PRINCIPAL_DATA.IMPERSONATOR_FLAG,IMS_PRINCIPAL_DATA.FAIL_PASSWORD_COUNT,IMS_PRINCIPAL_DATA.FAIL_PASSWORD_DATE,IMS_PRINCIPAL_DATA.FAIL_EMERGENCY_COUNT,IMS_PRINCIPAL_DATA.FAIL_EMERGENCY_DATE,IMS_PRINCIPAL_DATA.CHANGE_PASSWORD_FLAG,IMS_PRINCIPAL_DATA.CHANGE_PASSWORD_DATE,IMS_PRINCIPAL_DATA.LOCKOUT_FLAG,IMS_PRINCIPAL_DATA.EXPIRE_LOCKOUT_DATE,IMS_PRINCIPAL_DATA.EMERGENCY_LOCKOUT_FLAG,IMS_PRINCIPAL_DATA.EXPIRE_EMERGENCY_LOCKOUT_DATE,IMS_PRINCIPAL_DATA.NOTES,IMS_PRINCIPAL_DATA.AUTHENTICATOR_BIT_FLAGS,IMS_PRINCIPAL_DATA.ADMINISTRATOR_FLAG,IMS_PRINCIPAL_DATA.EXUID,IMS_PRINCIPAL_DATA.SECURITY_QUES_ANSWERS,IMS_PRINCIPAL_DATA.SECURITY_QUES_REQUIRED_AUTHN,IMS_PRINCIPAL_DATA.SECURITY_QUES_REQUIRED_REG,IMS_PRINCIPAL_DATA.SECURITY_QUES_LANGUAGE,IMS_PRINCIPAL_DATA.SECURITY_QUES_COUNTRY,IMS_PRINCIPAL_DATA.SECURITY_QUES_VARIANT,IMS_PRINCIPAL_DATA.SECURITY_QUES_RESET,IMS_PRINCIPAL_DATA.FIRST_RBA_AUTH_DATE,IMS_PRINCIPAL_DATA.LAST_USED_SECONDARY_AUTH FROM IMS_PRINCIPAL, (SELECT IMS_PRINCIPAL_DATA.ID,IMS_PRINCIPAL_DATA.ROW_VERSION,IMS_PRINCIPAL_DATA.LAST_UPDATED_BY,IMS_PRINCIPAL_DATA.LAST_UPDATED_ON,IMS_PRINCIPAL_DATA.IDENTITY_SRC_ID,IMS_PRINCIPAL_DATA.IDENTITY_SRC_KEY,IMS_PRINCIPAL_DATA.OWNER_ID,IMS_PRINCIPAL_DATA.START_DATE,IMS_PRINCIPAL_DATA.EXPIRATION_DATE,IMS_PRINCIPAL_DATA.REGISTRATION_FLAG,IMS_PRINCIPAL_DATA.LOGINUID,IMS_PRINCIPAL_LOGIN_DATE.LOGIN_DATE,IMS_PRINCIPAL_DATA.ENABLE_FLAG,IMS_PRINCIPAL_DATA.IMPERSONATABLE_FLAG,IMS_PRINCIPAL_DATA.IMPERSONATOR_FLAG,IMS_PRINCIPAL_DATA.FAIL_PASSWORD_COUNT,IMS_PRINCIPAL_DATA.FAIL_PASSWORD_DATE,IMS_PRINCIPAL_DATA.FAIL_EMERGENCY_COUNT,IMS_PRINCIPAL_DATA.FAIL_EMERGENCY_DATE,IMS_PRINCIPAL_DATA.CHANGE_PASSWORD_FLAG,IMS_PRINCIPAL_DATA.CHANGE_PASSWORD_DATE,IMS_PRINCIPAL_DATA.LOCKOUT_FLAG,IMS_PRINCIPAL_DATA.EXPIRE_LOCKOUT_DATE,IMS_PRINCIPAL_DATA.EMERGENCY_LOCKOUT_FLAG,IMS_PRINCIPAL_DATA.EXPIRE_EMERGENCY_LOCKOUT_DATE,IMS_PRINCIPAL_DATA.NOTES,IMS_PRINCIPAL_DATA.AUTHENTICATOR_BIT_FLAGS,IMS_PRINCIPAL_DATA.ADMINISTRATOR_FLAG,IMS_PRINCIPAL_DATA.EXUID,IMS_PRINCIPAL_DATA.SECURITY_QUES_ANSWERS,IMS_PRINCIPAL_DATA.SECURITY_QUES_REQUIRED_AUTHN,IMS_PRINCIPAL_DATA.SECURITY_QUES_REQUIRED_REG,IMS_PRINCIPAL_DATA.SECURITY_QUES_LANGUAGE,IMS_PRINCIPAL_DATA.SECURITY_QUES_COUNTRY,IMS_PRINCIPAL_DATA.SECURITY_QUES_VARIANT,IMS_PRINCIPAL_DATA.SECURITY_QUES_RESET,IMS_PRINCIPAL_DATA.FIRST_RBA_AUTH_DATE,IMS_PRINCIPAL_DATA.LAST_USED_SECONDARY_AUTH FROM IMS_PRINCIPAL_DATA WITH (NOLOCK) inner join IMS_PRINCIPAL_LOGIN_DATE on (IMS_PRINCIPAL_DATA.ID = IMS_PRINCIPAL_LOGIN_DATE.PRINCIPAL_ID) ) IMS_PRINCIPAL_DATA WHERE UPPER(IMS_PRINCIPAL.LOGINUID) = UPPER(IMS_PRINCIPAL_DATA.LOGINUID) AND IMS_PRINCIPAL_DATA.IDENTITY_SRC_ID = '000000000000000000001000d0011000' AND UPPER(IMS_PRINCIPAL.LOGINUID) = UPPER(?) ORDER BY UPPER(IMS_PRINCIPAL.LOGINUID)
2014-01-27 15:15:45,414, [castle-exec-5], (IMSUtilImpl.java:249), trace.com.rsa.riat.utils.IMSUtil, DEBUG, SKVCENTER.intern.net,,,,Could not find user intern\skvcenter-svc in domain null
2014-01-27 15:15:45,415, [castle-exec-5], (SecurityTokenServiceImpl.java:107), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, SKVCENTER.intern.net,,,,Error while trying to generate RequestSecurityTokenResponse
com.rsa.riat.ws.security.trust.authn.AuthnPluginException: Authentication Failed
Anyone have an idea?
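Added example (editor's code, not from the poster and not VMware or RSA tooling): a small Python triage script that parses the two log formats quoted above, vpxd.log and the RSA IMS imsTrace.log, and separates the two signals they carry. The vpxd message only says an account could not be resolved, which could be plain DC connectivity; the imsTrace message "Could not find user ... in domain null" says SSO mapped the DOMAIN\ prefix to no identity source at all, which points at the identity-source configuration rather than the directory. The line formats, the field order, and the verdict labels are assumptions inferred from the quoted excerpts, not a documented schema, and the sample lines are constructed to match the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Line formats are ASSUMPTIONS inferred from the two excerpts in the post,
# not a documented schema: vpxd.log and the RSA IMS imsTrace.log.
VPXD_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<tid>\d+) (?P<level>\w+) '(?P<comp>[^']*)'\] (?P<msg>.*)$"
)
IMS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}), \[(?P<thread>[^\]]*)\], "
    r"\((?P<src>[^)]*)\), (?P<logger>[^,]+), (?P<level>\w+), (?P<host>[^,]*),,,,(?P<msg>.*)$"
)
UNRESOLVED_RE = re.compile(
    r'The user account "(?P<principal>[^"]+)" could not be successfully resolved'
)
NOT_FOUND_RE = re.compile(r"Could not find user (?P<principal>\S+) in domain (?P<domain>\S+)")
STS_FAIL_MSG = "Error while trying to generate RequestSecurityTokenResponse"

# Constructed sample lines modelled on the post's excerpts (not from a real system).
VPXD_SAMPLE = r"""
2014-01-27T10:59:06.401+01:00 [04628 warning 'Default'] Warning, existence of user "INTERN\benutzer" unknown, permission may not be effective until it is resolved.
2014-01-27T10:59:06.401+01:00 [04628 error 'Default'] The user account "INTERN\benutzer" could not be successfully resolved. Check network connectivity to domain controllers and domain membership. Users may not be able to log in until connectivity is restored.
2014-01-27T10:59:06.401+01:00 [04628 info '[SSO]'] [UserDirectorySso] GetUserInfo(INTERN\benutzer, false)
"""
IMS_SAMPLE = r"""
2014-01-27 15:15:45,414, [castle-exec-5], (IMSUtilImpl.java:249), trace.com.rsa.riat.utils.IMSUtil, DEBUG, SKVCENTER.intern.net,,,,Could not find user intern\skvcenter-svc in domain null
2014-01-27 15:15:45,415, [castle-exec-5], (SecurityTokenServiceImpl.java:107), trace.com.rsa.riat.sts.impl.SecurityTokenServiceImpl, ERROR, SKVCENTER.intern.net,,,,Error while trying to generate RequestSecurityTokenResponse
"""


@dataclass
class Finding:
    source: str     # "vpxd" or "ims"
    ts: str
    principal: str  # DOMAIN\user exactly as logged
    detail: str


def parse_vpxd(text: str) -> List[Finding]:
    """Report principals vpxd could not resolve (error level only)."""
    out = []
    for line in text.splitlines():
        m = VPXD_RE.match(line)
        if not m or m["level"] != "error":
            continue
        u = UNRESOLVED_RE.search(m["msg"])
        if u:
            out.append(Finding("vpxd", m["ts"], u["principal"],
                               "vpxd could not resolve the account via a domain controller"))
    return out


def parse_ims(text: str):
    """Report failed SSO user lookups, and whether STS token issuance failed."""
    out, sts_failed = [], False
    for line in text.splitlines():
        m = IMS_RE.match(line)
        if not m:
            continue
        n = NOT_FOUND_RE.search(m["msg"])
        if n:
            prefix = n["principal"].split("\\", 1)[0] if "\\" in n["principal"] else "(none)"
            if n["domain"] == "null":
                # SSO resolved the DOMAIN\ prefix to no identity source at all:
                # a configuration problem, not a user that merely does not exist.
                detail = f"domain null: prefix '{prefix}' maps to no configured identity source"
            else:
                detail = f"user not found in identity source domain '{n['domain']}'"
            out.append(Finding("ims", m["ts"], n["principal"], detail))
        if STS_FAIL_MSG in m["msg"]:
            sts_failed = True
    return out, sts_failed


def triage(vpxd_text: str, ims_text: str) -> Dict[str, object]:
    """Combine both logs into one verdict; the verdict labels are this script's own."""
    findings = parse_vpxd(vpxd_text)
    ims_findings, sts_failed = parse_ims(ims_text)
    findings += ims_findings
    if any(f.source == "ims" and f.detail.startswith("domain null") for f in findings):
        verdict = "identity-source"   # fix the SSO identity source / its DC entry
    elif ims_findings:
        verdict = "user-not-found"    # source reachable, principal absent from it
    elif findings:
        verdict = "dc-connectivity"   # only vpxd complained
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "sts_failed": sts_failed,
        "principals": sorted({f.principal for f in findings}),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(VPXD_SAMPLE, IMS_SAMPLE)
    print(result["verdict"], "sts_failed =", result["sts_failed"])
    for f in result["findings"]:
        print(f"{f.source:5} {f.ts} {f.principal}: {f.detail}")
```

Run against the constructed samples the verdict is "identity-source", because the imsTrace line carries "in domain null" while the vpxd line on its own would only support "dc-connectivity". On a real system, pass the contents of vpxd.log and imsTrace.log to `triage()`; the SQL trace line quoted in the post matches `IMS_RE` but yields no finding, so it is skipped.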