"Failed with error : Error ! An error occurred while retrieving the Single Sign-On token from; https://vCenter/lookupservice/sdk" error during vSphere Authentication configuration

Article ID: 312265

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • Configuring the vCenter Server authentication source in vRealize Orchestrator fails.
  • You see this error:

    Failed with Error ! An error occurred while retrieving the Single Sign-On token from; https://vcenter/lookupservice/sdk
     
  • In the controlcenter logs, you see entries similar to:

    2017-06-20 10:29:53.776+0000 [https-jsse-nio-8283-exec-2] ERROR [ConfigureAuthProvider] [<UUID_1>] Register authentication error: authentication: Authentication: state = CONNECTED, url = https://xx.xx.xx.xx/lookupservice/sdk , certificateAlias = vco.vsphere.lookup-service.ssl.certificate, username = [email protected] , password = ******, importCertificates = false, configureLicences = true, certificate = [TrustedEntity [id=vco.vsphere.lookup-service.ssl.certificate, [FD 3D E5 51 D4 E3 91 1D FC 68 10 3F FF CD 29 19 C2 97 5B 81], TrustedEntity [id=imported:3351b814-6d13-44a5-8e84-4b99d38ad917, [E3 91 1D FC 68 CD A0 A4 C8 D3 CD 29 19 C2 97 FD 3D E5 51 D4], TrustedEntity [id=imported:7251f30f-e3e3-46c5-bafa-4a836890c6f0, [FC 68 CD A0 7E3 91 1D FC CD 29 19 C2 97 B7 85 E9 21 F0 67 F0 15 C7 94], service provider host = https://XX.XX.XXX.XXX:8283 Sso Authentication: ssoUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6 , stsUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6 , adminUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@2df8d253 , ssoSslAlias = vco.sso.ssl.certificate, authenticationTokenType = saml, clientId = null, clientSecret = , adminGroup = null, adminGroupDomain = null, defaultTenant = vsphere.local, ssoClockTolerance = 300, tokenLifetimeInSeconds = 7776000, ssoTokenRenewCount = 5 com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match
    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.execute(VmomiClientCommand.java:112)
    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringNoDomainError(VmomiClientCommand.java:217)
    at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.createServiceContent(AdminClientImpl.java:334)
    at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.<init>(AdminClientImpl.java:107)
    at com.vmware.vim.sso.admin.client.vmomi.VmomiClientFactory.createAdminClient(VmomiClientFactory.java:64)
    at com.vmware.vim.sso.admin.client.vmomi.VmomiClientFactory.createAdminClient(VmomiClientFactory.java:54)
    at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.getTrustedCerts(SsoAdminClientFactoryImpl.java:298)
    at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.aquireToken(SsoAdminClientFactoryImpl.java:275)
    at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.createSSOAdminClient(SsoAdminClientFactoryImpl.java:259)
    at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.registerWithSSO(SsoAdminClientFactoryImpl.java:86)
    at com.vmware.o11n.configuration.authentication.services.SamlAuthenticationServiceAdapter.register(SamlAuthenticationServiceAdapter.java:89)
    at com.vmware.o11n.configuration.authentication.services.SsoAuthenticationService.register(SsoAuthenticationService.java:202)
    at com.vmware.o11n.configuration.authentication.ConfigureAuthProvider.register(ConfigureAuthProvider.java:597)
    at com.vmware.o11n.configuration.authentication.ConfigureAuthProvider.update(ConfigureAuthProvider.java:236)
    at com.vmware.o11n.controlcenter.authentication.AuthenticationController.updateWizzard(AuthenticationController.java:169)
    at com.vmware.o11n.controlcenter.authentication.AuthenticationController$$FastClassBySpringCGLIB$$337aef2c.invoke(<generated>)

    Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.handleHandshakeException(ThumbprintTrustManager.java:511)
    at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:361)
    at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.verifyHostname(VlsiSslSocketFactory.java:129)

    Caused by: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
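
To confirm the mismatch the exception reports, compare the SHA-1 thumbprint of the certificate the lookup service presents with the TrustedEntity thumbprints printed in the controlcenter entry. The following Python is an added example, not VMware code; it assumes the bracketed 20-octet values in the log are SHA-1 thumbprints, and its function names and sample data are constructed for illustration.

```python
import hashlib
import re
import ssl

# Matches "TrustedEntity [id=<alias>, [<hex octets>]" as printed in the log entry.
ENTITY = re.compile(r"TrustedEntity \[id=([^,\]]+), \[([0-9A-Fa-f\s]+)\]")

def sha1_thumbprint(der):
    return hashlib.sha1(der).hexdigest().upper()

def trusted_thumbprints(log_text):
    """Return ({alias: thumbprint}, [aliases whose value is not 20 clean octets])."""
    trusted, malformed = {}, []
    for alias, raw in ENTITY.findall(log_text):
        octets = raw.split()
        alias = "".join(alias.split())  # undo line wraps inside the alias
        if len(octets) == 20 and all(len(o) == 2 for o in octets):
            trusted[alias] = "".join(octets).upper()
        else:
            malformed.append(alias)  # e.g. scrubbed or truncated log values
    return trusted, malformed

def matching_aliases(log_text, pem):
    """Aliases whose logged thumbprint equals that of the presented certificate."""
    presented = sha1_thumbprint(ssl.PEM_cert_to_DER_cert(pem))
    trusted, _ = trusted_thumbprints(log_text)
    return sorted(a for a, fp in trusted.items() if fp == presented)

def fetch_presented_cert(host, port=443):
    """Live use: PEM of the certificate the lookup service host currently presents."""
    return ssl.get_server_certificate((host, port))

# Constructed stand-ins: placeholder bytes, not real certificates or real log data.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-old-machine-ssl-cert")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-new-machine-ssl-cert")
_old = sha1_thumbprint(b"constructed-old-machine-ssl-cert")
SAMPLE_LOG = (
    "certificate = [TrustedEntity [id=vco.vsphere.lookup-service.ssl.certificate, ["
    + " ".join(_old[i:i + 2] for i in range(0, 40, 2))
    + "], TrustedEntity [id=imported:constructed-1, [FC 68 CD A0 7E3 91 1D FC], "
)

if __name__ == "__main__":
    print("malformed entries:", trusted_thumbprints(SAMPLE_LOG)[1])
    print("old cert trusted as:", matching_aliases(SAMPLE_LOG, OLD_PEM))
    print("new cert trusted as:", matching_aliases(SAMPLE_LOG, NEW_PEM))  # empty: mismatch
```

An empty result for the certificate returned by `fetch_presented_cert` means none of the logged trust-store entries covers what the endpoint now serves, which is the condition behind "thumbprint doesn't match".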

 


Environment

VMware vRealize Orchestrator Plugin for NSX 1.0.x
VMware vRealize Orchestrator Plugin for NSX 1.1.x
VMware vRealize Orchestrator 7.5.x
VMware vRealize Orchestrator Plugin for vSphere Replication 6.x
VMware vRealize Orchestrator 7.4.x
VMware vRealize Orchestrator 7.2.x
VMware vRealize Automation 7.4.x
VMware vRealize Orchestrator 7.0.x
VMware vRealize Orchestrator 7.3.x
VMware vRealize Orchestrator 6.0.x
VMware vRealize Orchestrator 7.1.x

Cause

The problem occurs in any of these situations:
 
  • When replacing the machine SSL certificate on an embedded deployment.
  • When replacing the machine SSL certificate on the Platform Services Controller in an installation with an external Platform Services Controller.
  • When replacing the machine SSL certificate on a vCenter Server system in an installation with an external Platform Services Controller.
The issue arises when SSO uses one certificate while a different certificate is registered in the lookup service.
 

Resolution

When the certificates are replaced through the Platform Services Controller UI, resolve this issue by running the ls_update_certs script on the Platform Services Controller. With external solutions, certificate replacement proceeds as follows:
  1. Extract the old certificate from your vCenter Server system or Platform Services Controller for later use.
  2. Perform the certificate replacement, either by using the Certificate Manager utility or by running certificate management CLI commands.
  3. Run the ls_update_certs script, passing in the old certificate and new certificate.
For more information on the procedure, see: