"Failed with error : Error ! An error occurred while retrieving the Single Sign-On token from; https://vCenter/lookupservice/sdk" error during vSphere Authentication configuration
Article ID: 312265
Products
VMware Aria Suite
Issue/Introduction
Symptoms:
Configuring the vCenter Server authentication source in vRealize Orchestrator fails.
You see this error:
Failed with Error ! An error occurred while retrieving the Single Sign-On token from; https://vcenter/lookupservice/sdk
In the controlcenter logs, you see entries similar to:
2017-06-20 10:29:53.776+0000 [https-jsse-nio-8283-exec-2] ERROR [ConfigureAuthProvider] [<UUID_1>] Register authentication error: authentication: Authentication: state = CONNECTED, url = https://xx.xx.xx.xx/lookupservice/sdk, certificateAlias = vco.vsphere.lookup-service.ssl.certificate, username = [email protected], password = ******, importCertificates = false, configureLicences = true, certificate = [TrustedEntity [id=vco.vsphere.lookup-service.ssl.certificate, [FD 3D E5 51 D4 E3 91 1D FC 68 10 3F FF CD 29 19 C2 97 5B 81], TrustedEntity [id=imported:3351b814-6d13-44a5-8e84-4b99d38ad917, [E3 91 1D FC 68 CD A0 A4 C8 D3 CD 29 19 C2 97 FD 3D E5 51 D4], TrustedEntity [id=imported:7251f30f-e3e3-46c5-bafa-4a836890c6f0, [FC 68 CD A0 7E3 91 1D FC CD 29 19 C2 97 B7 85 E9 21 F0 67 F0 15 C7 94], service provider host = https://XX.XX.XXX.XXX:8283
Sso Authentication: ssoUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6, stsUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6, adminUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@2df8d253, ssoSslAlias = vco.sso.ssl.certificate, authenticationTokenType = saml, clientId = null, clientSecret = , adminGroup = null, adminGroupDomain = null, defaultTenant = vsphere.local, ssoClockTolerance = 300, tokenLifetimeInSeconds = 7776000, ssoTokenRenewCount = 5
com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match
    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.execute(VmomiClientCommand.java:112)
    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringNoDomainError(VmomiClientCommand.java:217)
    at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.createServiceContent(AdminClientImpl.java:334)
    at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.<init>(AdminClientImpl.java:107)
    at com.vmware.vim.sso.admin.client.vmomi.VmomiClientFactory.createAdminClient(VmomiClientFactory.java:64)
    at com.vmware.vim.sso.admin.client.vmomi.VmomiClientFactory.createAdminClient(VmomiClientFactory.java:54)
    at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.getTrustedCerts(SsoAdminClientFactoryImpl.java:298)
    at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.aquireToken(SsoAdminClientFactoryImpl.java:275)
    at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.createSSOAdminClient(SsoAdminClientFactoryImpl.java:259)
    at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.registerWithSSO(SsoAdminClientFactoryImpl.java:86)
    at com.vmware.o11n.configuration.authentication.services.SamlAuthenticationServiceAdapter.register(SamlAuthenticationServiceAdapter.java:89)
    at com.vmware.o11n.configuration.authentication.services.SsoAuthenticationService.register(SsoAuthenticationService.java:202)
    at com.vmware.o11n.configuration.authentication.ConfigureAuthProvider.register(ConfigureAuthProvider.java:597)
    at com.vmware.o11n.configuration.authentication.ConfigureAuthProvider.update(ConfigureAuthProvider.java:236)
    at com.vmware.o11n.controlcenter.authentication.AuthenticationController.updateWizzard(AuthenticationController.java:169)
    at com.vmware.o11n.controlcenter.authentication.AuthenticationController$$FastClassBySpringCGLIB$$337aef2c.invoke(<generated>)
Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.handleHandshakeException(ThumbprintTrustManager.java:511)
    at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:361)
    at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.verifyHostname(VlsiSslSocketFactory.java:129)
Caused by: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
This issue occurs in the following situations:
When replacing the machine SSL certificate on an embedded deployment.
When replacing the machine SSL certificate on the Platform Services Controller in an installation with an external Platform Services Controller.
When replacing the machine SSL certificate on a vCenter Server system in an installation with an external Platform Services Controller.
This issue occurs when SSO uses one certificate while a different certificate is registered in the lookup service.
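A triage check for the mismatch described above, as an added example (not VMware's code): it parses the TrustedEntity thumbprints from a controlcenter log entry and tests whether the certificate an endpoint presents is among them. It assumes the 20-byte bracketed values in the log are SHA-1 thumbprints of the DER-encoded certificate; the function names and sample data are constructed for illustration.

```python
import hashlib
import re
import ssl

# Matches "TrustedEntity [id=<alias>, [FD 3D E5 ...]" as printed in the log entry.
ENTITY_RE = re.compile(r"TrustedEntity \[id=([^,\]]+), \[((?:[0-9A-Fa-f]{2} ?)+)\]")


def sha1_thumbprint(der):
    """SHA-1 over the DER bytes (assumption: this is what the log prints)."""
    return hashlib.sha1(der).hexdigest().upper()


def trusted_thumbprints(log_text):
    """Return {alias: thumbprint} for every well-formed TrustedEntity entry."""
    return {alias.strip(): "".join(hexbytes.split()).upper()
            for alias, hexbytes in ENTITY_RE.findall(log_text)}


def fetch_der(host, port=443):
    """Fetch the certificate the endpoint presents now; no trust decision is made."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def diagnose(log_text, presented_der):
    """Report which trusted aliases, if any, match the presented certificate."""
    presented = sha1_thumbprint(presented_der)
    matches = [alias for alias, tp in trusted_thumbprints(log_text).items()
               if tp == presented]
    return {"presented": presented, "matches": matches, "mismatch": not matches}


def _spaced(tp):
    return " ".join(tp[i:i + 2] for i in range(0, len(tp), 2))


# CONSTRUCTED sample data: stand-in byte strings, not real certificates.
OLD_DER = b"constructed-old-machine-ssl-certificate"
NEW_DER = b"constructed-new-machine-ssl-certificate"
SAMPLE_LOG = (
    "certificate = [TrustedEntity [id=vco.vsphere.lookup-service.ssl.certificate, [%s], "
    "TrustedEntity [id=imported:constructed-alias, [%s], service provider host = ..."
    % (_spaced(sha1_thumbprint(OLD_DER)), _spaced(sha1_thumbprint(b"constructed-other")))
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, OLD_DER))  # old certificate: still trusted
    print(diagnose(SAMPLE_LOG, NEW_DER))  # replaced certificate: mismatch
```

Against a live system, pass the failing log entry as log_text and the result of fetch_der() for the lookup service host as presented_der.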
Resolution
When the certificates are replaced through the Platform Services Controller UI, this issue can be resolved by running the ls_update_certs script on the Platform Services Controller. With external solutions, certificate replacement proceeds as follows:
Extract the old certificate from your vCenter Server system or Platform Services Controller for later use.
Perform the certificate replacement, either by using the Certificate Manager utility or by running certificate management CLI commands.
Run the ls_update_certs script, passing in the old certificate and new certificate.