Password operations for NSXT service account user are failing in SDDC Manager with error: Failed to update NsxT Manager with SSO credentials. "Compute manager value: \"vCENTER_FQDN\"\n is not enabled for auth server."


Article ID: 312964


Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:

1. Password operations for the NSX-T service account user (remediate, rotate, or update) fail in SDDC Manager. domainmanager.log shows:

2023-07-06T13:27:59.966+0000 DEBUG [vcf_om,f6a20c0a621ba066,38d5] [c.v.v.p.helper.NsxtApiUtil,om-exec-30] Failed to update NSXT Compute Manager details : { "details" : "Compute manager value: \"vCENTER_FDQN\"\n is not enabled for auth server.", "error_code" : 90001, "module_name" : "inventory-mgmt", "error_message" : "Compute manager value: \"vCENTER_FDQN\"\n is not enabled for auth server." } with status :

2023-07-06T13:27:59.966+0000 ERROR [vcf_om,f6a20c0a621ba066,38d5] [c.v.v.p.u.d.NsxtManagerSsoUpdater,om-exec-30] Failed to update NsxT Manager with SSO credentials. {}

com.vmware.vcf.passwordmanager.exception.PasswordUpdateException: Compute manager value: "vCENTER_FDQN"
 is not enabled for auth server.

 

2. If the NSX-T service account password is changed from the vCenter UI ('Edit a vCenter Single Sign-On User'), and then in the NSX-T UI you browse to System >> Fabric >> Compute Manager >> Edit the Compute Manager >> click Edit again on the FQDN >> verify the service account username, enter the newly changed password, and click Save, the operation fails with the same error: "Compute manager value: \"vCENTER_FDQN\"\n is not enabled for auth server."

 

3. The NSX-T Manager log shows:

2023-02-03T16:45:31.690Z  NSX 9664 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="4f73239d-1908-4089-b40b-deb62c0a94d6" subcomp="cm-inventory" username="admin"] No com.vmware.cis.cs.identity.openidconnect endpoint found for VC vCENTER_FQDN

 


Environment

VMware Cloud Foundation 4.x

Cause

When connecting NSX-T to a compute manager, NSX-T tries to fetch the cs.identity openidconnect endpoint for that vCenter from the lookup service. If no such endpoint is registered for the vCenter in question, NSX-T fails to connect.

 

Resolution

Ensure you have taken the necessary backups of the components that will be changed (the vCenter and SDDC Manager VMs).

First, confirm that you are hitting the issue described in this KB using the following steps:

 

1. Open an SSH session to the vCenter Server Appliance 7.0 with embedded Platform Services Controller and run:

/usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk > /tmp/psc_services.txt

 

2. Run the following grep on psc_services.txt to list the currently registered 'cs.identity' services:

cat /tmp/psc_services.txt | grep -iE 'Service Type: cs.identity' -A10 | grep -iE 'Service Type: cs.identity|Service ID:|Owner ID:|URL:'

 

If no 'cs.identity' service is listed for the problematic VCSA/compute manager, proceed with the fix steps below:

 

0. Ensure you have taken proper snapshots of your SSO domain. This means that you must shut down all VCs or PSCs that are in the SSO domain at the same time, then snapshot them, and power them on again.

 

1. Open an SSH session to the vCenter Server Appliance and, once all services are started, run the following as a single-line command (taken from vmidentity-firstboot) to recreate the vCenter's entries in the LDAP directory:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /root/machine.crt && /usr/java/jre-vmware/bin/java -cp /usr/lib/vmware-lookupsvc/lib/*:/opt/vmware/lib64/*:/usr/lib/vmware-sso/commonlib/*:/usr/lib/vmware/common-jars/*:.:* -Dlog4j.configurationFile=/usr/lib/vmware-lookupsvc/conf/initls-log4j2.xml -Dvmware.log.dir=/var/log/vmware/sso/ -XX:ErrorFile=/var/log/vmware/sso/hs_err_stsinstaller_pid%p.log -XX:HeapDumpPath=/var/log/vmware/sso/ com.vmware.vim.lookup.tools.InitializeLookupService --cert-path /root/machine.crt --host-name $HOSTNAME --http-port 443

 

2. Confirm that a 'cs.identity' service is now listed for the problematic VCSA:

/usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk > /tmp/psc_services.txt

cat /tmp/psc_services.txt | grep -iE 'Service Type: cs.identity' -A10 | grep -iE 'Service Type: cs.identity|Service ID:|Owner ID:|URL:'

 

3. Restart the vCenter services and retry the remediate task from SDDC Manager; it should now complete successfully.
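The check in step 2 of both the confirmation and the fix (is a 'cs.identity' service registered for this vCenter?) can be scripted against the saved /tmp/psc_services.txt dump. The following is an added example, not part of this KB or of lstool.py: the label names come from the grep above, but the record layout of the constructed sample and the hostnames in it are assumptions.

```shell
# Constructed sample in the label/value layout used by the grep in this KB.
# vc01 has a cs.identity service; vc02 only has a vcenterserver entry.
SAMPLE_LSTOOL_OUTPUT='Service 1
-----------
Service ID: 11111111-aaaa-4bbb-8ccc-000000000001
Service Type: cs.identity
Owner ID: vc01.example.local@vsphere.local
Endpoints:
  Type: com.vmware.cis.cs.identity.openidconnect
  URL: https://vc01.example.local/openidconnect/vsphere.local

Service 2
-----------
Service ID: 11111111-aaaa-4bbb-8ccc-000000000002
Service Type: vcenterserver
Owner ID: vc02.example.local@vsphere.local
Endpoints:
  URL: https://vc02.example.local/sdk
'

# cs_identity_registered DUMP FQDN
# Prints the Service ID of the cs.identity service whose URL points at FQDN
# and returns 0; returns 1 when none exists (the state in which NSX-T logs
# "No com.vmware.cis.cs.identity.openidconnect endpoint found for VC ...").
cs_identity_registered() {
    dump=$1
    fqdn=$2
    printf '%s\n' "$dump" | awk -v fqdn="$fqdn" '
        /^Service [0-9]+$/ { sid = ""; type = ""; next }           # new record
        /^Service ID:/     { sub(/^Service ID:[[:space:]]*/, "");   sid = $0; next }
        /^Service Type:/   { sub(/^Service Type:[[:space:]]*/, ""); type = $0; next }
        /^[[:space:]]*URL:/ {
            sub(/^[[:space:]]*URL:[[:space:]]*/, "")
            # Only a cs.identity service whose endpoint is hosted on this FQDN counts.
            if (type == "cs.identity" && index($0, "https://" fqdn "/") == 1) {
                print sid; found = 1; exit
            }
            next
        }
        END { exit found ? 0 : 1 }
    '
}

# On the appliance itself (path from this KB; run after step 1 above):
#   cs_identity_registered "$(cat /tmp/psc_services.txt)" "$HOSTNAME"
```

A non-zero exit for the problematic vCenter confirms the condition in the Cause section and that the fix steps apply; a zero exit after the fix confirms the lookup service entry was recreated.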


Additional Information

Impact/Risks:

- The NSX-T service account cannot be updated, rotated, or remediated from SDDC Manager.

- NSX-T cannot be reconnected to the compute manager from the NSX-T UI.