VMware Identity Manager Directory Sync fails with Error 'Response from connector: Failed to complete dry run'

Article ID: 314594

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

 

  • Directory sync fails with the following errors:

     Response from connector: Failed to complete dry run.

     Failed to parse the response received from connector.


  • Unable to sync the domain users and groups from the VMware Identity Manager (vIDM) connectors.

  • Unable to log in to Aria Automation and Aria Lifecycle Manager using a domain user.

  • The /opt/vmware/horizon/workspace/logs/connector.log shows the following error:

    ERROR (Thread-#) com.vmware.horizon.connector.rest.SyncConfigurationRestController - Failed to complete dry run.
    com.vmware.horizon.connector.exception.HorizonException: Failed to load group DNs from directory
            at com.vmware.horizon.connector.admin.DirectorySyncConfigUpdateService.getUpdatedMappedGroupsFromAD(DirectorySyncConfigUpdateService.java:###) ~[classes/:3.3.7.0 Build 21173100]
            at com.vmware.horizon.connector.admin.DirectorySyncConfigUpdateService.updateDirectorySyncConfigFromService(DirectorySyncConfigUpdateService.java:86) ~[classes/:3.3.7.0 Build 21173100]
    Caused by: com.vmware.horizon.directory.DirectoryServiceException: Authentication failed for the given user name and password
            at com.vmware.horizon.connector.admin.LdapService.getGroups(LdapService.java:###) ~[classes/:3.3.7.0 Build 21173100]
  • The /opt/vmware/horizon/workspace/logs/connector-dir-sync.log shows the following error:

    ERROR (pool-####-thread-#) [;;;] com.vmware.horizon.directory.ldap.TrustedForestSearchService - Could not get value of RootDSE. Unable to get ObjectSid value for domain component of current directory settings.
    com.vmware.horizon.directory.DirectoryServiceException: Authentication failed for the given user name and password
            at com.vmware.horizon.directory.ldap.LdapConnector.createLdapContext(LdapConnector.java:####) ~[adapter-ldap-0.1.jar:3.3.7.0 Build 21173100]
            at com.vmware.horizon.directory.ldap.DirectoryHostResolutionService.setHostWhenUsingSrv(DirectoryHostResolutionService.java:##) ~[adapter-ldap-0.1.jar:3.3.7.0 Build 21173100]
    Caused by: com.vmware.horizon.directory.ldap.exceptions.KerberosAuthenticationException: Authentication failed for the given user name and password
            at com.vmware.horizon.directory.ldap.dc.service.KerberosConnectServiceWithOptimizedKDCLookup.getKerberosAuthenticatedSubject(KerberosConnectServiceWithOptimizedKDCLookup.java:###) ~[adapter-ldap-0.1.jar:3.3.7.0 Build 21173100]
            at com.vmware.horizon.directory.ldap.dc.service.DirectoryConnectService.getLdapContextForIwaDirectoryWithoutProvidedADHost(DirectoryConnectService.java:##) ~[adapter-ldap-0.1.jar:3.3.7.0 Build 21173100]
            ... 15 more
    Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:###)


  • The "connector.log" file contains error messages similar to:

    INFO  (Thread-12) com.vmware.horizon.client.rest.Utils - END   sendRequestBase (https://localhost/SAAS/t/VIDMHOST/API/1.0/REST/admin/sync/groups/AD-Group-ID/memberswithdirectness?size=10000&start=0, ..., application/json, GET, null, ...)
    
    ERROR (Thread-12) com.vmware.horizon.connector.mvc.UIAlerts - Failed to complete sync due to a problem with the service. Exception Info: The service reported that group: AD-GROUP-ID (ActiveDirectoryGroup@Domain) contains an unreported user: <AD-USER-ID>
    
    ERROR (Thread-12) com.vmware.horizon.connector.rest.SyncConfigurationRestController - Failed to complete dry run.com.vmware.horizon.client.rest.Exception.ApiException: The service reported that group: AD-GROUP-ID (ActiveDirectoryGroup@Domain) contains an unreported user: <AD-USER-ID>

Environment

VMware Identity Manager 3.3.x

Cause

This may be caused by:

  • Incorrect credentials in the Base DN / Bind DN section of the sync settings for this domain in vIDM
  • Invalid permissions on the 'krb5.conf' file (/usr/local/horizon/conf/krb5.conf)

    - The following exception appears in /opt/vmware/horizon/workspace/logs/connector.log on the vIDM node:

    ERROR (pool-158-thread-1) [;;;] com.vmware.horizon.connector.rest.DirectoryRestController - Failed to resolve and save domains.
    com.vmware.horizon.directory.DirectoryServiceException: Unable to populate KDCs
    at com.vmware.horizon.directory.ldap.dc.service.KerberosConnectServiceWithOptimizedKDCLookup.initializeKdcs(KerberosConnectServiceWithOptimizedKDCLookup.java:69) ~[adapter-ldap-0.1.jar:3.3.5.0 Build 18049997]
    at com.vmware.horizon.directory.ldap.dc.service.KerberosConnectServiceWithOptimizedKDCLookup.getKerberosAuthenticatedSubject(KerberosConnectServiceWithOptimizedKDCLookup.java:86) ~[adapter-ldap-0.1.jar:3.3.5.0 Build 18049997]
    at
    Caused by: java.nio.file.AccessDeniedException: /usr/local/horizon/conf/krb5.conf
    at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84) ~[?:1.8.0_292]
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) ~[?:1.8.0_292]
  • Unreported user within the Active Directory group synchronized with vIDM.

Resolution

Scenario 1: Incorrect credentials in the Base DN / Bind DN section of the sync settings for this domain in vIDM

  1. Update the directory configuration in VMware Identity Manager with the correct bind user password.

  2. Save the changes and re-trigger the directory synchronization.

  3. Verify that the sync completes successfully without errors. For additional guidance, refer to the following documentation: Sync Directory to Correct Domain Information

Scenario 2: Invalid permissions on the 'krb5.conf' file (/usr/local/horizon/conf/krb5.conf)

  1. Check the permissions of the conf folder on the primary node and on the replica nodes:
    • ls -l /usr/local/horizon
  2. If they are not the same, set the appropriate ownership and permissions on the conf folder of the replica nodes with the chown and chmod commands:
    • chown root:www /usr/local/horizon/conf
    • chmod 775 /usr/local/horizon/conf
  3. The permissions should then be:
    • drwxrwxr-x 11 root    www  4096 Nov 19 17:15 conf
  4. After setting the permissions, save the 'Domains' tab and resync the directory.
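As an added example that is not part of this article, the following POSIX shell function checks the conf folder of a node against the ownership and mode given above (root:www, 775) and reports any drift before a chown/chmod is applied; the path, owner, group and mode are parameters, and GNU stat (the -c option) is assumed, as on the appliance.

```shell
#!/bin/sh
# Added example, not from the KB article. Compares a directory's actual
# owner, group and octal mode against the expected values so that drift
# between the primary node and a replica node is visible before fixing it.
# Assumes GNU coreutils stat (stat -c), which the vIDM appliance provides.

# check_conf_perms DIR OWNER GROUP MODE
# Prints the actual owner:group and mode.
# Returns 0 when they match, 1 when they differ, 2 when DIR is missing.
check_conf_perms() {
    dir=$1
    want_owner=$2
    want_group=$3
    want_mode=$4

    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi

    # %U = owner name, %G = group name, %a = octal mode (e.g. 775)
    actual=$(stat -c '%U %G %a' "$dir") || return 2
    set -- $actual
    got_owner=$1
    got_group=$2
    got_mode=$3

    if [ "$got_owner" = "$want_owner" ] && [ "$got_group" = "$want_group" ] \
        && [ "$got_mode" = "$want_mode" ]; then
        echo "ok: $dir is $got_owner:$got_group $got_mode"
        return 0
    fi

    echo "drift: $dir is $got_owner:$got_group $got_mode," \
         "expected $want_owner:$want_group $want_mode"
    return 1
}

# Typical use on a node, with the values the article expects; only apply
# the chown/chmod from step 2 when this reports drift:
#   check_conf_perms /usr/local/horizon/conf root www 775
```

Run the same call on the primary node and on each replica node; a "drift" line on a replica identifies the folder to fix with the chown and chmod commands from step 2.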

Scenario 3: Unreported user within the Active Directory group synchronized with vIDM

Review the Active Directory group synchronized with vIDM and remove the unreported user ID.