Failed to prepare ESXi host for NSX install on vSphere cluster configured with vLCM
Article ID: 316000

Products

VMware NSX, VMware vSphere ESXi

Issue/Introduction

  • Preparing an ESXi host for NSX install fails on a vSphere cluster configured with vLCM.
  • The NSX integration might fail.
  • In the vCenter vSphere Cluster UI, under Updates (vLCM), the message "The cluster needs remediation to finish enabling these Solutions: VMware NSX-T 4.0.1.1.0." is shown.
  • The remediation pre-check fails with the error "Failed to run health checks for NSX-T on '<ClusterName>'".

Environment

VMware vSphere ESXi 8.0
VMware NSX 4.0.0.1

Cause

Domain names are case-insensitive. This causes problems when the domain name is used in case-sensitive strings, such as the OIDC issuer URL.

In the example below, the SSO domain is vsphere.local, but the OIDC URL is obtained with the tenant spelled vSphere.LOCAL (note the difference in case):

  "oidc_uri": "https://vc_fqdn/openidconnect/vSphere.LOCAL/.well-known/openid-configuration"

Resolution

vCenter: The fix is included in vSphere 8.0 U1 and later.

NSX: The fix is included in NSX 4.1.1.

Workaround:

There are two workarounds gathered from two engineering reports.

Workaround from VC SSO

Note: Take an offline snapshot of all vCenter Servers before proceeding.

Using JXplorer, modify the default tenant string:

Navigate to the DN:

cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local

Modify the attribute vmwSTSDefaultTenant from vSphere.LOCAL to vsphere.local (following the example given under Cause).

Restart the vCenter services.

Workaround from NSX

  • Get the existing OIDC entries from NSX:

GET https://nsxmgr_fqdn/api/v1/trust-management/oidc-uris

------------------------------------------------------------------------------------------------------------------------------------------

{
    "results": [
        {
            "oidc_uri": "https://vc_fqdn/openidconnect/vsphere.local/.well-known/openid-configuration",
            "thumbprint": "###########",
            "oidc_type": "vcenter",
            "scim_endpoints": [],
            "claim_map": [],
            "serviced_domains": [],
            "restrict_scim_search": false,
            "end_session_endpoint_uri": "https://vc_fqdn/openidconnect/logout/vsphere.local",
            "issuer": "https://vc_fqdn/openidconnect/vsphere.local",
            "jwks_uri": "https://vc_fqdn/openidconnect/jwks/vsphere.local",
            "token_endpoint": "https://vc_fqdn/openidconnect/token/vsphere.local",
            "claims_supported": [],
            "override_roles": [],
            "resource_type": "OidcEndPoint",
            "id": "49037282c7a708d6f22ee3b49fd###############################################",
            "display_name": "49037282c7a708d6f22ee3b4##############################################",
            "_create_time": 1675162497329,
            "_create_user": "admin",
            "_last_modified_time": 1675162497329,
            "_last_modified_user": "admin",
            "_system_owned": false,
            "_protection": "NOT_PROTECTED",
            "_revision": 0
        }
    ]
}

------------------------------------------------------------------------------------------------------------------------------------------

  • Delete the OIDC URI entry returned above:

DELETE https://nsxmgr_fqdn/api/v1/trust-management/oidc-uris/49037282c7a708d6f22ee3b###################################

 

  • Create a new OIDC entry:

POST https://{{mp_server}}/api/v1/trust-management/oidc-uris/

with the payload below:

 

{
    "oidc_uri": "https://vc_fqdn/openidconnect/vSphere.LOCAL/.well-known/openid-configuration",
    "thumbprint": "1db82027acceeb65ad0############################################",
    "oidc_type": "vcenter",
    "scim_endpoints": [],
    "claim_map": [],
    "serviced_domains": [],
    "restrict_scim_search": false,
    "end_session_endpoint_uri": "https://vc_fqdn/openidconnect/logout/vsphere.local",
    "issuer": "https://vc_fqdn/openidconnect/vsphere.local",
    "jwks_uri": "https://vc_fqdn/openidconnect/jwks/vsphere.local",
    "token_endpoint": "https://vc_fqdn/openidconnect/token/vsphere.local",
    "claims_supported": [],
    "override_roles": [],
    "resource_type": "OidcEndPoint",
    "id": "49037282c7a708d6f22########################################################",
    "display_name": "49037282c7a7#############################################################"
}

 

The payload above is identical to the deleted entry except that oidc_uri now uses the tenant spelling vSphere.LOCAL, as shown under Cause.
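A small check for the NSX side of this workaround, added here as an example and not part of the article or of any VMware tooling: it reads a GET /api/v1/trust-management/oidc-uris response like the one shown above, flags entries whose tenant segment differs from the vmwSTSDefaultTenant value only in case, and builds the corrected POST body. The expected tenant spelling is an input you supply (for example, read from the LDAP attribute named in the VC SSO workaround); the URL pattern is assumed from the article's own examples, and the sample response is constructed with placeholders for thumbprint and id.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the GET oidc-uris response from the article, trimmed to
# the relevant fields; thumbprint and id are placeholders, not real values.
SAMPLE_OIDC_URIS = {
    "results": [{
        "oidc_uri": "https://vc_fqdn/openidconnect/vsphere.local/.well-known/openid-configuration",
        "thumbprint": "<thumbprint-placeholder>",
        "oidc_type": "vcenter",
        "issuer": "https://vc_fqdn/openidconnect/vsphere.local",
        "jwks_uri": "https://vc_fqdn/openidconnect/jwks/vsphere.local",
        "token_endpoint": "https://vc_fqdn/openidconnect/token/vsphere.local",
        "end_session_endpoint_uri": "https://vc_fqdn/openidconnect/logout/vsphere.local",
        "resource_type": "OidcEndPoint",
        "id": "<id-placeholder>",
        "display_name": "<id-placeholder>",
        "_revision": 0,
    }]
}

# Assumed URL shape, taken from the article: .../openidconnect/<tenant>/.well-known/openid-configuration
TENANT_RE = re.compile(r"/openidconnect/([^/]+)/\.well-known/openid-configuration$")

def tenant_from_oidc_uri(oidc_uri):
    """Return the tenant segment of a vCenter OIDC discovery URL, or None."""
    m = TENANT_RE.search(urlsplit(oidc_uri).path)
    return m.group(1) if m else None

def find_case_mismatches(oidc_uris, sts_default_tenant):
    """Entries whose tenant equals vmwSTSDefaultTenant ignoring case but not
    byte-for-byte. Issuer URLs are compared as case-sensitive strings (see
    Cause), so a case difference alone is enough to break validation."""
    bad = []
    for entry in oidc_uris.get("results", []):
        tenant = tenant_from_oidc_uri(entry.get("oidc_uri", ""))
        if tenant and tenant != sts_default_tenant and tenant.lower() == sts_default_tenant.lower():
            bad.append(entry)
    return bad

def build_replacement_payload(entry, sts_default_tenant):
    """POST body for the NSX workaround: the deleted entry with the tenant segment
    of oidc_uri rewritten to the STS spelling, minus the "_"-prefixed metadata
    fields, which the article's POST payload also omits."""
    old = tenant_from_oidc_uri(entry["oidc_uri"])
    payload = {k: v for k, v in entry.items() if not k.startswith("_")}
    payload["oidc_uri"] = entry["oidc_uri"].replace(
        f"/openidconnect/{old}/", f"/openidconnect/{sts_default_tenant}/")
    return payload
```

Run find_case_mismatches against the live GET response first; only entries it returns need the DELETE and POST steps above.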

 

Additional Information

Impact/Risks:

NSX 4.0.1.1.0 cannot be deployed, because this error prevents the ESXi hosts from being prepared.