Execution of workflow "Add an IaaS Host" and "Update an IaaS Host" fails in vRealize Automation 7.4 and above

Article ID: 326051

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • Executing the "Add an IaaS Host" or "Update an IaaS Host" workflow fails
  • Shared Session NTLM authentication is configured within Internet Information Services (IIS)
  • The executing user is an account that is not a member of the Administrators group on the IaaS Host
  • Server.log / Scripting.log will contain errors similar to:
item: 'Update an IaaS host/item2', state: 'failed', business state: 'null', exception: 'com.vmware.o11n.plugin.dynamicops.ServiceException: HTTP/1.1 403 Forbidden : Access denied (domain\username). Entity HostNamePrefixException has been thrown by the target of an invocation.System.Reflection.TargetInvocationException   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Data.Services.DataServiceConfiguration.ComposeResourceContainer(IDataService service, ResourceSetWrapper container, Expression queryExpression)Access denied (domain\username). Entity HostNamePrefixSystem.Data.Services.DataServiceException   at DynamicOps.Repository.Runtime.ServiceModel.Data.RepositoryDataService`2.InternalOnQueryEntity[TEntity](Int32 entityId) (Workflow:Update an IaaS host / Update the host (item0)#16)'
workflow: 'Update an IaaS host' (ae371706-13cb-41ec-99e3-0aecbe4425dc) 
|  'attribute': name=errorCode type=string value=com.vmware.o11n.plugin.dynamicops.ServiceException: HTTP/1.1 403 Forbidden : Access denied (domain\username). Entity HostNamePrefixException has been thrown by the target of an invocation.System.Reflection.TargetInvocationException   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Data.Services.DataServiceConfiguration.ComposeResourceContainer(IDataService service, ResourceSetWrapper container, Expression queryExpression)Access denied (domain\username). Entity HostNamePrefixSystem.Data.Services.DataServiceException   at DynamicOps.Repository.Runtime.ServiceModel.Data.RepositoryDataService`2.InternalOnQueryEntity[TEntity](Int32 entityId) (Workflow:Update an IaaS host / Update the host (item0)#16)


Environment

VMware vRealize Automation 7.5.x
VMware vRealize Automation 7.4.x

Cause

Account privilege requirements have been increased to resolve potential security concerns when using NTLM authentication.

Resolution

Add the executing user of the aforementioned workflows as an Administrator on the Windows IaaS Web component virtual machine hosting Web API (WAPI) services.
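
To find which account the resolution applies to, the denied account can be read from the 403 signature shown in the Symptoms log. The script below is an added example, not VMware's code: the function name denied_accounts, the sample lines, and the EXAMPLE\svc-vro and EXAMPLE\jdoe accounts are constructed for illustration.

```python
import re
from collections import defaultdict

# Failure signature from the Symptoms log. The entity name runs straight into
# the next message ("HostNamePrefixException has been thrown"), so stop there.
DENIED = re.compile(
    r"HTTP/1\.1 403 Forbidden : Access denied \((?P<account>[^)]+)\)\. "
    r"Entity (?P<entity>\w+?)(?:Exception has been thrown|\b)"
)
# Workflow name from the "item: '<workflow>/<item>'" prefix, when present.
ITEM = re.compile(r"item: '(?P<workflow>[^'/]+)/")


def denied_accounts(lines):
    """Map each denied account to its hit count, entities and workflows."""
    report = defaultdict(lambda: {"hits": 0, "entities": set(), "workflows": set()})
    for line in lines:
        denied = DENIED.search(line)
        if not denied:
            continue
        entry = report[denied["account"]]
        entry["hits"] += 1
        entry["entities"].add(denied["entity"])
        item = ITEM.search(line)
        if item:
            entry["workflows"].add(item["workflow"])
    return dict(report)


# Constructed sample lines in the article's log shape; accounts are placeholders.
ERR = "com.vmware.o11n.plugin.dynamicops.ServiceException: HTTP/1.1 403 Forbidden : Access denied "
TAIL = "Exception has been thrown by the target of an invocation."
SAMPLE_LOG = [
    "item: 'Update an IaaS host/item2', state: 'failed', business state: 'null', "
    "exception: '" + ERR + r"(EXAMPLE\svc-vro). Entity HostNamePrefix" + TAIL,
    "|  'attribute': name=errorCode type=string value=" + ERR
    + r"(EXAMPLE\svc-vro). Entity HostNamePrefix" + TAIL,
    "item: 'Add an IaaS host/item1', state: 'failed', business state: 'null', "
    "exception: '" + ERR + r"(EXAMPLE\jdoe). Entity HostNamePrefix",
    "item: 'Update an IaaS host/item0', state: 'completed', business state: 'null'",
]

if __name__ == "__main__":
    for account, info in sorted(denied_accounts(SAMPLE_LOG).items()):
        print(account, info["hits"], sorted(info["entities"]), sorted(info["workflows"]))
```

Pass it the lines of Server.log or Scripting.log in place of SAMPLE_LOG; each key of the result is an account that was refused and is a candidate for review before it is granted Administrator membership.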

Additional Information

Reproduction in vRealize Automation 7.3 and below:

  • Open the vRealize Orchestrator JNLP or Java client
  • Change the drop-down to "Run"
  • Navigate to the Workflow tab
  • Navigate to Library > vRealize Automation > Infrastructure Administration > Configuration
  • Run the workflow "Update an IaaS Host"
    • Select NTLM for "Host's authentication type"
    • Enter the "Authentication user name" of an account that does not have Administrator privileges
    • Enter the Domain name for "Domain for NTLM authentication"
    • Submit the workflow

vRealize Automation 7.4 - Accounts and Passwords