Requests on a deployment fail when the current owner user account has been modified, deleted, or disabled in Active Directory.

Article ID: 326096

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
There are two known cases of this issue affecting vRealize Automation 7.2 through 7.4.

Both cases share these symptoms:
  • The deployment owner no longer has a user account in Active Directory.
  • The deployment owner's user account has been disabled in Active Directory.
  • The deployment owner's user principal name (UPN) has been modified in Active Directory.
Case #1 Unique Symptoms:
  • The provisioning request fails when the request has an approval policy that includes the missing user among the approvers, with messages similar to:
"The Request approval has returned with an Error"
  • /var/log/vmware/vcac/catalina.out contains messages similar to:
2018-02-07 08:50:09,114 vcac: [component="cafe:approvals" priority="INFO" thread="queue-pool-executer-2" tenant="" context="DZzuUSMb" parent="dbpZxbsb" token="gNaDHLoy"] com.vmware.vcac.core.approvals.service.evaluation.ApprovalEvaluator.evaluate:35 - Starting evaluation of requested item approval 75e75057-cfe7-407f-b161-30ec0641671f

2018-02-07 08:50:09,141 vcac: [component="cafe:approvals" priority="INFO" thread="queue-pool-executer-2" tenant="" context="DZzuUSMb" parent="dbpZxbsb" token="gNaDHLoy"] com.vmware.vcac.core.approvals.service.evaluation.ApprovalLevelEvaluator.evaluate:61 - Criteria met for Level#1: My approval

2018-02-07 08:50:09,198 vcac: [component="cafe:identity" priority="ERROR" thread="tomcat-http--47" tenant="vsphere.local" context="DZzuUSMb" parent="umS5SPpT" token="FFg3ohxu"] com.vmware.vcac.authentication.service.impl.PrincipalWrapperFactoryImpl.create:60 - Could not find principal '[email protected]' in tenant 'someTenant'

2018-02-07 08:50:09,200 vcac: [component="cafe:catalog" priority="ERROR" thread="tomcat-http--9" tenant="vsphere.local" context="DZzuUSMb" parent="gNaDHLoy" token="umS5SPpT"] com.vmware.vcac.platform.content.data.provider.CompositeDataProvider.getData:60 - Error retrieving data from component provider with prefix: organization.subTenant~

Case #2 Unique Symptoms:
  • The change-ownership request fails, and the owner of the machine or deployment cannot be changed.
  • /var/log/vmware/vcac/catalina.out contains messages similar to:
[UTC:2018-06-27 08:33:36,581 Local:2018-06-27 10:33:36,581] vcac: [component="cafe:catalog" priority="INFO" thread="queue-pool-executer-2" tenant="generic" context="WmJfzDgK" parent="WmJfzDgK" token="uG1zyFHg"] com.vmware.vcac.catalog.service.impl.RequestServiceImpl.init:371 - ResourceActionRequest [RequestId ="8d60967a-7382-4b23-b14f-9765c9800728" RequestNumber="25090" RequestedBy="someRequester@someDomain" RequestedFor="someRequester@someDomain" ResourceId="51314937-403d-4d16-9de8-385f0352b86d" ResourceName="UUICSV1015" ResourceActionId= "58b618c0-bc8e-4e0f-be1b-5699241adc8e" ResourceActionName="{com.vmware.csp.component.cafe.composition@resource.action.deployment.changeowner.name}" TenantName="Generic" SubtenantName="SomeBusinessGroup"] : Initializing request at provider

[UTC:2018-06-27 08:33:36,852 Local:2018-06-27 10:33:36,852] vcac: [component="cafe:composition-service" priority="INFO" thread="tomcat-http--14" tenant="generic" context="WmJfzDgK" parent="uG1zyFHg" token="SafM8Vzh"] com.vmware.vcac.composition.service.impl.AbstractLifecycleActionRequestHandler.setRequestedFor:399 - CatalogPrincipal[ref: [email protected], tenantName: someTenantName, type: USER, value: import admin] is an owner (of 1) of deployment cafeResourceId: 51314937-403d-4d16-9de8-385f0352b86d selected as the requestedFor for BR id: 8825ce0e-d8f3-4689-a2a8-97a8a8a72829

[UTC:2018-06-27 08:33:37,078 Local:2018-06-27 10:33:37,078] vcac: [component="cafe:catalog" priority="ERROR" thread="tomcat-http--31" tenant="generic" context="WmJfzDgK" parent="SafM8Vzh" token="igOKRcFb"] com.vmware.vcac.catalog.suite.impl.AuthenticationServiceGatewayImpl.lookupTugUser:437 - User [Name = "" TenantName ="" PrincipalId ="[email protected]"] : Unable to retrieve user by id org.springframework.web.client.HttpClientErrorException: 404


Environment

VMware vRealize Automation 7.2.x
VMware vRealize Automation 7.3.x
VMware vRealize Automation 7.4.x

Cause

  • The deployment owner's account has been modified, disabled, or deleted in Active Directory.
  • The provisioning request fails because the approval level cannot be evaluated for a principal that no longer resolves.

Resolution

This issue is resolved in vRealize Automation 7.5.

Workaround:
  1. Determine whether the deployment owner's user account was deleted or disabled in Active Directory.
Note: If the user account is only disabled, temporarily re-enable it in order to change the deployment owner in vRealize Automation.
  2. If the user account has been deleted from Active Directory, run the queries below on the vRealize Automation vPostgres database.
    1. Take a full backup of the vPostgres database first. See How to export embedded Postgres DB from vRealize Automation appliance (KB2074214).
  3. SSH to the vRealize Automation Appliance.
  4. Log in to the vPostgres database:
    1. su postgres
    2. psql
    3. \c vcac
Case #1:
  1. Isolate the principalid of the offending user in the logs (the PrincipalId shown in the catalina.out error).
  2. Execute the statements below using the offending user's principalid:
select * from subtenantrole_principalid where principalid = '[email protected]';
delete from subtenantrole_principalid where principalid = '[email protected]';

-- cat_entitlement_principals is keyed by the cat_principal id, so the user is looked up by ref first
select * from cat_entitlement_principals where principal_id = (select id from cat_principal where ref = '[email protected]');
delete from cat_entitlement_principals where principal_id = (select id from cat_principal where ref = '[email protected]');
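The same case #1 cleanup, as an added example that is not part of this article, wrapped in a transaction so the rows actually removed can be reviewed before anything is committed. Table and column names are the ones the article uses; the principal id is a constructed placeholder set through a psql variable, and the `:'var'` quoting form assumes psql 9.0 or later.

```sql
-- Added example (not from the KB): case #1 cleanup as a dry-run transaction.
-- Stop on the first error so a failed statement cannot leave a half-applied change.
\set ON_ERROR_STOP on

-- Constructed placeholder: replace with the principalid isolated from catalina.out.
\set old_owner 'someUser@someDomain'

BEGIN;

-- Business-group role rows are keyed directly by the UPN string.
-- RETURNING echoes every removed row so it can be checked against the log entry.
DELETE FROM subtenantrole_principalid
 WHERE principalid = :'old_owner'
 RETURNING *;

-- Entitlement rows are keyed by the cat_principal surrogate id, not by the UPN,
-- so the principal is resolved by its ref first. If the ref has no cat_principal
-- row the subquery yields NULL, the WHERE matches nothing and DELETE 0 is reported.
DELETE FROM cat_entitlement_principals
 WHERE principal_id = (SELECT id FROM cat_principal WHERE ref = :'old_owner')
 RETURNING *;

-- Dry run: nothing is kept. Replace ROLLBACK with COMMIT only once the returned
-- rows are exactly the ones expected for this principal.
ROLLBACK;
```

Run it interactively inside `psql` after `\c vcac`, or save it to a file and run `psql -d vcac -f cleanup.sql`; in either case the explicit ROLLBACK means the first pass only shows what would be deleted, and the DELETE counts in psql's output should match the row counts from the SELECT statements in the article.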


Case #2:
  1. Ensure that the new owner of the deployment has a record in the cat_principal table:
SELECT COUNT(id) FROM cat_principal WHERE ref = '[email protected]';
  2. If the new owner does not have a record in this table, create a temporary Entitlement:
    1. Open the Administration Tab > Catalog Management > Entitlement:
    2. Select New
    3. Change the Status to Active
    4. Select the Business Group that the new owner is member of
    5. Uncheck "All Users and Groups"
    6. Search for the user and add the user to the Entitlement.
    7. Add the target user under the "Users and Groups" section.
    8. Select Next and Finish
    9. Rerun the query to confirm the new owner now has a record in the cat_principal table: SELECT COUNT(id) FROM cat_principal WHERE ref = '[email protected]';
    10. Delete the entitlement once the user is found in the cat_principal table
  3. Replace all resources owned by the current owner with the new owner (the first ref is the new owner, the second ref is the current owner):
UPDATE cat_resource_owners SET "owner_id" = (SELECT id FROM cat_principal WHERE ref = '[email protected]' /* new owner */) WHERE "owner_id" = (SELECT id FROM cat_principal WHERE ref = '[email protected]' /* current owner */);
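The case #2 ownership transfer, as an added example that is not part of this article, run as a transaction that refuses to proceed when the new owner has no cat_principal record (the situation the temporary entitlement step exists to fix). Table and column names come from the article; both UPNs are constructed placeholders held in psql variables, and the `:'var'` quoting form assumes psql 9.0 or later.

```sql
-- Added example (not from the KB): case #2 owner transfer as a guarded dry run.
\set ON_ERROR_STOP on

-- Constructed placeholders: current (orphaned) owner and the new owner.
\set old_owner 'someUser@someDomain'
\set new_owner 'someOtherUser@someDomain'

BEGIN;

-- Precondition check: exactly one catalog principal must exist for the new owner.
-- A count of 0 means the temporary entitlement has not been created yet.
SELECT COUNT(id) AS new_owner_records
  FROM cat_principal
 WHERE ref = :'new_owner';

-- The EXISTS guard keeps the UPDATE from writing a NULL owner_id when the new
-- owner is unknown; in that case UPDATE 0 is reported and nothing changes.
-- If the current owner has no cat_principal row, the WHERE also matches nothing.
UPDATE cat_resource_owners
   SET owner_id = (SELECT id FROM cat_principal WHERE ref = :'new_owner')
 WHERE owner_id = (SELECT id FROM cat_principal WHERE ref = :'old_owner')
   AND EXISTS (SELECT 1 FROM cat_principal WHERE ref = :'new_owner')
 RETURNING *;

-- Confirm no resource still points at the old owner before committing.
SELECT COUNT(*) AS still_owned_by_old_owner
  FROM cat_resource_owners
 WHERE owner_id = (SELECT id FROM cat_principal WHERE ref = :'old_owner');

-- Dry run: replace ROLLBACK with COMMIT once the returned rows and the final
-- count (expected 0) look right.
ROLLBACK;
```

The RETURNING clause lists every reassigned resource row, which is the record worth keeping alongside the database backup taken in the workaround's first step; the final count should be 0 before the transaction is committed.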