The vmware-stsd service fails to start due to multiple machine accounts with the same sAMAccountName

Article ID: 326207

Products

VMware vCenter Server

Issue/Introduction

  • After changing the Primary Network Identifier (PNID) on the VCSA, the vmware-stsd service may fail to start
  • /var/log/vmware/sso/vmware-identity-sts.log :
    YYYY-MM-DDTHH:MM:SS ERROR sts[77:tomcat-http--30] [CorId=########-####-####-####-########b77a] [com.vmware.identity.idm.server.IdentityManager] Failed to get attributes for principal [[email protected]] in tenant [vsphere.local]
    YYYY-MM-DDTHH:MM:SS ERROR sts[77:tomcat-http--30] [CorId=########-####-####-####-########b77a] [com.vmware.identity.idm.server.ServerUtils] Exception 'java.lang.IllegalStateException:Internal error : duplicate entries were found

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

This is caused by the previous machine account entry not being removed from the VMDIR DB during a PNID change, leaving more than one machine account with the same value for the sAMAccountName attribute.

Resolution

Remove the stale machine account that has the same value for the sAMAccountName attribute as the PNID from the VMDIR DB using the commands below:

Note: Before making any changes on the vCenter server that modifies the VMware Directory instance, offline snapshots of all vCenters in the SSO domain are required.

  • To get a list of the machine account entries use the following commands:
     # SSO_DOMAIN_DN="dc=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost | sed -e 's/\./,dc=/g')"; ldapsearch -LLL -h localhost -b "ou=Domain Controllers,$SSO_DOMAIN_DN" -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" sAMAccountName -W

      Enter LDAP Password:
      dn: ou=Domain Controllers,dc=vsphere,dc=local

      dn: cn=x.x.x.x,ou=Domain Controllers,dc=vsphere,dc=local
      sAMAccountName: vcsa.example.com

      dn: cn=vcsa.example.com,ou=Domain Controllers,dc=vsphere,dc=local
      sAMAccountName: vcsa.example.com
  • Here we see there are two accounts with the same sAMAccountName. Assuming the current PNID is vcsa.example.com, proceed to remove the other entry:
    # ldapdelete -h localhost -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" -W "cn=x.x.x.x,ou=Domain Controllers,dc=vsphere,dc=local"
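Before running ldapdelete it is worth confirming, from the ldapsearch output alone, which entries actually share a sAMAccountName and which of them is not the current PNID. The shell function below is an added example, not part of this article: it parses the LDIF that the ldapsearch command above prints and lists only the stale candidates, so the DN passed to ldapdelete is taken from the data rather than typed by hand. The sample LDIF is constructed to match the article's output; obtaining the current PNID with vmafd-cli get-pnid is an assumption, not shown in the article.

```shell
#!/bin/sh
# find_stale_dc_entries PNID < ldif
#   Reads ldapsearch -LLL output for ou=Domain Controllers and prints the DN of
#   every entry whose sAMAccountName is shared with another entry and whose cn
#   is not the current PNID. Exit 0 when at least one stale entry was printed,
#   exit 1 when the directory is clean (nothing to delete).
find_stale_dc_entries() {
    awk -v pnid="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^dn: /             { dn = substr($0, 5); next }
        /^sAMAccountName: / { sam = tolower(substr($0, 17)); n[sam]++; dns[sam] = dns[sam] "\n" dn }
        END {
            stale = 0
            for (sam in n) {
                if (n[sam] < 2) continue           # unique name: this entry is fine
                m = split(dns[sam], list, "\n")
                for (i = 2; i <= m; i++) {         # list[1] is the empty lead element
                    split(list[i], rdn, ",")       # first RDN is cn=<name>
                    if (tolower(substr(rdn[1], 4)) != pnid) { print list[i]; stale = 1 }
                }
            }
            exit (stale ? 0 : 1)
        }'
}

# Constructed sample: the same two Domain Controllers entries the article shows.
SAMPLE_LDIF='dn: ou=Domain Controllers,dc=vsphere,dc=local

dn: cn=x.x.x.x,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com

dn: cn=vcsa.example.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com
'

# Offline run against the sample; prints the x.x.x.x DN, the one to hand to ldapdelete.
printf '%s' "$SAMPLE_LDIF" | find_stale_dc_entries vcsa.example.com || true

# Live run on the appliance (assumed: vmafd-cli get-pnid returns the current PNID):
#   SSO_DOMAIN_DN="dc=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost | sed -e 's/\./,dc=/g')"
#   PNID="$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)"
#   ldapsearch -LLL -h localhost -b "ou=Domain Controllers,$SSO_DOMAIN_DN" \
#       -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" -W sAMAccountName | find_stale_dc_entries "$PNID"
```

Review the printed DN against the snapshot requirement above before deleting it; the function only reports, it never modifies the directory.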


Additional Information

Alternate option: Using any LDAP browser (JXplorer in this case)

  • In the left pane expand Local > SSO_Domain > Domain Controllers. If there are two entries with the same sAMAccountName value, remove the stale machine account entry (x.x.x.x) under Domain Controllers.
  • To remove the old entry, select the duplicate/stale PNID entry, right-click, and choose Delete.