After upgrading to VMware vRealize Automation 6.1, the shell-ui-app and iaas-service services show as FAILED, cannot access tenants or reports Insufficient access error in the VMware vRealize Automation logs
Article ID: 342146

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
After upgrading to VMware vRealize Automation 6.1 (formerly known as VMware vCloud Automation Center for Server), you may see any of these symptoms listed in the service status on the VMware vRealize Automation appliance management web page (https://FQDN:5480):
  • shell-ui-app and iaas-service show as FAILED, all other services show as REGISTERED.
  • You cannot access tenants other than the default tenant (https://FQDN/vCAC).
  • All services show as REGISTERED and you may be able to access tenants other than the default tenant. However, you will be unable to access the infrastructure tab.
  • In the catalina.out log file, located at /var/log/vmware/vcac/, you see an entry similar to:

    YYYY-MM-DD TIME,387 vcac: [component="cafe:identity" priority="ERROR" thread="tomcat-http--1" tenant] com.vmware.vim.sso.client.impl.SoapBindingImpl.sendMessage:133 - SOAP fault
    javax.xml.ws.soap.SOAPFaultException: Error occured looking for solution user :: Insufficient access



Environment

VMware vCloud Automation Center for Desktop 6.1.x
VMware vCloud Automation Center for Server 6.1.x

Cause

This issue occurs due to an expiration flag that affects the internal administrative accounts within SSO.
 
The shell-ui-app and iaas-service accounts may fail if you have upgraded the VMware vRealize Automation Identity appliance, but have not run the time out fix against ALL tenants in the VMware vRealize Automation (formerly known as VMware vCloud Automation Center for Server) Identity appliance.

Resolution

This issue is resolved in VMware vRealize Automation 6.2, available at VMware Downloads. For more information, see the VMware vRealize Automation 6.2 Release Notes.

For more information, see vCloud Automation Center 6.0.x tenants become inaccessible and identity stores disappear (2075011).

If upgrading to this version is not an option, follow the workaround.

To work around this issue, disable password expiration:

Using vCenter SSO in a vCenter Appliance

Note: Replace tenant_name with the URL name of your tenant(s).

To disable password expiration when using vCenter SSO in a vCenter Appliance:

  1. Open an SSH connection to vCenter Server.
  2. Run this command to reset the account control flag:

    /opt/likewise/bin/ldapmodify -H ldap://localhost:11711 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF
    dn: cn=administrator,cn=users,dc=tenant_name
    changetype: modify
    replace: userAccountControl
    userAccountControl: 0
    EOF

    Response: modifying entry "cn=administrator,cn=users,dc=tenant_name."


  3. Run this command to disable password expiration for the account:

    /opt/likewise/bin/ldapmodify -H ldap://localhost:11711 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF
    dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
    changetype: modify
    add: member
    member: cn=administrator,cn=users,dc=tenant_name
    EOF

    Response: modifying entry "cn=DCAdmins,cn=builtin,dc=vsphere,dc=local"

    Note: You are prompted for the password of the bind account (cn=administrator,cn=users,dc=vsphere,dc=local) when running this command.
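
Because the Cause section notes that the fix must be run against ALL tenants, the following added example (not part of the VMware article) generates the two LDIF records from the workaround for every tenant in a list, so that none is missed. The function names, the sample tenant names and the allowed character set for tenant names are assumptions; the records use the hyphen-terminated form shown in the Windows procedure.

```shell
#!/bin/sh
# Added example: build the two LDIF modify records from the workaround for
# every tenant. Tenant names in the usage comment are constructed samples.

# Reject anything that is not a plain URL-style tenant name (assumed charset),
# so a stray comma, space or newline cannot alter the DN or inject LDIF lines.
valid_tenant() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit both records for one tenant: reset userAccountControl, then add the
# tenant administrator to the DCAdmins group (same content as the page's LDIF).
tenant_ldif() {
    valid_tenant "$1" || { echo "invalid tenant name: $1" >&2; return 1; }
    cat <<EOF
dn: cn=administrator,cn=users,dc=$1
changetype: modify
replace: userAccountControl
userAccountControl: 0
-

dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
changetype: modify
add: member
member: cn=administrator,cn=users,dc=$1
-

EOF
}

# Emit records for every tenant given; produce no output if any name is bad.
all_tenants_ldif() {
    for t in "$@"; do
        valid_tenant "$t" || { echo "invalid tenant name: $t" >&2; return 1; }
    done
    for t in "$@"; do
        tenant_ldif "$t"
    done
}

# Review the generated LDIF, then pipe it to the command from step 2:
#   all_tenants_ldif tenant1 tenant2 | /opt/likewise/bin/ldapmodify \
#     -H ldap://localhost:11711 -x \
#     -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W
```

Keeping the generated LDIF alongside the change record documents exactly which tenant administrators were added to DCAdmins.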

VMware vRealize Automation using Windows installation of vCenter SSO for tenant authentication

To disable password expiration if VMware vRealize Automation is using a Windows installation of vCenter Appliance-based SSO for tenant authentication:
  1. Open an elevated command prompt.
  2. Run this command to create a temporary directory:

    mkdir c:\temp

  3. Run this command to change directories:

    cd c:\temp

  4. Run this command to create the UserAccountControl.ldif file in Notepad:

    notepad UserAccountControl.ldif

  5. Copy and paste these contents into the UserAccountControl.ldif file:

    dn: cn=administrator,cn=users,dc=tenant_name
    changetype: modify
    replace: userAccountControl
    userAccountControl: 0
    -

    Notes:
    • Replace tenant_name with the URL name of your tenant.
    • Be sure to include the hyphen on the last line (do not omit the hyphen).

  6. Save and close the UserAccountControl.ldif file.
  7. Run this command to create the PasswordExpiration.ldif file in Notepad:

    notepad PasswordExpiration.ldif

  8. Copy and paste these contents into the PasswordExpiration.ldif file:

    dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
    changetype: modify
    add: member
    member: cn=administrator,cn=users,dc=tenant_name
    -

    Notes:

    • Replace tenant_name with the URL name of your tenant.
    • Be sure to include the hyphen on the last line (do not omit the hyphen).

  9. Save and close the PasswordExpiration.ldif file.
  10. Run these commands to modify the user account control configuration and password expiration using the files created earlier in this procedure:

    Note: If the ldifde executable is not available, run this command to install it:

    ServerManagerCmd -i RSAT-ADDS-Tools

    Note: ServerManagerCmd is deprecated and is not available in Windows Server 2012. For more information, see Microsoft TechNet.

    Note: The preceding link was correct as of September 22, 2014. If you find the link is broken, provide feedback and a VMware employee will update the link.

    1. Run this command to modify the user account control configuration:

      ldifde -i -f UserAccountControl.ldif -s localhost -t 11711 -a "cn=Administrator,cn=Users,dc=vsphere,dc=local" *

      When prompted, type the password for the account given with -a (cn=Administrator,cn=Users,dc=vsphere,dc=local).

    2. Run this command to modify the password expiration:

      ldifde -i -f PasswordExpiration.ldif -s localhost -t 11711 -a "cn=Administrator,cn=Users,dc=vsphere,dc=local" *

      When prompted, type the password for the account given with -a (cn=Administrator,cn=Users,dc=vsphere,dc=local).

To troubleshoot ALL tenants in your Identity Server if only shell-ui-app and iaas-service services are showing as FAILED, see vCloud Automation Center 6.0.x tenants become inaccessible and identity stores disappear (2075011).


Additional Information

See also: VMware vRealize Automation 6.0.x tenants are inaccessible and identity stores disappear