vCenter Server 6.7/7.0 vCenter Server Appliance Authentications Fail until Reboot or are Intermittently Slow

Article ID: 342877

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
All authentication fails until reboot (likewise deadlock).

Authentication is intermittently slow due to likewise agents hanging for 1-5 minutes.
 
Root logins to the console or SSH may fail.

A large number of open policy failures appear in messages.log (/var/log/vmware/messages):
2020-11-13T01:54:22.917228+00:00 lsassd[1421]: 0x7f3956495700:[AD_NetLookupObjectSidByName() ../lsass/server/auth-providers/ad-open-provider/adnetapi.c:414] Failed to find user, group, or domain by name (name = '[email protected]', searched host = 'DC.domain.com') -> error = 40098, symbol = LW_ERROR_RPC_OPENPOLICY_FAILED

The vmware-identity-sts.log (/var/log/vmware/sso) stops logging until reboot. For example:

In the reference below, stsd stops logging at 2020-10-25T11:11:47.564Z and resumes after the reboot at 2020-10-25T12:09:13.074Z.
[2020-10-25T11:11:47.564Z tomcat-http--151 vsphere.local        f164da31-2dca-4719-af50-429ada9433f1 INFO com.vmware.identity.sts.ws.handlers.SOAPHeadersExtractor] Found 1 {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security headers
[2020-10-25T12:09:13.074Z tomcat-http--14 WARN  com.sun.xml.ws.transport.http.HttpAdapter] Received WS-I BP non-conformant Unquoted SoapAction HTTP header: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
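To catch both symptoms before they escalate to a deadlock, the following is an added example (not VMware's own tooling) that parses constructed sample lines in the two formats quoted above: it flags bursts of LW_ERROR_RPC_OPENPOLICY_FAILED in /var/log/vmware/messages and silent gaps in vmware-identity-sts.log. The window, threshold and max_gap values are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the formats shown above; not real log data.
MESSAGES_LOG = """\
2020-11-13T01:54:22.917228+00:00 lsassd[1421]: 0x7f3956495700:[AD_NetLookupObjectSidByName() ../lsass/server/auth-providers/ad-open-provider/adnetapi.c:414] Failed to find user, group, or domain by name (name = 'user1@EXAMPLE.COM', searched host = 'DC.example.com') -> error = 40098, symbol = LW_ERROR_RPC_OPENPOLICY_FAILED
2020-11-13T01:54:40.000000+00:00 lsassd[1421]: 0x7f3956495700:[AD_NetLookupObjectSidByName() ../lsass/server/auth-providers/ad-open-provider/adnetapi.c:414] Failed to find user, group, or domain by name (name = 'user2@EXAMPLE.COM', searched host = 'DC.example.com') -> error = 40098, symbol = LW_ERROR_RPC_OPENPOLICY_FAILED
2020-11-13T01:54:55.000000+00:00 lsassd[1421]: 0x7f3956495700:[AD_NetLookupObjectSidByName() ../lsass/server/auth-providers/ad-open-provider/adnetapi.c:414] Failed to find user, group, or domain by name (name = 'user3@EXAMPLE.COM', searched host = 'DC.example.com') -> error = 40098, symbol = LW_ERROR_RPC_OPENPOLICY_FAILED
2020-11-13T02:10:01.000000+00:00 lsassd[1421]: 0x7f3956495700: some unrelated lsassd message
"""

STS_LOG = """\
[2020-10-25T11:10:02.001Z tomcat-http--150 vsphere.local 0000 INFO com.vmware.identity.sts.ws.handlers.SOAPHeadersExtractor] Found 1 Security headers
[2020-10-25T11:11:47.564Z tomcat-http--151 vsphere.local 0000 INFO com.vmware.identity.sts.ws.handlers.SOAPHeadersExtractor] Found 1 Security headers
[2020-10-25T12:09:13.074Z tomcat-http--14 WARN  com.sun.xml.ws.transport.http.HttpAdapter] Received WS-I BP non-conformant Unquoted SoapAction HTTP header
"""

# Timestamp of an lsassd line that ends in the open-policy failure symbol.
MSG_TS = re.compile(r"^(\S+) lsassd\[\d+\]:.*symbol = LW_ERROR_RPC_OPENPOLICY_FAILED$")
# Leading "[<ISO timestamp>Z" of a vmware-identity-sts.log line.
STS_TS = re.compile(r"^\[(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z ")


def openpolicy_failure_bursts(text, window=timedelta(minutes=1), threshold=3):
    """Return (window_start, count) for every failure that starts a window
    containing at least `threshold` LW_ERROR_RPC_OPENPOLICY_FAILED lines."""
    times = [datetime.fromisoformat(m.group(1))
             for m in map(MSG_TS.match, text.splitlines()) if m]
    bursts = []
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start < window)
        if count >= threshold:
            bursts.append((start, count))
    return bursts


def sts_logging_gaps(text, max_gap=timedelta(minutes=5)):
    """Return (last_seen, next_seen, gap) wherever vmware-identity-sts.log is
    silent for longer than `max_gap`, the sign that stsd has stalled."""
    stamps = [datetime.fromisoformat(m.group(1))
              for m in map(STS_TS.match, text.splitlines()) if m]
    return [(a, b, b - a) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]
```

A gap that is never closed by a later line (the log simply ends) is the deadlock case; compare the last timestamp against the current time when running this against a live appliance.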


Environment

VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.7.x

Cause

The DCE/RPC code in likewise received a major update from 6.7 GA onward. The update resulted in lsass endpoints being corrupted during a string copy operation. Endpoints are used when sending SMB2 CREATE request operations to domain controllers. The SMB2 CREATE request opens the named pipe that is then used to perform the lsa_LookupNames2 and lsa_OpenPolicy2 requests that take place during user logins. When the corrupted endpoint (\\pipe\\lsassc) is used, the domain controller returns an NTSTATUS of "STATUS_OBJECT_NAME_NOT_FOUND". This results in LW_ERROR_RPC_OPENPOLICY_FAILED failures in /var/log/vmware/messages. A single open policy failure will not cause a login to fail. In larger environments, too many backed-up lsa_LookupNames2 and lsa_OpenPolicy2 requests using the corrupted endpoint can cause likewise to intermittently hang (1-5 minutes) or deadlock until reboot.

Resolution

This issue is resolved in VMware vSphere vCenter Server 7.0 U2. To download, go to the Customer Connect Patch Downloads page.

This issue is resolved in VMware vSphere vCenter Server 6.7 U3m. To download, go to the Customer Connect Patch Downloads page.

Workaround:
Switch all identity sources to AD over LDAPS.  This avoids using likewise for AD authentication.