Enabling Trust for a Compute manager in NSX fails with error as "Compute manager value: vCenter_FQDN” is not enabled for auth server. (Error code:90001)"
Article ID: 375169
Updated On:
Products
Issue/Introduction
- When enabling trust for a compute manager, you encounter the following message.
- In the NSX-T manager you see similar entries.
[var/log/cm-inventory/cm-inventory.log]
2024-11-08T02:13:39.833Z WARN http-nio-127.0.0.1-7443-exec-424 VcPlugin 11904 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="0f317bfc-####-####-####-2b22ff3ce5f9" subcomp="cm-inventory" username="admin"] No com.vmware.cis.cs.identity.openidconnect endpoint found for VC "vCenter_FQDN"
2024-11-08T02:13:39.833Z ERROR http-nio-127.0.0.1-7443-exec-33611 ComputeManagerServiceImpl 4626 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP90001" level="ERROR" reqId="302116d7-####-####-####-7a60f4716266" subcomp="cm-inventory" username="admin"] Compute manager value: "vCenter_FQDN" is not enabled for auth server
[var/log/syslog]
2024-11-08T02:13:39.833Z #####nsxt#### NSX 4626 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="302116d7-####-####-####-7a60f4716266" subcomp="cm-inventory" username="admin"] No com.vmware.cis.cs.identity.openidconnect endpoint found for VC "vCenter-FQDN"
2024-11-08T02:13:39.833Z #####nsxt#### NSX 4626 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP90001" level="ERROR" reqId="302116d7-####-####-####-7a60f4716266" subcomp="cm-inventory" username="admin"] Compute manager value: "vCenter-FQDN"#012 is not enabled for auth server
Environment
VMware NSX
VMware NSX-T Data Center
Cause
The 'cs.identity' service registration has been removed from the vCenter Lookup Service, which is required by NSX to establish trust.
The error can also occur if the cis.identity does exist, but there is a trust mismatch in vCenter for the cis.identity.
Resolution
Workaround to the issue:
Perform below steps on the vCenter Appliance to resolve this issue :
On the affected vCenter where we are enabling trust.
- We need to create a variable to determine the NODE ID of the affected vCenter
NODE=$(cat /etc/vmware/install-defaults/vmdir.ldu-guid | cut -f1) - Need to check to see if the cs.identity is missing :
/usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk --node $NODE --type cs.identity --no-check-cert --ep-type com.vmware.cis.cs.identity.idpprovisioning 2>/dev/null | grep "Service Type: cs.identity"
Please see below for an example where we have the “Service Type: cs.identity”
If missing, the output will appear as blank.:
Below we can see the cs.identity returned :/usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk --node $NODE --type cs.identity --no-check-cert --ep-type com.vmware.cis.cs.identity.idpprovisioning 2>/dev/null | grep "Service Type: cs.identity"
/usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk --node $NODE --type cs.identity --no-check-cert --ep-type com.vmware.cis.cs.identity.idpprovisioning 2>/dev/null | grep "Service Type: cs.identity"cs.identity - If the cs.identity is missing or if the cis.identity is present, but are still getting the error "Compute manager value: "vCenter-FQDN"#012 is not enabled for auth server" the lsdoctor tool can be used to rebuild service registrations please refer Using the 'lsdoctor' Tool
- If you have any issue with the above commands, please open a support ticket with the VMware vCenter team.
Feedback
