When enabling Trust for a Compute manager in NSX the following ERROR is generated 'Compute manager value: "vCenter_FQDN" is not enabled for auth server. (Error code:90001)'

Article ID: 375169

Updated On:

Products

VMware NSX VMware NSX-T Data Center

Issue/Introduction

  • When enabling trust for a compute manager, you encounter the following message.

  • In the NSX-T Manager logs you see entries similar to the following.
[var/log/cm-inventory/cm-inventory.log]

2024-11-08T02:13:39.833Z  WARN http-nio-127.0.0.1-7443-exec-424 VcPlugin 11904 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="0f317bfc-####-####-####-2b22ff3ce5f9" subcomp="cm-inventory" username="admin"] No com.vmware.cis.cs.identity.openidconnect endpoint found for VC "vCenter_FQDN"
2024-11-08T02:13:39.833Z ERROR http-nio-127.0.0.1-7443-exec-33611 ComputeManagerServiceImpl 4626 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP90001" level="ERROR" reqId="302116d7-####-####-####-7a60f4716266" subcomp="cm-inventory" username="admin"] Compute manager value: "vCenter_FQDN"  is not enabled for auth server

[var/log/syslog]

2024-11-08T02:13:39.833Z #####nsxt#### NSX 4626 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="302116d7-####-####-####-7a60f4716266" subcomp="cm-inventory" username="admin"] No com.vmware.cis.cs.identity.openidconnect endpoint found for VC "vCenter-FQDN"
2024-11-08T02:13:39.833Z #####nsxt#### NSX 4626 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP90001" level="ERROR" reqId="302116d7-####-####-####-7a60f4716266" subcomp="cm-inventory" username="admin"] Compute manager value: "vCenter-FQDN"#012 is not enabled for auth server

 

Environment

VMware NSX

VMware NSX-T Data Center

Cause

The 'cs.identity' service registration, which NSX requires to establish trust, has been removed from the vCenter Lookup Service.

Resolution

Workaround:

Perform the steps below on the affected vCenter Server Appliance, that is, the vCenter for which trust is being enabled:

  1. Create a variable holding the node ID of the affected vCenter:

    NODE=$(cat /etc/vmware/install-defaults/vmdir.ldu-guid | cut -f1)

  2. Check whether the cs.identity service registration is missing:

    /usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk --node $NODE --type cs.identity --no-check-cert --ep-type com.vmware.cis.cs.identity.idpprovisioning 2>/dev/null | grep "Service Type: cs.identity"

    If the registration is missing, the output is blank:

    /usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk --node $NODE --type cs.identity --no-check-cert --ep-type com.vmware.cis.cs.identity.idpprovisioning 2>/dev/null | grep "Service Type: cs.identity"

    If the registration is present, cs.identity is returned, as in the example below:

    /usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk --node $NODE --type cs.identity --no-check-cert --ep-type com.vmware.cis.cs.identity.idpprovisioning 2>/dev/null | grep "Service Type: cs.identity"

    cs.identity

  3. If cs.identity is missing, the lsdoctor tool can be used to rebuild the service registrations. Refer to Using the 'lsdoctor' Tool.

  4. If you have any issue with the above commands, please open a support ticket with the VMware vCenter team.
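
Steps 1 and 2 can be wrapped in a function that separates "registration missing" from "check failed", since the one-liner in step 2 discards stderr and prints nothing in both cases. This is an added example, not part of the original article; the LSTOOL and GUID_FILE overrides and the exit-code convention are assumptions, and it assumes lstool.py exits non-zero when it cannot query the Lookup Service.

```shell
#!/bin/bash
# Added example: wraps steps 1-2 of this article. Paths, URL and lstool.py flags
# are the ones shown in the steps; LSTOOL / GUID_FILE overrides are assumptions
# added so the function can be pointed at a different location.
LSTOOL="${LSTOOL:-/usr/lib/vmware-lookupsvc/tools/lstool.py}"
GUID_FILE="${GUID_FILE:-/etc/vmware/install-defaults/vmdir.ldu-guid}"
LS_URL="http://localhost:7090/lookupservice/sdk"

# Exit status (convention chosen for this example):
#   0 = cs.identity registration present
#   1 = cs.identity registration missing (proceed to step 3)
#   2 = check could not be completed; result is inconclusive
check_cs_identity() {
    local node out
    if [ ! -r "$GUID_FILE" ]; then
        echo "cannot read $GUID_FILE" >&2
        return 2
    fi
    node=$(cut -f1 "$GUID_FILE")
    if [ -z "$node" ]; then
        echo "node ID read from $GUID_FILE is empty" >&2
        return 2
    fi
    # Capture lstool's own exit status instead of piping straight into grep:
    # with stderr discarded, a failed run and a missing registration both
    # produce blank output.
    if ! out=$("$LSTOOL" list --url "$LS_URL" --node "$node" \
            --type cs.identity --no-check-cert \
            --ep-type com.vmware.cis.cs.identity.idpprovisioning 2>/dev/null); then
        echo "lstool exited non-zero; result is inconclusive" >&2
        return 2
    fi
    if printf '%s\n' "$out" | grep -q "Service Type: cs.identity"; then
        echo "cs.identity registered for node $node"
        return 0
    fi
    echo "cs.identity NOT registered for node $node"
    return 1
}
```

Source the file on the vCenter appliance and run `check_cs_identity`; only an exit status of 1 indicates the condition described under Cause.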