Error "Failed to fetch certificate from Microsoft CA with Invalid request found" while configuring Microsoft CA in SDDC Manager

Article ID: 380757

Products

VMware vCenter Server, VMware Cloud Foundation

Issue/Introduction

The account entered under "user name" should be an AD account with Domain Users membership. The error message below is returned when a local account is used.

/var/log/vmware/vcf/operationsmanager/operationsmanager.log:

<P ID=locPageTitle> <B> Error </B>
<!-- Green HR --><Table Border=0 CellSpacing=0 CellPadding=0 Width=100%><TR><TD BgColor=#008080><Img Src="certspc.gif" Alt="" Height=2 Width=1></TD></TR></Table>
<P ID=locReqFailed> Your request failed. An error occurred while the server was processing your request.
</P>
:
:
<DT ID=locComInfoLabel><Font Size=-1><B>COM Error Info:</B></Font></DT><DD>
CCertRequest::Submit: No mapping between account names and security IDs was done. 0x80070534 (WIN32: 1332 ERROR_NONE_MAPPED)
:
:
YYYY-MM-DDTHH:MM:SS.MSZ ERROR [vcf_om,670ee967896654fa352d25f8735623d5,4056] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl,om-exec-11] Generate certificate operation failed for vcsa.example.com, Failed to fetch certificate from Microsoft CA with Invalid request found..
com.vmware.vcf.certmgmt.common.exception.CertificateManagementException: Failed to fetch certificate from Microsoft CA with Invalid request found..
        at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaService.fetchReqId(MicrosoftCaService.java:218)
        at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaService.generateSignedCertificate(MicrosoftCaService.java:243)
        at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaService.generateAndFetchCertificateChain(MicrosoftCaService.java:112)
        at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaPlugin.getCertificateChain(MicrosoftCaPlugin.java:40)

 

Environment

VMware Cloud Foundation 4.x

VMware Cloud Foundation 5.x

Cause

The user name configured for the Microsoft CA in SDDC Manager is a local account. Per "Assign Certificate Management Privileges to the SDDC Manager Service Account", the user account should be an Active Directory account with Domain Users membership.

Resolution

Create a user account in Active Directory with Domain Users membership.
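
To confirm from the log that a failure matches this cause, the following added example (not part of the original article and not VMware tooling) pairs each "Failed to fetch certificate from Microsoft CA" error with the COM error the CA returned just before it. The function name, field names and sample log text are constructed for illustration; the sample mirrors the excerpt above.

```python
import re

# COM error line embedded in the Microsoft CA web enrollment error page
COM_ERR = re.compile(
    r"CCertRequest::Submit:\s*(?P<msg>.*?)\s+(?P<hresult>0x[0-9A-Fa-f]{8})"
    r"\s+\(WIN32:\s*(?P<win32>\d+)\s+(?P<name>\w+)\)")
# SDDC Manager failure line naming the affected node
FAIL = re.compile(
    r"Generate certificate operation failed for (?P<host>[^,\s]+), "
    r"Failed to fetch certificate from Microsoft CA")

def triage(log_text):
    """Pair each Microsoft CA fetch failure with the COM error logged before it."""
    findings, last_com = [], None
    for line in log_text.splitlines():
        m = COM_ERR.search(line)
        if m:
            last_com = m.groupdict()
            continue
        m = FAIL.search(line)
        if m:
            com = last_com or {}
            findings.append({
                "host": m.group("host"),
                "hresult": com.get("hresult"),
                "win32_name": com.get("name"),
                # 0x80070534 (ERROR_NONE_MAPPED): the CA could not map the
                # account name to a SID, the signature this article describes
                "account_not_mapped": (com.get("hresult") or "").lower() == "0x80070534",
            })
            last_com = None  # do not attribute this COM error to a later failure
    return findings

# Constructed sample: the first failure follows the COM error, the second does not
SAMPLE = """\
<DT ID=locComInfoLabel><Font Size=-1><B>COM Error Info:</B></Font></DT><DD>
CCertRequest::Submit: No mapping between account names and security IDs was done. 0x80070534 (WIN32: 1332 ERROR_NONE_MAPPED)
2024-01-01T00:00:00.000Z ERROR [vcf_om] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl,om-exec-11] Generate certificate operation failed for vcsa.example.com, Failed to fetch certificate from Microsoft CA with Invalid request found..
2024-01-01T00:05:00.000Z ERROR [vcf_om] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl,om-exec-12] Generate certificate operation failed for nsx.example.com, Failed to fetch certificate from Microsoft CA with Invalid request found..
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A failure reported with `account_not_mapped` set to false has the same top-level error text but a different underlying CA response, so the resolution above may not apply to it.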

Additional Information