AD/LDAP credentials do not always work in Aria Operations and the integration must be revalidated or refreshed to import the certificate

Article ID: 381102

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Logging into Aria Operations using AD/LDAP account fails intermittently.
  • Using the nslookup command against the FQDN used in the AD integration, multiple IP addresses are returned.
  • Testing the AD integration and accepting/saving the certificate presented allows logins to work for a limited time.
    • After some time the system loses the certificate trust with the Domain Controller (DC) and LDAP login stops working again.
  • The UI shows the following error message: "Login server is unreachable"
  • Analytics logs (/storage/vcops/log/analytics-*.log) show: javax.net.ssl.SSLHandshakeException: PKIX path building failed... unable to find valid certification path to requested target.

Environment

Aria Operations 8.x

Cause

The issue is caused by an incomplete SSL certificate chain. Aria Operations fails to build a valid trust path because the Root or Intermediate (Sub-Root) CA certificates are missing from its internal trusted certificate store.

Resolution

If the FQDN used in the Aria Operations Active Directory integration resolves to multiple IP addresses, the certificates presented by each Domain Controller must be imported into Aria Operations manually.

Or if this is not possible, then the Aria Operations Active Directory integration must be configured to contact a single Domain Controller instead.
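To see which chain each Domain Controller behind the FQDN actually presents, and so which Root or Sub-Root CA is missing from the trust store, here is an added shell example (not part of this article): it assumes nslookup and openssl are installed, LDAPS on port 636, and a CA_BUNDLE path holding the certificates already trusted.

```shell
#!/bin/sh
# Added example: enumerate every address behind the AD FQDN and report the
# certificate chain each Domain Controller presents on LDAPS.
# Assumptions: nslookup and openssl available; LDAPS on 636; CA_BUNDLE is
# the set of certificates currently trusted (adjust the path as needed).
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
LDAPS_PORT=636

# Extract the answer addresses from `nslookup <fqdn>` output read on stdin,
# skipping the resolver's own Server:/Address: header block.
nslookup_addresses() {
    awk '/^Server:/ {skip=1}
         /^Name:/   {skip=0; next}
         !skip && /^Address:/ {print $2}'
}

# Reduce `openssl s_client -showcerts` output (stdin) to the chain's
# subject (s:) and issuer (i:) lines plus the final verification result.
chain_summary() {
    awk '/^ *[0-9]+ s:/ {sub(/^ */, ""); print; next}
         /^ *i:/        {sub(/^ */, ""); print; next}
         /^Verify return code:/ {print}'
}

# Connect to one DC by IP (SNI set to the FQDN) and summarise its chain.
dc_chain() {   # usage: dc_chain <ip> <fqdn>
    ip=$1; fqdn=$2
    printf 'Q\n' | openssl s_client -connect "$ip:$LDAPS_PORT" \
        -servername "$fqdn" -showcerts -CAfile "$CA_BUNDLE" 2>/dev/null \
        | chain_summary
}

# Walk every address behind the FQDN. A non-zero verify code on any one DC
# is the trust gap that makes LDAP logins fail only part of the time.
check_all_dcs() {   # usage: check_all_dcs <fqdn>
    fqdn=$1
    nslookup "$fqdn" | nslookup_addresses | while read -r ip; do
        echo "== $ip"
        dc_chain "$ip" "$fqdn"
    done
}

if [ -n "${1:-}" ]; then check_all_dcs "$1"; fi
```

Run it as `sh check_dcs.sh dc.corp.example.com`; every issuer that appears in an `i:` line of a DC whose chain does not verify is a CA certificate to import under Trusted Certificates.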

Additionally, the following steps can also be followed to address the issue:


  1. Obtain the Root and Sub-Root (Intermediate) CA certificates for your Active Directory environment.

  2. Log in to VMware Aria Operations.

  3. Navigate to Administration > Control Panel > Trusted Certificates.

  4. Click Import and upload the Root CA certificate. Repeat for any Sub-Root certificates.

  5. Navigate to Administration > Authentication Sources.

  6. Edit the AD integration. Ensure the Host FQDN field uses the correct FQDN.

  7. Click Test Connection. Accept any newly prompted leaf certificates and Save the configuration. Test the connection multiple times to accept all the leaf certificates if there are multiple Domain Controllers.