Error "Certificate Generation has failed." received when trying to generate signed certificates with Microsoft CA configured in SDDC Manager
Article ID: 386144

Products

VMware SDDC Manager

Issue/Introduction

  1. Creating the CSR succeeds without any issue.
  2. However, when trying to generate the new certificate, the operation errors out with "Certificate Generation has failed."
  3. Logging into the Microsoft CA server with the credentials used for the CA configuration in SDDC Manager succeeds.
  4. However, examining /var/log/vmware/vcf/operationsmanager/operationsmanager.log reveals an issue with the credentials of the AD user used to authenticate to the CA:

2025-01-15T06:26:48.852+0000 ERROR [vcf_om,678755286d03f8a05331ad3fb59cac0d,e79f] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl,om-exec-27] Generate certificate operation failed for sitmgmt01nsx01a.mgmt.internal, java.lang.IllegalStateException: AuthScheme is null
com.vmware.vcf.certmgmt.common.exception.CertificateManagementException: java.lang.IllegalStateException: AuthScheme is null
        at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaService.generateSignedCertificate(MicrosoftCaService.java:269)
        at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaService.generateAndFetchCertificateChain(MicrosoftCaService.java:112)
        at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaPlugin.getCertificateChain(MicrosoftCaPlugin.java:40)
        at com.vmware.vcf.certmgmt.service.orch.impl.CertificateOperationOrchestratorImpl.generateCertificate(CertificateOpe


Note the 'AuthScheme is null' error; this is a string received from the AD.

This suggests that the user credentials do not meet the requirements for authentication.

Environment

VMware Cloud Foundation 5.2

Cause

This issue can happen for various reasons.

  1. The account is locked on the AD side.
  2. Windows Authentication is enabled. Authentication should be Basic only, with an AuthScheme (realm) set:

         e.g. Server: Microsoft-IIS/10.0
         Www-Authenticate: Basic realm="<server_FQDN>"

  3. Note also that certain special characters (*, $ and @) in the user password can cause issues with AD accounts.
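To check cause 2 before retrying the operation, the WWW-Authenticate challenge that the CA's IIS front end returns can be inspected from the SDDC Manager appliance. The script below is an added example, not part of this article or of SDDC Manager; it assumes the standard Microsoft CA web enrollment path /certsrv/ and classifies the challenge as Basic-with-realm (what SDDC Manager expects), Basic-without-realm, Windows Authentication (Negotiate/NTLM) or none. The sample responses embedded in it are constructed, not captured from a real CA.

```shell
#!/bin/sh
# Classify the WWW-Authenticate challenge(s) in a block of HTTP response
# headers read from stdin. Prints exactly one of:
#   basic-with-realm  Basic auth with realm set (the configuration the KB expects)
#   basic-no-realm    Basic auth but no realm in the challenge
#   windows-auth      Negotiate/NTLM offered (Windows Authentication enabled)
#   none              no WWW-Authenticate header at all
classify_auth_scheme() {
  # Drop CRs, keep only WWW-Authenticate lines (header names are case-insensitive).
  challenges=$(tr -d '\r' | grep -i '^WWW-Authenticate:' || true)
  if printf '%s\n' "$challenges" | grep -qiE '^WWW-Authenticate: *(Negotiate|NTLM)'; then
    # Any Negotiate/NTLM challenge means Windows Authentication is enabled,
    # even if a Basic challenge is offered alongside it.
    echo windows-auth
  elif printf '%s\n' "$challenges" | grep -qiE '^WWW-Authenticate: *Basic +realm='; then
    echo basic-with-realm
  elif printf '%s\n' "$challenges" | grep -qiE '^WWW-Authenticate: *Basic'; then
    echo basic-no-realm
  else
    echo none
  fi
}

# Probe a live CA: probe_ca_auth https://<ca_FQDN>
# Assumes the web enrollment site lives at /certsrv/ (the Microsoft default).
# Add --insecure to curl only if the CA's TLS certificate is not yet trusted here.
probe_ca_auth() {
  curl -sS -I --max-time 10 "${1%/}/certsrv/" | classify_auth_scheme
}

# Constructed sample responses (not real captures) showing both outcomes.
SAMPLE_BASIC_REALM='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Basic realm="ca01.example.internal"
'
SAMPLE_WINDOWS_AUTH='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
'
printf '%s' "$SAMPLE_BASIC_REALM" | classify_auth_scheme   # basic-with-realm
printf '%s' "$SAMPLE_WINDOWS_AUTH" | classify_auth_scheme  # windows-auth
```

Anything other than basic-with-realm from probe_ca_auth points at the IIS authentication settings on the CA rather than at the account itself.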


Resolution

  1. Ensure that the user account meets all AD authentication requirements.
  2. Ensure that the user account meets all VCF by Broadcom requirements.
  3. Please see Assign Certificate Management Privileges to the SDDC Manager Service Account for details on the least-privilege model recommended by VCF.