Unable to register VMRS appliance to vCenter Server. "Error - A general system error occurred. Failed to register VRMS"


Article ID: 386948

Products

VMware Site Recovery Manager 8.x
VMware vCenter Server

Issue/Introduction

  • When attempting to register a VMRS appliance to vCenter Server the following error is seen on the GUI:

"Error - A general system error occurred. Failed to register VRMS"


  • On the VMRS appliance /var/log/vmware/srm/drconfig.log similar entries to the following are seen:
    YYYY-MM-DDTHH:MM:SS.SSSZ info drconfig[03411] [SRM@6876 sub=ConfigureVrmsOp opID=########-59fb-####-839a-############-configure:84a6] Exiting ConfigureVrms
    YYYY-MM-DDTHH:MM:SS.SSSZ verbose drconfig[03411] [SRM@6876 sub=vmomi.soapStub[18] opID=########-59fb-####-839a-############-configure:84a6] Resetting stub adapter; <[N7Vmacore4Http3Ext15DrUserAgentImplE:0x00007feb400401b8], /lookupservice/sdk>, (null)
    YYYY-MM-DDTHH:MM:SS.SSSZ error drconfig[03411] [SRM@6876 sub=ConfigureVrmsOp opID=########-59fb-####-839a-############-configure:84a6] Operation failed
    --> (vmodl.fault.SystemError) {
    -->    faultCause = (vmodl.MethodFault) null, 
    -->    faultMessage = <unset>, 
    -->    reason = "Failed to register VRMS."
    -->    msg = ""
  • On the vCenter Server SSOAdminserver.log (/var/log/VMware/sso/) where the VRMS appliance is being registered similar entries to the following are seen:
    YYYY-MM-DDTHH:MM:SS.SSSZ INFO ssoAdminServer[105:pool-2-thread-11] [OpId=########-4335-####-b7a3-############] [com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Find direct parent groupd for principal {Name: com.vmware.vr-########-aa67-####-b348-############, Domain: vsphere.local}
    YYYY-MM-DDTHH:MM:SS.SSSZ ERROR ssoAdminServer[105:pool-2-thread-11] [OpId=########-4335-####-b7a3-############] 
    [com.vmware.identity.idm.server.IdentityManager] Failed to find registered external IDP user [com.vmware.vr-########-aa67-####-b348-############@vsphere.local] in tenant [vsphere.local]
    YYYY-MM-DDTHH:MM:SS.SSSZ ERROR ssoAdminServer[105:pool-2-thread-11] [OpId=########-4335-####-b7a3-############] 
    [com.vmware.identity.idm.server.IdentityManager] Failed to find direct parent groups of principal [com.vmware.vr-7########-aa67-####-b348-############@vsphere.local] in tenant [vsphere.local]
    YYYY-MM-DDTHH:MM:SS.SSSZ ERROR ssoAdminServer[105:pool-2-thread-11] [OpId=########-4335-####-b7a3-############] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.interop.ldap.NoSuchObjectLdapException: No such object\nLDAP error [code: 32]' com.vmware.identity.interop.ldap.NoSuchObjectLdapException: No such object 
    
    
    YYYY-MM-DDTHH:MM:SS.SSSZ DEBUG ssoAdminServer[104:pool-2-thread-10] [OpId=########-4335-####-b7a3-############] [com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider] findNestedParentGroups filter=(&(|(userPrincipalName=com.vmware.vr-########-aa67-####-b348-############@VSPHERE.LOCAL)(sAMAccountName=com.vmware.vr-########-aa67-####-b348-############))(objectClass=user)) pid=com.vmware.vr-########-aa67-####-b348-############
    YYYY-MM-DDTHH:MM:SS.SSSZ TRACE ssoAdminServer[104:pool-2-thread-10] [OpId=########-4335-####-b7a3-############] [com.vmware.identity.idm.server.provider.LdapConnectionPool] return connection - number of connections 0 with identity PooledLdapConnectionIdentity [tenantName=vsphere.local, [email protected], authType=SRP, useGCPort=false, connectionString=ldap://EXAMPLE_LDAP_URL:389]
    YYYY-MM-DDTHH:MM:SS.SSSZ TRACE ssoAdminServer[104:pool-2-thread-10] [OpId=########-4335-####-b7a3-############] [com.vmware.identity.idm.server.provider.LdapConnectionPool] borrow connection - number of connections 1 with identity PooledLdapConnectionIdentity [tenantName=vsphere.local, [email protected], authType=SRP, useGCPort=false, connectionString=ldap://EXAMPLE_LDAP_URL:389]
    YYYY-MM-DDTHH:MM:SS.SSSZ DEBUG ssoAdminServer[104:pool-2-thread-10] [OpId=########-4335-####-b7a3-############] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 32
    YYYY-MM-DDTHH:MM:SS.SSSZ DEBUG ssoAdminServer[104:pool-2-thread-10] [OpId=########-4335-####-b7a3-############] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] NoSuchObjectLdapException when calling ldap_search_s: base=cn=ExternalIDPUsers, DC=vsphere,DC=local, scope=0, filter=(objectClass=group), attrs=[cn, member, null], attrsonly=0
    com.vmware.identity.interop.ldap.NoSuchObjectLdapException: No such object

 

Environment

VMware VMRS Appliance
VMware vCenter Server Appliance

Cause

This can happen when there is no entry for "ExternalIDPUsers" in VMDIR. 

ExternalIDPUsers is the well-known external IDP users' group, which registers external IDP users as guests. It is required when registering the VMRS appliance to vCenter Server.

Resolution

Ensure you have a valid backup of the vCenter Server before moving forward. Do not skip this step.

To confirm that you are hitting this issue, first check whether the ExternalIDPUsers group is missing.

You can do this in two ways:

  • Jxplorer
  • ldapsearch command on the vCenter Server

ExternalIDPUsers seen with jxplorer:




Using ldapsearch command

  • Connect to the vCenter Server using SSH.
  • Run the following command to verify that the ExternalIDPUsers group exists:
    # /usr/bin/ldapsearch -LLL -h localhost -p 389 -b "dc=vsphere,dc=local" -s sub -D "cn=administrator,cn=users,dc=vsphere,dc=local" -o ldif-wrap=no -w "SSO_ADMIN_PASSWORD"  > /tmp/ldif.ldif && grep "CN=ExternalIDPUsers" /tmp/ldif.ldif

NOTES: All the ldap commands in this KB assume that the SSO domain name is the default, "dc=vsphere,dc=local"; if yours is not the default, change the ldap commands to reflect your SSO domain name. If the above ldap command returns to the prompt without any output, the ExternalIDPUsers group was not detected. You should still do a manual check in the LDIF file, which is saved as /tmp/ldif.ldif.
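
A stricter form of the grep check above, as an added example that is not part of the original KB: it compares only entry DNs in the saved dump, case-insensitively, and derives the base DN from the SSO domain name. The function names and the sample LDIF are constructed for illustration; base64-encoded DNs (`dn::`) are not decoded.

```shell
#!/bin/sh
# Added example: check a saved ldapsearch dump for the ExternalIDPUsers entry.
# Function names are hypothetical; the sample LDIF below is constructed.

# Convert an SSO domain name (vsphere.local) to its base DN (dc=vsphere,dc=local).
sso_base_dn() {
    printf '%s\n' "$1" | awk -F. '{
        out = ""
        for (i = 1; i <= NF; i++) out = out (i > 1 ? "," : "") "dc=" $i
        print out
    }'
}

# Return 0 if LDIF file $1 holds an entry whose DN is exactly
# CN=ExternalIDPUsers,<base DN of SSO domain $2>. Only "dn:" lines are
# compared (case-insensitively, ignoring spaces around commas), so the name
# appearing in another entry's attributes does not count as a match.
has_external_idp_group() {
    awk -v want="cn=ExternalIDPUsers,$(sso_base_dn "$2")" '
        function norm(s) {
            s = tolower(s); gsub(/[ \t]*,[ \t]*/, ",", s)
            gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s
        }
        function check() { if (cur != "" && norm(cur) == want) found = 1; cur = "" }
        BEGIN { want = norm(want) }
        /^ / { if (cur != "") cur = cur substr($0, 2); next }  # folded LDIF line
        { check() }
        /^[dD][nN]: / { cur = substr($0, 5) }
        END { check(); exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: the group entry is absent, but its name appears in a
# description attribute of another entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn=Users,dc=vsphere,dc=local
cn: Users

dn: cn=SomeOtherGroup,dc=vsphere,dc=local
description: refers to CN=ExternalIDPUsers but is a different entry
EOF
if has_external_idp_group "$sample" vsphere.local; then
    echo "ExternalIDPUsers entry present"
else
    echo "ExternalIDPUsers entry missing"
fi
rm -f "$sample"
```

On the vCenter Server, run `has_external_idp_group /tmp/ldif.ldif vsphere.local` against the dump produced by the ldapsearch command, then delete /tmp/ldif.ldif, since it is a full dump of the SSO directory.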

 

If the check confirms that the ExternalIDPUsers group is missing, you have two options to recreate it:

  • Jxplorer
  • ldapmodify command on the vCenter Server

 

 

Adding ExternalIDPUsers with jxplorer:

  • Create a text file on the desktop where you have jxplorer installed and copy/paste the following into it and save it as a .ldif:
    version: 1
    dn: CN=ExternalIDPUsers,dc=vsphere,dc=local
    objectClass: group
    objectClass: top
    cn: ExternalIDPUsers
    description: Well-known external IDP users' group, which registers external IDP users as guests.
    groupType: 2
    name: ExternalIDPUsers
    sAMAccountName: ExternalIDPUsers

NOTE: Change dc=vsphere,dc=local to your SSO domain name if it is not the default.

  • Save this file and connect to the vCenter Server with jxplorer.
  • Select the "ldif" tab in jxplorer, select "import file", navigate to the .ldif file created in the previous step, and import it.






Adding ExternalIDPUsers with ldapmodify:

  • SSH to the vCenter Server and create a file /tmp/addldif and copy/paste the following into it:
    version: 1
    dn: CN=ExternalIDPUsers,dc=vsphere,dc=local
    objectClass: group
    objectClass: top
    cn: ExternalIDPUsers
    description: Well-known external IDP users' group, which registers external IDP users as guests.
    groupType: 2
    name: ExternalIDPUsers
    sAMAccountName: ExternalIDPUsers

NOTE: Change dc=vsphere,dc=local to your SSO domain name if it is not the default. This note is not part of the file contents.

 

  • Run the following command to add the missing ExternalIDPUsers group:
    # /opt/likewise/bin/ldapmodify -a -x -h localhost -p 389 -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w "SSO_ADMIN_PASSWORD" -f /tmp/addldif

    NOTE: Change dc=vsphere,dc=local to your SSO domain name if it is not the default.

 

  • If the ldapmodify command was successful the following is printed to screen:
    adding new entry "CN=ExternalIDPUsers,dc=vsphere,dc=local"