Login failures, Intermittent Provisioning or Day2 Action failure Issues when accessing or using Aria Automation and Orchestrator

Article ID: 401334

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Root CA certificate has been updated on Domain Controllers in the environment.
  • Intermittent errors occur in workflows or REST calls in Aria Automation or Aria Automation Orchestrator after the Root CA certificate has been updated.
  • Intermittently, API calls to get the token from Aria Automation fail with errors similar to this:
    "CLIENT_ERROR","status":"400 BAD_REQUEST","error":"Bad Request","serverMessage":"REST error received: {\n \"error\": \"invalid_grant\",\n \"error_description\": \"Invalid username or password\"\n}, status code: 400 BAD_REQUEST"}"
        Note: These are the same messages described in the KB "Unable to get refresh token to make API calls in Aria Automation", but in this case the calls work some of the time.
  • The AD Directory in vIDM has been configured to use a VIP with multiple Domain Controllers behind it.
  • Testing the connection of the Bind account may intermittently fail with this error:
    "Problem connecting to directory: Host {0}, Reason - {1}"
  • Users trying to log in to Aria Automation Orchestrator may intermittently receive the following error:
    ${backToLoginLabel}

Environment

Aria Automation (vRA) 8.x
Aria Automation Orchestrator 8.x

Cause

The Root CA certificate has not been replaced on all available Domain Controllers behind the VIP configured for the Directory.

Note: It is not a supported configuration to have different Root CA certificates on Domain Controllers behind a single VIP in the Directory Connection.

 

Resolution

Replace the Root CA certificate on the remaining Domain Controllers that the VIP points to, and configure the new Root CA certificate in the Directory in vIDM as per the documentation: Configuring Active Directory Connection

Workaround:

  1. To work around the issue, point the Directory Connection to a single working server instead of the VIP address for the domain, using the directions here: Configuring Active Directory Connection
  2. Enter the FQDN of each individual Domain Controller behind the VIP and click "Test Connection" to see which ones are working.
  3. Click Save once the connection succeeds.
  4. After all Domain Controllers have the same Root CA certificate, the Directory Connection can be updated to use the VIP again.
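
To see which Domain Controllers behind the VIP still present a certificate that does not chain to the new Root CA, each one can also be probed directly. The script below is an added example, not part of the original KB or any VMware tooling; it assumes the directory uses LDAPS on port 636 and that the new Root CA is available as a PEM file, and the host names and file name are placeholders.

```python
import socket
import ssl
import sys


def probe_ldaps(host, ca_file, port=636, timeout=5.0):
    """Handshake with one DC, trusting ONLY the Root CA in ca_file.

    Returns 'trusted', 'untrusted' (chain or host name does not verify
    against the new Root CA) or 'unreachable' (no TCP/TLS session at all).
    Port 636 is an assumption; adjust it to the directory's configuration.
    """
    # With cafile set, the system trust store is not loaded.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except OSError:  # also covers other ssl.SSLError cases and timeouts
        return "unreachable"


def survey(hosts, ca_file, probe=probe_ldaps):
    """Group DC FQDNs by probe result so the mismatched ones stand out."""
    groups = {"trusted": [], "untrusted": [], "unreachable": []}
    for host in hosts:
        groups[probe(host, ca_file)].append(host)
    return groups


def vip_is_consistent(groups):
    """True only when every DC behind the VIP validates against the Root CA."""
    return not groups["untrusted"] and not groups["unreachable"]


if __name__ == "__main__":
    # Usage: script.py new-root-ca.pem dc01.example.test dc02.example.test ...
    if len(sys.argv) < 3:
        sys.exit("usage: script.py ROOT_CA_PEM DC_FQDN [DC_FQDN ...]")
    result = survey(sys.argv[2:], sys.argv[1])
    for status, members in result.items():
        print(f"{status:12} {', '.join(members) or '-'}")
    # Non-zero exit while any DC still fails, so the VIP stays out of use.
    sys.exit(0 if vip_is_consistent(result) else 1)
```

Any host reported as untrusted is a candidate for the Root CA replacement described in the Resolution; the VIP is safe to use again only when every host is reported as trusted.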