Fix legacy SYSTEM-DOMAIN artifacts in vCenter Servers upgraded from vCenter Server 5.1+

Article ID: 408176

Updated On:

Products

VMware vCenter Server

Issue/Introduction

When accessing an environment, both SYSTEM-DOMAIN and vsphere.local are present.

Environment

VMware vCenter Server 7.0
VMware vCenter Server 8.0
VMware vCenter Server 9.0

Cause

This is due to a SYSTEM-DOMAIN default identity source that was not removed during the migration from 5.1 to 5.5 and above.

Resolution

  1. Take a powered-off snapshot of the vCenter appliance before performing the activity (if the vCenter Server is in linked mode, take a powered-off snapshot of all the linked vCenter Servers).
  2. Download the attached script (update_system_domain.py).
  3. Upload the attached script to the vCenter Server Appliance, or copy its contents to a text file on the appliance using vi.
    Note: WinSCP can be used to upload the script to the VCSA. For additional information, see How to upload or download files to or from vCenter and ESXi hosts.
    From the same directory as the script, run the following command to check for the legacy references. When prompted, provide the password for administrator@<sso domain> (e.g. administrator@vsphere.local):
    root@<vcenter_name> [ ~ ]# python update_system_domain.py --dryrun
    
    This tool checks for and removes any references to legacy identity provider references to 'SYSTEM-DOMAIN' left over from vCenter Server 5.1.  This can cause problems with user authentication.  For more information, see below KB: https://knowledge.broadcom.com/external/article/408176
    
    Provide password for administrator@<sso domain here, e.g. vsphere.local>:
    YYYY-MM-DDTHH:MM:SS - INFO - Checking for legacy identity provider references.
    YYYY-MM-DDTHH:MM:SS - WARNING - Found bad identity provider attributes: ['vmwSTSUpnSuffixes', 'vmwSTSAlias']
    YYYY-MM-DDTHH:MM:SS - WARNING - Found SYSTEM-DOMAIN DN!
    YYYY-MM-DDTHH:MM:SS - WARNING - Found the following bad registry keys: ['"SPSystemDomainAlias"', '"SPSystemDomainBackCompat"', '"SPSystemDomainUserAliases"']
    YYYY-MM-DDTHH:MM:SS - WARNING - Problems found!  Please run this tool without the dry-run option to fix them.

     

    If problems are found, run the following command to remove the references. When prompted, enter the password for the Single Sign-On (SSO) administrator (e.g., administrator@vsphere.local):
    root@<vcenter_name> [ ~ ]# python update_system_domain.py
    
    This tool checks for and removes any references to legacy identity provider references to 'SYSTEM-DOMAIN' left over from vCenter Server 5.1.  This can cause problems with user authentication.  For more information, see below KB: https://knowledge.broadcom.com/external/article/408176
    
    Provide password for administrator@<sso domain here, e.g. vsphere.local>:
    
        WARNING!  This script makes permanent changes.
        Please ensure you have a backup or supported snapshot of this vCenter and all other
        vCenters in the ELM group (see https://knowledge.broadcom.com/external/article/313886).
    
        Would you like to continue?[Yy|Nn]: y
    
    YYYY-MM-DDTHH:MM:SS - WARNING - Found bad identity provider attributes: ['vmwSTSUpnSuffixes', 'vmwSTSAlias']
    YYYY-MM-DDTHH:MM:SS - INFO - Deleting bad attr: vmwSTSUpnSuffixes
    YYYY-MM-DDTHH:MM:SS - INFO - Success!
    YYYY-MM-DDTHH:MM:SS - INFO - Deleting bad attr: vmwSTSAlias
    YYYY-MM-DDTHH:MM:SS - INFO - Success!
    YYYY-MM-DDTHH:MM:SS - WARNING - Found SYSTEM-DOMAIN DN!
    YYYY-MM-DDTHH:MM:SS - INFO - Deleting bad SYSTEM-DOMAIN DN
    YYYY-MM-DDTHH:MM:SS - INFO - Success!
    YYYY-MM-DDTHH:MM:SS - WARNING - Found the following bad registry keys: ['"SPSystemDomainAlias"', '"SPSystemDomainBackCompat"', '"SPSystemDomainUserAliases"']
    YYYY-MM-DDTHH:MM:SS - INFO - Deleted "SPSystemDomainAlias"
    YYYY-MM-DDTHH:MM:SS - INFO - Deleted "SPSystemDomainBackCompat"
    YYYY-MM-DDTHH:MM:SS - INFO - Deleted "SPSystemDomainUserAliases"
    YYYY-MM-DDTHH:MM:SS - INFO - Checking for legacy identity provider references.
    YYYY-MM-DDTHH:MM:SS - INFO - No bad identity provider attributes found.
    YYYY-MM-DDTHH:MM:SS - INFO - No SYSTEM-DOMAIN DN found.
    YYYY-MM-DDTHH:MM:SS - INFO - No bad registry keys found.
    YYYY-MM-DDTHH:MM:SS - INFO - No offending entries found.

     

  4. Restart all services:
    service-control --stop --all && service-control --start --all

Additional Information

Attachment details:

filename: update_system_domain.py

SHA256 checksum:  1ed6986268f62783d1553be5e8a82f6aeb122ebcf349831298a765923123e0bc

MD5 checksum: e898378d95af5b6bcf274840103e2ecb
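
The script runs as root on the appliance and is given the SSO administrator password, so the uploaded copy should be compared with the SHA256 value above before the dry run. The following check is an added example, not part of the original article or of update_system_domain.py; the function name verify_sha256 and its return codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare a file against a published SHA256 before running it.
# verify_sha256 and its return codes are illustrative, not part of the KB script.

# SHA256 from the "Attachment details" section of this article.
EXPECTED_SHA256="1ed6986268f62783d1553be5e8a82f6aeb122ebcf349831298a765923123e0bc"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if the input cannot be checked.
verify_sha256() {
    file=$1
    # Accept upper-case hex as published by some tools.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Only a full 64-character hex digest is accepted, so a shorter value
    # (for example the MD5 checksum) cannot be compared by mistake.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not a hex digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not a SHA256 digest" >&2; return 2; }

    # A missing or unreadable file is reported separately from a mismatch.
    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    [ -n "$actual" ] || { echo "sha256sum produced no output" >&2; return 2; }

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage on the appliance, from the directory holding the script:
#   verify_sha256 update_system_domain.py "$EXPECTED_SHA256" \
#       && python update_system_domain.py --dryrun
```

On a mismatch, download the attachment again rather than running the file.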

Attachments

update_system_domain.py