Unable to generate vCenter certificate from SDDC via Microsoft CA because it fails with "Failed to fetch certificate from Microsoft CA with Invalid request found"


Article ID: 424128

Products

VMware SDDC Manager

Issue/Introduction

The SDDC Manager failed to generate a signed certificate from the Microsoft Certificate Authority (CA). Despite Basic Authentication being functional via manual curl validation, the internal CCertRequest::Submit process returned a Win32 error.

In the /var/log/vmware/vcf/operations-manager/operations-manager log on SDDC Manager, the operation fails with a WIN32 ERROR_NOT_SUPPORTED error returned by the CA:

<DT ID=locResultLabel><Font Size =- 1><B>Result :< /B></Font></DT><DD>
The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)

</DD>

<DT ID=locComInfoLabel><Font Size =- 1><B>COM Error Info :< /B></Font></DT><DD>
CCertRequest :: Submit: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)

</DD>

<DT ID=locLastStatLabel><Font Size =- 1><B>LastStatus :< /B></Font></DT><DD>
The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)

YYYY-MM-DDTHH:MM:SS.269+0000 ERROR [vcf_om,69300c36b6d8cc8c86a3d5227e0fb3cf,9e41] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl, om-exec-27] Generate certificate operation failed for ######, Failed to fetch certificate from Microsoft CA with Invalid request found ..
com.vmware.vcf.certmgmt.common.exception.CertificateManagementException: Failed to fetch certificate from Microsoft CA with Invalid request found ..
at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaService.fetchReqId(MicrosoftCaService.java:218)
at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaService.generateSignedCertificate(MicrosoftCaService.java:243)
at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaService.generateAndFetchCertificateChain(MicrosoftCaService.java:112)
at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaPlugin.getCertificateChain(MicrosoftCaPlugin.java:40)
at com.vmware.vcf.certmgmt.service.orch.impl.CertificateOperationOrchestratorImpl.generateCertificate(CertificateOperationOrchestratorImpl.java:1459)
at com.vmware.vcf.certmgmt.service.orch.impl.CertificateOperationOrchestratorImpl.lambda$createCertificateOperationTask$14(CertificateOperationOrchestratorImpl.java:418)
at java.base/java.util.concurrent.CompletableFuture$UniRun.tryFire(CompletableFuture.java:787)
at java.base/java.util.concurrent.CompletableFuture$Completion.run(CompletableFuture.java:482)
at com.vmware.vcf.common.tracing.TraceRunnable.run(TraceRunnable.java:59)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)

YYYY-MM-DDTHH:MM:SS.124+0000 DEBUG [vcf_om,########################,f38e] [c.v.v.c.s.f.i.CertificateOperationsFacadeImpl,http-nio-127.0.0.1-7300-exec-7] DomainCertificateOperation:
{"workflowId":"############","domainName":"########","operationType":"GENERATE_CERTIFICATE","operationStatus":" ***** ","resourceCertificateOperations":[{"resource":{"hostName":"#######","resourceType":"vcenter","master":false},"result":{"status":"FAILED","message":"{\"code\":\"CERTIFICATE_GEN_FAILED\",\"args\":[\" ***** \",\"Failed to fetch certificate from Microsoft CA with Invalid request found .. \"]}"},"creationTimestamp":##########,"updateTimestamp":##########}],"retryOperation":false}

Basic Authentication was validated as enabled on the CA web enrollment endpoint with the following command, which prints the HTTP status line the CA returns:

curl -iksu '<username>:<password>' https://<server>/certsrv/ | grep HTTP/
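The CA's HTML result and the SDDC Manager log both carry the same HRESULT, 0x80070032. The following PowerShell is an added example (not part of this KB article) that decodes such an HRESULT into its severity, facility and Win32 code and cross-checks it against the "(WIN32: N NAME)" annotation printed beside it in the log, so the failure can be attributed to the CA's backend error rather than to the SDDC Manager's generic "Invalid request found" wrapper. The sample lines are copied from the excerpt above; the function names are this example's own.

```powershell
# Added example, not from the KB article: decode the HRESULT values that the
# CA's certsrv response leaves in the operations-manager log and confirm they
# agree with the "(WIN32: N NAME)" annotation printed next to them.

function ConvertFrom-HResult {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Hex)

    $value = [Convert]::ToUInt32(($Hex -replace '^0x', ''), 16)

    # HRESULT layout: bit 31 = severity, bits 16-26 = facility, bits 0-15 = code.
    $severity = [int](($value -shr 31) -band 1)
    $facility = [int](($value -shr 16) -band 0x7FF)
    $code     = [int]($value -band 0xFFFF)

    # Facility 7 (FACILITY_WIN32) means the low 16 bits are a plain Win32 error code,
    # so the OS can render the same text the CA printed ("The request is not supported").
    $message = if ($facility -eq 7) {
        ([System.ComponentModel.Win32Exception]::new($code)).Message
    } else {
        'not a Win32-wrapped HRESULT'
    }

    [pscustomobject]@{
        HResult   = ('0x{0:X8}' -f $value)
        Severity  = if ($severity -eq 1) { 'FAILURE' } else { 'SUCCESS' }
        Facility  = $facility
        Win32Code = if ($facility -eq 7) { $code } else { $null }
        Message   = $message
    }
}

function Find-CaErrorInLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Matches the certsrv result text exactly as it appears in the log excerpt.
    $pattern = '(?<hr>0x[0-9A-Fa-f]{8}) \(WIN32: (?<num>\d+) (?<name>[A-Z_]+)\)'

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $decoded = ConvertFrom-HResult -Hex $Matches.hr
            [pscustomobject]@{
                HResult    = $decoded.HResult
                Win32Code  = $decoded.Win32Code
                LoggedCode = [int]$Matches.num
                LoggedName = $Matches.name
                Consistent = ($decoded.Win32Code -eq [int]$Matches.num)
                Message    = $decoded.Message
                Line       = $line.Trim()
            }
        }
    }
}

# Constructed sample: lines taken from the log excerpt in this article. The third
# line carries only the SDDC Manager wrapper message and therefore yields no match.
$sample = @'
The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
CCertRequest :: Submit: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
YYYY-MM-DDTHH:MM:SS.269+0000 ERROR [vcf_om] Generate certificate operation failed for ######, Failed to fetch certificate from Microsoft CA with Invalid request found ..
'@ -split "`r?`n"

Find-CaErrorInLog -Lines $sample | Format-Table -AutoSize
```

For 0x80070032 the decoder reports severity FAILURE, facility 7 and Win32 code 50, matching the "WIN32: 50 ERROR_NOT_SUPPORTED" annotation; the same function can be pointed at lines copied from the operations-manager log to separate CA-side errors (facility 7) from errors raised by SDDC Manager itself.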

Environment

VCF 5.x/9.x

Cause

  • Although VCF uses Basic Authentication to access the Microsoft CA web enrollment endpoint, the CA still performs backend identity validation against Active Directory. If NTLM is restricted, this validation may fail, resulting in the CA returning 0x80070032 (ERROR_NOT_SUPPORTED).

Resolution

To restore certificate operations, one of the following two configurations must be applied to the Microsoft CA via Group Policy (GPO) or Local Security Policy:

Option A: Remove NTLM Restrictions 

Set the following three policies to "Not Defined":

    • Network Security: Restrict NTLM: Incoming NTLM traffic

    • Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers

    • Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication

Option B: Targeted Hardening 

If NTLM blocking is required for compliance, configure these specific settings to allow SDDC Manager communication:

    • Add remote server exceptions for NTLM authentication: Add the SDDC Manager IP address to the exception list.

    • Incoming NTLM traffic: Set to "Deny all accounts" (The exception above will override this for the SDDC Manager).

    • Outgoing NTLM traffic to remote servers: Set to "Allow all".
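Before changing policy it helps to know which of the two options, if either, the CA currently matches. The PowerShell below is an added example (not part of this KB article) that reads the registry values behind the three "Network Security: Restrict NTLM" policies on the CA, which Microsoft stores under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 as RestrictReceivingNTLMTraffic, RestrictSendingNTLMTraffic and ClientAllowedNTLMServers, and reports whether they match Option A or Option B. It is read-only; the SDDC Manager address and the function names are this example's own assumptions.

```powershell
# Added example, not from the KB article: audit the CA's NTLM restriction
# policies against Option A (all three "Not Defined") and Option B (incoming
# denied, outgoing allowed, SDDC Manager on the exception list). Read-only:
# change the values through GPO or Local Security Policy so that Group Policy
# does not later revert a direct registry edit.

$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Numeric policy settings as Microsoft defines them for these two values.
$IncomingMap = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
$OutgoingMap = @{ 0 = 'Allow all'; 1 = 'Audit all';                2 = 'Deny all' }

function Get-NtlmRestrictionState {
    param([string]$Key = $Msv1Key)

    # A missing value is what the policy editor shows as "Not Defined".
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    $incoming   = $props.RestrictReceivingNTLMTraffic
    $outgoing   = $props.RestrictSendingNTLMTraffic
    $exceptions = @($props.ClientAllowedNTLMServers | Where-Object { $_ })

    [pscustomobject]@{
        IncomingNtlm     = if ($null -eq $incoming) { 'Not Defined' } else { $IncomingMap[[int]$incoming] }
        OutgoingNtlm     = if ($null -eq $outgoing) { 'Not Defined' } else { $OutgoingMap[[int]$outgoing] }
        ServerExceptions = $exceptions
    }
}

function Test-NtlmOptionForSddc {
    param(
        # Assumed: the SDDC Manager IP address exactly as it would appear in the exception list.
        [Parameter(Mandatory)][string]$SddcManagerAddress,
        [pscustomobject]$State = (Get-NtlmRestrictionState)
    )

    # Option A: remove the restrictions entirely.
    $optionA = ($State.IncomingNtlm -eq 'Not Defined' -and
                $State.OutgoingNtlm -eq 'Not Defined' -and
                $State.ServerExceptions.Count -eq 0)

    # Option B: keep NTLM blocked but carve out SDDC Manager.
    $optionB = ($State.IncomingNtlm -eq 'Deny all accounts' -and
                $State.OutgoingNtlm -eq 'Allow all' -and
                ($State.ServerExceptions -contains $SddcManagerAddress))

    $verdict = if ($optionA) { 'Option A in effect' }
               elseif ($optionB) { 'Option B in effect' }
               else { 'Neither option: the NTLM restriction can still block the CA backend lookup' }

    [pscustomobject]@{
        IncomingNtlm     = $State.IncomingNtlm
        OutgoingNtlm     = $State.OutgoingNtlm
        ServerExceptions = ($State.ServerExceptions -join ', ')
        MatchesOptionA   = $optionA
        MatchesOptionB   = $optionB
        Verdict          = $verdict
    }
}

# Constructed address for illustration; substitute the real SDDC Manager IP.
Test-NtlmOptionForSddc -SddcManagerAddress '10.0.0.10' | Format-List
```

Run it on the CA after the GPO has refreshed (or after a gpupdate) so that the registry reflects the policy actually in force; a verdict of "Neither option" with "Deny all accounts" incoming and no exception for SDDC Manager is the state that produces the 0x80070032 failure described above.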


Additional Information

Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers