vCenter Server VPXD service crashes frequently due to identity source domain controller requiring stronger authentication

Article ID: 427399

Products

VMware vCenter Server

Issue/Introduction

  • vCenter Server VPXD service crashes frequently and creates core.vpxd-worker.XXXXX dumps in the /var/core directory
  • A reboot of the vCenter Server brings back the VPXD service 
  • Identity source is configured with AD/LDAP on port 389 with the domain name listed as the LDAP URL 
  • The domain name has many other domain controllers behind it 
  • vmware-identity-sts.log shows:
    WARN sts[52:tomcat-http--14] [CorId=<ID>] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 8                                                                                                                                                                      
    WARN sts[52:tomcat-http--14] [CorId=<ID>] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldap://<URL>, <username>]
    ERROR sts[52:tomcat-http--14] [CorId=<ID>] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://<URL>] because [com.vmware.identity.interop.ldap.StrongAuthRequiredLdapException] with reason [Strong(er) authentication required] therefore will try to attempt to use secondary URIs, if applicable      
    ERROR sts[52:tomcat-http--14] [CorId=fe5a75f5-72ed-4aa0-a759-ccdea53c3aae] [com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider] Failed to retrieve upnSuffixes in AD over LDAP provider '<Domain>'                                                                                                                                                                               
    com.vmware.identity.interop.ldap.StrongAuthRequiredLdapException: Strong(er) authentication required  

Environment

VMware vCenter Server 8.x

Cause

  • Because the domain name has many domain controllers behind it, some of them may be configured to accept secure connections only, i.e. LDAPS on port 636
  • The identity source on the vCenter Server is configured with LDAP port 389 without a certificate 
  • The timeouts caused by external AD communication cause VPXD to crash 

Resolution

  • On the AD side, check whether any domain controllers are configured to accept secure connections only
  • Re-create the identity source so that it points directly at one of the domain controller URLs, over LDAP, or over LDAPS if only secure connections are accepted
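
To confirm the log signature from the Issue section across a whole vmware-identity-sts.log and see which identity-source URIs are being rejected, a scan like the following can be used. This is an added example, not VMware code; the hostnames in the sample lines are constructed, and the log file path is passed as an argument.

```python
import re
import sys
from collections import Counter

# ServerUtils ERROR line, in the format quoted in the article.
CONNECT_FAIL = re.compile(
    r"cannot establish ldap connection with URI: \[(?P<uri>[^\]]+)\] "
    r"because \[(?P<exc>[\w.$]+)\] with reason \[(?P<reason>[^\]]*)\]"
)
# LdapErrorChecker WARN line; LDAP result code 8 is strongerAuthRequired (RFC 4511).
LDAP_CODE = re.compile(r"LdapErrorChecker\].*error code: (?P<code>\d+)")


def scan_sts_log(lines):
    """Return (Counter of strong-auth failures per URI, count of code-8 warnings)."""
    per_uri, code8 = Counter(), 0
    for line in lines:
        fail = CONNECT_FAIL.search(line)
        code = LDAP_CODE.search(line)
        if fail and fail.group("exc").endswith("StrongAuthRequiredLdapException"):
            per_uri[fail.group("uri")] += 1
        elif code and code.group("code") == "8":
            code8 += 1
    return per_uri, code8


def plaintext_uris(per_uri):
    """Failing URIs that use ldap:// (plain LDAP) instead of ldaps://."""
    return sorted(u for u in per_uri if u.lower().startswith("ldap://"))


# Constructed sample lines in the article's log format (hostnames are made up).
SAMPLE = """\
WARN sts[52:tomcat-http--14] [CorId=c1] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 8
ERROR sts[52:tomcat-http--14] [CorId=c1] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://corp.example.test] because [com.vmware.identity.interop.ldap.StrongAuthRequiredLdapException] with reason [Strong(er) authentication required] therefore will try to attempt to use secondary URIs, if applicable
WARN sts[53:tomcat-http--15] [CorId=c2] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 8
ERROR sts[53:tomcat-http--15] [CorId=c2] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldap://corp.example.test] because [com.vmware.identity.interop.ldap.StrongAuthRequiredLdapException] with reason [Strong(er) authentication required] therefore will try to attempt to use secondary URIs, if applicable
INFO sts[60:tomcat-http--20] [CorId=c3] [constructed.Placeholder] unrelated message
""".splitlines()

if __name__ == "__main__":
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    per_uri, code8 = scan_sts_log(lines)
    print(f"LDAP result code 8 warnings: {code8}")
    for uri, n in per_uri.most_common():
        print(f"{n:6d}  strong-auth rejections  {uri}")
    print("plain ldap:// URIs to review:", plaintext_uris(per_uri))
```

A URI that appears here intermittently rather than on every bind attempt is consistent with the Cause section: only some of the domain controllers behind the domain name reject the connection.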