SRM Recovery Group Creation Fails with "Error while fetching ActAsToken" due to vCenter 9.0 Interoperability

Article ID: 438648

Products

VMware Live Recovery

Issue/Introduction

Symptoms

  • Users are unable to protect virtual machines or configure new protection groups in Site Recovery Manager (SRM).
  • The SRM DR page UI displays this error: Internal error: Received unexpected exception during prepare phase.
  • SRM site pairing may appear connected, but storage-related operations fail.
  • Configured protection groups in SRM display the error "There are configuration issues".
  • VM protection status in the Protection Group shows "Not configured".
  • The following error is displayed in the VMware Live Site Recovery DR page UI (URL: https://SRM-IP or VR-IP/dr):

SRM Server cannot connect to Unknown Service at https:####:443/sms/sdk. Access to perform the operation was denied.

  • The /var/log/vmware/srm/vmware-dr.log file of the VLR appliance contains these entries:

fault: (vmodl.fault.SecurityError)

"Received SOAP response fault from [<SSL(<io_obj ...>), /pbm/sdk>]: fetchResourceType --> Error while fetching ActAsToken"

N2Dr5Fault22PbmConnectionDownFault9ExceptionE(Fault cause: dr.fault.PbmConnectionDownFault

  • The sps.log file of the vCenter Server contains these entries:

"Failed to acquire delegate HoK token"

"com.vmware.vim.sso.client.exception.InvalidTokenRequestException: Request is invalid: ns0:InvalidRequest: Cannot continue delegation chain"

"VpxdException: Error while fetching ActAsToken"

Environment

  • vCenter Server 9.0
  • VMware Site Recovery Manager 9.0.2
  • VMware vSphere Replication 9.0.2

Cause

This issue occurs due to an unsupported interoperability configuration. Running SRM/vSphere Replication 9.0.2 with vCenter Server 9.0 is not a supported state.

The version mismatch causes a breakdown in the SAML token delegation chain. The vCenter Single Sign-On (SSO) service rejects delegation requests from the SRM solution user, preventing the acquisition of the ActAsToken. Without this token, SRM cannot authenticate with the vCenter Storage Profile Service (SPS/PBM), which is required to manage storage-based protection groups.
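
A triage check for the log signatures listed under Symptoms, as an added example that is not part of the original article or of VMware's tooling. The sample lines are constructed from the entries quoted above with invented timestamps, and treating "every signature present in both logs" as a match is an assumption of this example.

```python
import re

# Signature strings quoted in this article, grouped by the log they come from.
SRM_SIGS = {  # /var/log/vmware/srm/vmware-dr.log on the appliance
    "act_as_token": re.compile(r"fetchResourceType --> Error while fetching ActAsToken"),
    "pbm_down": re.compile(r"dr\.fault\.PbmConnectionDownFault"),
}
SPS_SIGS = {  # sps.log on the vCenter Server
    "hok_delegate": re.compile(r"Failed to acquire delegate HoK token"),
    "delegation_chain": re.compile(r"InvalidTokenRequestException: .*Cannot continue delegation chain"),
    "vpxd_act_as": re.compile(r"VpxdException: Error while fetching ActAsToken"),
}

def scan(lines, sigs):
    """Count matching lines per signature name."""
    hits = dict.fromkeys(sigs, 0)
    for line in lines:
        for name, rx in sigs.items():
            if rx.search(line):
                hits[name] += 1
    return hits

def classify(srm_lines, sps_lines):
    """Return (verdict, srm_hits, sps_hits) for the two logs."""
    srm, sps = scan(srm_lines, SRM_SIGS), scan(sps_lines, SPS_SIGS)
    if all(srm.values()) and all(sps.values()):
        verdict = "match"      # both ends of the delegation failure are logged
    elif any(srm.values()) or any(sps.values()):
        verdict = "partial"    # collect the other log before concluding
    else:
        verdict = "no-match"
    return verdict, srm, sps

# Constructed sample lines: messages copied from this article, timestamps invented.
SRM_SAMPLE = [
    '2025-01-01T00:00:00Z "Received SOAP response fault from [<SSL(<io_obj ...>), /pbm/sdk>]: fetchResourceType --> Error while fetching ActAsToken"',
    "2025-01-01T00:00:00Z N2Dr5Fault22PbmConnectionDownFault9ExceptionE(Fault cause: dr.fault.PbmConnectionDownFault",
]
SPS_SAMPLE = [
    "2025-01-01T00:00:00Z Failed to acquire delegate HoK token",
    "2025-01-01T00:00:00Z com.vmware.vim.sso.client.exception.InvalidTokenRequestException: Request is invalid: ns0:InvalidRequest: Cannot continue delegation chain",
    "2025-01-01T00:00:00Z VpxdException: Error while fetching ActAsToken",
]

if __name__ == "__main__":
    print(classify(SRM_SAMPLE, SPS_SAMPLE))
```

A "match" only identifies the token delegation failure in the logs; confirm the product versions against the Environment section before applying the resolution.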

Resolution

To resolve this issue, the environment must be brought into a supported interoperability state.

  1. Upgrade SRM and vSphere Replication: Upgrade both Site Recovery Manager and vSphere Replication appliances to version 9.0.5 on both the protected and recovery sites.
  2. Converge Appliances: It is recommended to follow the convergence path to the VMware Live Recovery (VLR) 9.0.5 appliance model. Refer to Steps to Converge to VMware Live Recovery Appliance for convergence steps.
  3. Reconfigure the SRM Appliance: Once the upgrade to 9.0.5 is complete, perform a reconfiguration of the appliance to refresh the solution user registration:
    • Log in to the SRM Appliance Management Interface (AMI) at https://<srm-appliance-address>:5480.
    • Navigate to the Summary page.
    • Click Reconfigure and complete the wizard to re-establish the trust relationship and delegation path within the vCenter 9.0 SSO domain.
  4. Verify Services: Ensure the vmware-sps service is running on the vCenter Server and that the SRM site pair is fully connected.
