Description:

After pointing EEM to authenticate with Active Directory, VAIM will send requested to EEM and EEM will forward requests to Active Directory. The errors/messages are generated because VAIM authenticated to native EEM using the sysuser account.

VAIM policy or agent deployments, the following errors may be displayed:

"The user initiating the deployment was not authorized to deploy to this host"

OR

"Error: no profiles were successfully requested"

The Rainier.log may contain the following error:

Can't deliver policies. Receiving EE_AUTHFAILED Authentication Failed

Solution:

Note: The below steps assume EEM is configured to point to Active Directory. If you have not already done so, please review Change the System User Password for Active Directory Security section in the manual.

Note: :For CA EEM usernames and passwords, the following additional characters are not supported: Ampersand , double quotation mark ("), backtick (`), single quotation mark ('), less than (<), greater than (>), percent (%), semicolon (, colon (, pipe (|), back slash (\), forward slash (/), grave accented letters (`), acute accented letters ('), and other similarly diacritical accented letters.

For installation destination paths, the following additional characters are not supported: exclamation point , left square bracket ([), right square bracket (]), left parenthesis '(', right parenthesis ')', and semicolon (.

1. Configure VAIM sys_service account with an Active Directory user.
   
   
   1. Navigate to Start, Programs, CA, CA Virtual Assurance, select CA Virtual Assurance Command Prompt.
      The command prompt window appears.
      
      
   2. Run the below command:
      dpmutil -set -sysuser
      
      
   3. Enter your current EEM username and password for authentication.
      
      
   4. Use an EiamAdmin or equivalent is required (not an Active Directory user).
      
      
   5. Complete the command by providing proper Active Directory credentials.
      Note : Please specify Active Directory Username such as domainusername and NOT [email protected] or domain\domainusername. Depending on the method Active Directory is configured to allow authentication request, you may need to use [email protected] or domain\domainusername instead of entering only the domainusername.
      
      

      <Please see attached file for image>

      
      
      
   6. Validate that the changes in step b are successful:
      dpmutil -get -sysuser
      Provide the same credentials that was used in step 2c.
      
      
2. Perform this step if Microsoft SQL Database is not on the same host as VAIM and VAIM is configured to connect to SQL with Windows authentication.
   Modify the "Log On As" permissions for the following VAIM Manager services, CAAIPTomcat, CAAIPApache, CA SM Domain Server, CA SM Distribution Server
   Note: The procedure below will stop VAIM Manager.
   
   
   1. Stop the below services in order:
      
      
      1. CAAIPTomcat
         
         
      2. CAAIPApache
         
         
      3. CA SM Distribution Server
         
         
      4. CA SM Domain Server
         
         
   2. Modify the above services with the Active Directory User defined in Step 2c (domainusername).
      Right click on each service -> select Properties -> select the Log On Tab -> Click This Account Radio button -> Enter the Active Directory user and password.
      
      
   3. After modifying the Log On account for the four Services, start the services in the following order:
      
      
      
      1. CA SM Domain Server
         
         
      2. CA SM Distribution Server
         
         
      3. CAAIPApache
         
         
      4. CAAIPTomcat
         
         Command to validate VAIM is configured with Windows Authentication or SA
         
         

         <Please see attached file for image>

         
         
         
3. Configure Active Directory user to allow Log In access into VAIM
   
   
   1. Login to VAIM and go to Administration -> Select User Groups Tab
      
      
   2. Select the AIPAdmins group and then click search.
      
      
   3. Validate the Active Directory domainusername is part of the AIPAdmins User group.
      
      

      <Please see attached file for image>

      
      
      
   4. Please add all users you want to give access to VAIM.
      If a user is not part of AIPAdmins or AIPUsers, they cannot log into VAIM and will receive error:
      
      

      <Please see attached file for image>

      
      
      
4. Test a Policy or Software deployment. It should now be successful. If you continue to have issues, please open an issue with CA Support. Please include the following information with your request:
   
   
   1. Screenshot of error you receive
      
      
   2. \Program Files\CA\VirtualAssurance\apache\Rainer.log