Configuring the NSX SSO Lookup Service fails



Article ID: 343361


Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:

  • Registering NSX Manager to vCenter Server fails
  • Configuring the SSO Lookup Service fails
  • You may see errors similar to:
    • nested exception is java.net.UnknownHostException: vc.local( xxxxxx.local )
    • NSX Management Service operation failed.( Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.sso.admin.exception.InternalError: General failure.
    • com.vmware.vshield.vsm.security.service.impl.SamlTokenSSOAuthenticator : SSO is not configured or initialized properly so cannot authenticate user.

Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.0.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.1.x

Cause

This issue occurs due to one of these reasons:

  • Connectivity issues between NSX Manager and vCenter Server.
  • DNS is not configured properly on NSX Manager or vCenter Server.
  • A firewall is blocking the connection.
  • Time is not synchronized between NSX Manager and vCenter Server.
  • The account used for Single Sign-On (SSO) does not have administrative rights.

Resolution

To troubleshoot this issue:
  • Connectivity issue

    Verify connectivity from NSX Manager to the vCenter Server.

    Ping the vCenter Server from NSX Manager by both IP address and FQDN. To confirm that NSX Manager has a static or default route toward the vCenter Server, run this command on the NSX Manager CLI:

    # show ip route

    Where the codes are:
    K – kernel route
    C – connected
    S – static
    > – selected route
    * – FIB route

    S>* 0.0.0.0/0 [1/0] via 192.x.x.x, mgmt
    C>* 192.x.x.x/24 is directly connected, mgmt

  • DNS Issue

    Verify that NSX Manager can resolve the vCenter Server FQDN.

    Ping the vCenter Server from NSX Manager by FQDN using this command:

    # ping <vcsa fqdn>

    You see output similar to:

    PING <vcsa fqdn> (192.x.x.x): 56 data bytes
    64 bytes from 192.x.x.x: icmp_seq=0 ttl=64 time=0.576 ms

    If the name does not resolve, navigate to Manage > Network > DNS Servers in NSX Manager and configure DNS.

  • Firewall Issue

    If there is a firewall between NSX Manager and vCenter Server, verify that it allows SSL on TCP/443. Also allow ICMP ping so that connectivity can be checked.

    Ports required for NSX communication

    These ports must be open on NSX Manager:

    Port       Required for
    443/TCP    Downloading the OVA file to the ESXi host for deployment; using REST APIs; using the NSX Manager user interface
    80/TCP     Initiating the connection to the vSphere SDK; messaging between NSX Manager and NSX host modules
    1234/TCP   Communication between NSX Controller and NSX Manager
    5671       RabbitMQ (messaging bus technology)
    22/TCP     Console access (SSH) to the CLI

    Note: By default, port 22/TCP is closed.

  • NTP issue

    Verify that time is synchronized between vCenter Server and NSX Manager.

    To determine the time on NSX Manager, run this command from the NSX Manager CLI:

    # show clock

    You see output similar to:

    Tue Nov 18 06:51:34 UTC 2014

    To determine the time on the vCenter Server, run this command on the vCenter Server CLI:

    # date

    You see output similar to:

    Tue Nov 18 06:51:31 UTC 2014

    Note: After changing the time settings, restart the appliance.

  • User permission issue

    To register with vCenter Server or the SSO Lookup Service, you must have administrative rights.

    Try the default administrator account:

    administrator user: [email protected]

  • Reconnect SSO by re-entering the credentials.
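The checks above are usually done by eye, one appliance at a time. The script below is an added example (not VMware's code and not part of this article) that parses the CLI output the steps ask you to collect (show ip route and ping <fqdn> from NSX Manager, show clock on NSX Manager and date on vCenter Server) and turns each step into a pass/fail flag, so a failed registration can be narrowed to routing, DNS, reachability or clock skew before the SSO Lookup Service is reconfigured. All hostnames, addresses and sample output are constructed, and the 300-second skew tolerance is our own assumption; the article only says the clocks must be synchronized. The tcp_port_open helper performs a live TCP/443 connection for the firewall step and is not exercised by the offline sample.

```python
#!/usr/bin/env python3
"""Pre-flight checks for NSX Manager -> vCenter / SSO Lookup Service registration.

Added example, not VMware's code. It parses the CLI output this article asks
you to collect (show ip route, ping <fqdn>, show clock on NSX Manager and
date on vCenter Server) and reports which prerequisite is failing. All sample
output, hostnames and addresses below are constructed; the skew tolerance is
our own assumption, not a value documented by VMware.
"""
import re
import socket
from datetime import datetime

MAX_SKEW_SECONDS = 300  # assumption: anything above this counts as "not synchronized"

# Selected (>) default route, e.g. "S>* 0.0.0.0/0 [1/0] via 192.0.2.1, mgmt"
ROUTE_RE = re.compile(r"^[KCS]>\*?\s+0\.0\.0\.0/0\s+.*\bvia\s+([^\s,]+)", re.M)
# Header of a successful ping, e.g. "PING vcsa.example.local (192.0.2.10): 56 data bytes"
PING_RE = re.compile(r"^PING\s+(\S+)\s+\(([\d.]+)\)", re.M)
CLOCK_FMT = "%a %b %d %H:%M:%S %Z %Y"  # format shared by `show clock` and `date`


def default_gateway(show_ip_route: str):
    """Next hop of the selected default route, or None if there is none."""
    m = ROUTE_RE.search(show_ip_route)
    return m.group(1) if m else None


def resolved_address(ping_output: str, fqdn: str):
    """IP the FQDN resolved to, or None when resolution failed (UnknownHostException territory)."""
    m = PING_RE.search(ping_output)
    return m.group(2) if m and m.group(1) == fqdn else None


def reply_count(ping_output: str) -> int:
    """Number of ICMP echo replies present in the ping output."""
    return len(re.findall(r"^\d+ bytes from ", ping_output, re.M))


def clock_skew_seconds(nsx_show_clock: str, vc_date: str) -> int:
    """Absolute difference between the two appliance clocks, in seconds."""
    nsx = datetime.strptime(nsx_show_clock.strip(), CLOCK_FMT)
    vc = datetime.strptime(vc_date.strip(), CLOCK_FMT)
    return abs(int((nsx - vc).total_seconds()))


def tcp_port_open(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Live check that a firewall lets TCP/443 through (not used by the offline sample)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(show_ip_route, ping_output, fqdn, nsx_clock, vc_date,
              max_skew=MAX_SKEW_SECONDS):
    """Map each troubleshooting step of the article to a pass/fail flag."""
    return {
        "default_route": default_gateway(show_ip_route) is not None,
        "dns_resolves": resolved_address(ping_output, fqdn) is not None,
        "ping_replies": reply_count(ping_output) > 0,
        "clock_in_sync": clock_skew_seconds(nsx_clock, vc_date) <= max_skew,
    }


# Constructed sample output modelled on the article's own listings.
SAMPLE_ROUTES = """S>* 0.0.0.0/0 [1/0] via 192.0.2.1, mgmt
C>* 192.0.2.0/24 is directly connected, mgmt
"""
SAMPLE_FQDN = "vcsa.example.local"
SAMPLE_PING = """PING vcsa.example.local (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=64 time=0.576 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=0.512 ms
"""
SAMPLE_PING_FAIL = "ping: unknown host vcsa.example.local\n"
SAMPLE_NSX_CLOCK = "Tue Nov 18 06:51:34 UTC 2014"
SAMPLE_VC_DATE = "Tue Nov 18 06:51:31 UTC 2014"

if __name__ == "__main__":
    for check, ok in preflight(SAMPLE_ROUTES, SAMPLE_PING, SAMPLE_FQDN,
                               SAMPLE_NSX_CLOCK, SAMPLE_VC_DATE).items():
        print(f"{check:15} {'PASS' if ok else 'FAIL'}")
    print("clock skew:", clock_skew_seconds(SAMPLE_NSX_CLOCK, SAMPLE_VC_DATE), "s")
```

With the sample output every flag passes and the skew is 3 seconds; feeding it the failed-ping text instead flips dns_resolves and ping_replies to FAIL, which is the same condition that surfaces as the UnknownHostException in the symptoms above.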



Additional Information