I was recently performing configuration on vRLI and came across the issue below.
While integrating Log Insight with Workspace ONE Access (WS1) for authentication, I ran into a strange issue when trying to set up the integration using a service account that is an AD user.
I had assigned the super admin privilege to the user on both WS1 and vRLI, but I kept getting the "incorrect username and password" error during validation. Still, I was able to log in to the vRLI UI with the same service account.
The runtime.log shows the following: even though the login to the UI works, the log message says wrong credentials.
[2023-05-18 15:09:46.429+0000] ["https-openssl-apr-443-exec-7"/172.26.135.42 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Sending 'POST' request to URL : https://vcf-lreg-wsa01.corp.local:443/SAAS/API/1.0/REST/auth/system/login]
[2023-05-18 15:09:46.452+0000] ["https-openssl-apr-443-exec-7"/172.26.135.42 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Response Code : 401]
[2023-05-18 15:09:46.452+0000] ["https-openssl-apr-443-exec-7"/172.26.135.42 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Processed POST request to https://vcf-lreg-wsa01.corp.local:443/SAAS/API/1.0/REST/auth/system/login in 23msec]
[2023-05-18 15:09:46.452+0000] ["https-openssl-apr-443-exec-7"/172.26.135.42 INFO] [com.vmware.loginsight.aaa.vidm.VIDMConnector] [VMware Identity Manager wrong credentials provided. hostname:vcf-lreg-wsa01.corp.local, tenant:null, username:svc-vrli-wsoa@corp.local. Authentication fails: wrong credential provided, or the user is not the tenant admin. :: Invalid credentials or Password locked. Received unexpected response from VMware Identity Manager instance. Domain : vcf-lreg-wsa01.corp.local. ]
ui_runtime.log
[2023-05-18 14:52:05.423+0000] ["https-openssl-apr-443-exec-2"/172.26.135.42 INFO] [com.vmware.loginsight.web.actions.misc.LoggerActionBean] [Submit form. Action: https://vcf-vrli01.corp.local/admin/auth, Event Name: testVIDM]
[2023-05-18 14:52:05.454+0000] ["https-openssl-apr-443-exec-8"/172.26.135.42 INFO] [com.vmware.loginsight.web.actions.settings.AuthConfigurationActionBean] [Unable to login to VMware Identity Manager. Wrong credentials]
com.vmware.loginsight.aaa.vidm.exception.CredentialsException: Authentication fails: wrong credential provided, or the user is not the tenant admin. :: Invalid credentials or Password locked. Received unexpected response from VMware Identity Manager instance. Domain : vcf-lreg-wsa01.corp.local.
at com.vmware.loginsight.aaa.vidm.VIDMConnector.vIDMLogin(VIDMConnector.java:72) ~[auth-lib.jar:?]
at com.vmware.loginsight.web.actions.settings.AuthConfigurationActionBean.mergeVIDMValues(AuthConfigurationActionBean.java:441) ~[classes/:?]
at com.vmware.loginsight.web.actions.settings.AuthConfigurationActionBean.validateVIDM(AuthConfigurationActionBean.java:679) [classes/:?]
at com.vmware.loginsight.web.actions.settings.AuthConfigurationActionBean.testVIDM(AuthConfigurationActionBean.java:376) [classes/:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_351]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_351]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_351]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_351]
As a troubleshooting step I verified the CA cert store on the vRLI appliance with this command: /usr/java/jre-vmware/bin/keytool -list -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit. The keystore isn't corrupt: I was able to retrieve the certificate list with that command, and I could also view the certificates from the management page.
The user (svc-vrli-wsoa) is an AD user created on the AD server; it was added when AD was integrated with vRLI and with WS1, and the user was given the superadmin privilege.
After further research I was able to identify the cause: integration with VMware Workspace ONE Access can be done only with local users. Active Directory users who are assigned a tenant admin role in VMware Workspace ONE Access are not eligible for integration with VMware Aria Operations for Logs. Document reference.
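As an added example (not code from the original post or from VMware), the following Python script repeats the same system-login validation that vRLI performs against the WS1 Access endpoint seen in runtime.log, so a service account can be checked before the integration is configured. The JSON request body (username, password, issueToken) is an assumption about the WS1 Access REST API, and the host and user values are placeholders.

```python
import json
import ssl
import urllib.error
import urllib.request

# Endpoint vRLI POSTs to when validating the WS1 Access settings (from runtime.log above).
SYSTEM_LOGIN_PATH = "/SAAS/API/1.0/REST/auth/system/login"


def classify_system_login(status, body):
    """Map the HTTP status and body of a system-login attempt to (ok, reason).

    A 401 is what vRLI surfaces as "wrong credentials"; for an AD-backed account
    that means the account is not a *local* WS1 Access tenant admin.
    """
    if status == 200:
        try:
            token = json.loads(body).get("sessionToken")
        except ValueError:
            token = None
        if token:
            return True, "local tenant admin login succeeded (sessionToken issued)"
        return False, "HTTP 200 without a sessionToken; unexpected response body"
    if status == 401:
        return False, ("HTTP 401: rejected by system login; the account is not a local "
                       "WS1 Access tenant admin (AD users are not eligible), or the "
                       "password is wrong or locked")
    return False, f"unexpected HTTP status {status}"


def check_ws1_system_login(host, username, password, cafile=None):
    """POST the credentials the way vRLI does and classify the result.

    Request body shape is an assumption about the WS1 Access REST API.
    """
    url = f"https://{host}:443{SYSTEM_LOGIN_PATH}"
    payload = json.dumps({"username": username, "password": password,
                          "issueToken": True}).encode()
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)  # verify the WS1 cert, as the JVM truststore does
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return classify_system_login(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_system_login(e.code, e.read().decode())


if __name__ == "__main__":
    import getpass, sys  # usage: python check_ws1.py <ws1-host> <service-account>
    ok, reason = check_ws1_system_login(sys.argv[1], sys.argv[2], getpass.getpass("Password: "))
    print(("OK" if ok else "FAIL") + ": " + reason)
```

If the script reports a 401 for an account that can still log in to the vRLI UI, the account is authenticating through the directory rather than as a local tenant admin, which is exactly the condition described above.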