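This problem can occur when the vCenter Server Appliance is joined to an Active Directory domain during initial configuration through the web interface configuration wizard. After configuration, the related vCenter Server and vCenter Single Sign On services might run normally, but Active Directory is not found as an identity source.
Workaround:
Do one of the following.
Restart the vCenter Server Appliance.
Restart vCenter Single Sign On, and then restart the vSphere Web Client service.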
After you click [Log Browser] in the vSphere Web Client, an error message appears: Exception: https://<system-address>:12443/vmwb/logbrowser: Unauthorized access. This error occurs after you replace the default vCenter Single Sign On server SSL certificate directly, or replace it by regenerating the certificate in the vCenter Server Appliance.
Workaround:
1. Log in to the vSphere Web Client as a Single Sign On administrator.
2. Navigate to [Administration] > [Sign-On and Discovery] > [Configuration], and then click the [STS Certificate] tab.
3. Click Edit.
4. Select the Single Sign On SSL keystore.
If Single Sign On runs on a Windows system, select the following file:
C:\Program Files\VMware\Infrastructure\SSOServer\security\server-identity.jks (default path)
If Single Sign On runs on Linux (vCenter Server Appliance), select the following file:
/usr/lib/vmware-sso/security/server.jks (default path)
5. Open the Single Sign On server.xml file with a text editor or browser.
On Windows:
C:\Program Files\VMware\Infrastructure\SSOServer\conf\server.xml (default path)
On Linux:
/usr/lib/vmware-sso/conf/server.xml (default path)
6. Search for keystorePass="..." on the Connector element. The string in quotation marks is your password.
7. Enter the password in the vSphere Web Client when prompted.
8. Select only the displayed chain.
9. Click [OK] and enter the password again.
10. Restart the following services: vSphere Web Client, vCenter Server, vCenter Inventory Service, and VMware Log Browser. You do not need to restart Single Sign On.
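The default password policy for vCenter Single Sign On system users specifies that passwords expire after 365 days. However, vCenter Single Sign On does not issue a warning when a user's password is about to expire.
Workaround: A vCenter Single Sign On administrator user can change expired passwords for System-Domain users. Ask the administrator to reset your password. If you are the Single Sign On administrator user, use the ssopass command-line tool to reset the password.
On Windows:
1. Open a terminal window and navigate to C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli
2. Run the following command.
ssopass <username>
3. Enter the user's current password, even if it has expired.
4. Enter the new password, and then enter it again to confirm.
On Linux (vCenter Server Appliance):
1. Open a terminal window and navigate to /usr/lib/vmware-sso/bin.
2. Run the following command.
./ssopass <username>
3. Enter the user's current password, even if it has expired.
4. Enter the new password, and then enter it again to confirm.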
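In vCenter Server, guest customization of Windows 2008, Windows 2008 R2, or Windows 7 virtual machines fails with the error: Windows Setup encountered an internal error while loading or searching for an unattended answer file. This problem occurs because the customization specification contains any of the characters &, >, <, " or ' in any of the following fields: computer name, registered owner name, or registered organization name.
Workaround:
Do not use special characters in any of the fields listed above.
See 193
Symptoms
In an ESXi 5.1 environment, on a Windows 2003 operating system, when viewed through vClient, the "Performance" panel page cannot be displayed and the "Hardware status" page is not visible. After the vCenter address is entered in Internet Explorer, the page cannot be displayed either, but everything works normally on Windows 7 and Windows 2008 operating systems.
Fault analysis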
To resolve this issue in Windows XP 64bit and Windows 2003, you must add these cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
For more information, see the Microsoft Knowledge Base article http://support.microsoft.com/kb/948963. However, this Microsoft hotfix does not apply to Windows XP 32bit.
To work around this issue in Windows XP 32bit:
Caution: VMware does not recommend or support this workaround. Use this at your own risk.
On the vCenter Server machine, go to %PROGRAM_FILES%\VMware\Infrastructure\tomcat\conf.
Open the server.xml file using a text editor.
Locate this XML element:
<Connector port="8443"...></Connector>
Modify the ciphers attribute so that it is similar to:
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
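The ciphers list in this workaround re-enables RC4, MD5-MAC and 3DES suites on the port 8443 Connector. The following is an added example (not part of the original page or of VMware's tooling) that reads a Tomcat server.xml and reports which configured suites are weak. The sample XML is constructed: only port="8443" and the ciphers value come from the page, and the other elements and attributes are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only port="8443" and the ciphers value come from the page;
# the surrounding elements and the other attributes are assumptions.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""

# Name fragment -> why a suite containing it is considered weak.
WEAK_MARKERS = [
    ("_RC4_", "RC4 stream cipher, prohibited in TLS by RFC 7465"),
    ("_MD5", "MD5-based MAC"),
    ("_3DES_", "3DES, 64-bit block size (Sweet32)"),
    ("_NULL_", "no encryption"),
    ("_EXPORT_", "export-grade key length"),
    ("_anon_", "unauthenticated key exchange"),
]


def audit_connector_ciphers(server_xml, port="8443"):
    """Return (weak, remaining): weak maps suite -> reasons, remaining lists unflagged suites."""
    weak, remaining = {}, []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("port") != port:
            continue  # only audit the Connector the workaround edits
        names = (s.strip() for s in conn.get("ciphers", "").split(","))
        for suite in filter(None, names):
            reasons = [why for marker, why in WEAK_MARKERS if marker in suite]
            if reasons:
                weak[suite] = reasons
            else:
                remaining.append(suite)
    return weak, remaining


if __name__ == "__main__":
    weak, remaining = audit_connector_ciphers(SAMPLE_SERVER_XML)
    for suite, reasons in weak.items():
        print(f"WEAK {suite}: {'; '.join(reasons)}")
    print("unflagged:", ", ".join(remaining))
```

A Connector with no ciphers attribute yields two empty results, which means the JVM defaults apply rather than that the endpoint is clean.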
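Solution
Download the patch from the Microsoft website: (http://hotfixv4.microsoft.com/Windows%20Server%202003/sp3/Fix192447/3790/free/351382_CHS_i386_zip.exe)
After installation, restart Windows 2003 and then restart the vCenter service.
The recently released VMware vSphere 5.1 adds a role to vCenter called SSO, short for single sign-on. All other services, such as vCenter Server, Web Client, and Update Manager, need to connect to the SSO role, so installing VMware vSphere vCenter 5.1 requires installing SSO, and it must be the first role installed. Otherwise the other roles cannot be installed properly.
However, vSphere SSO is not yet very stable. When you restart the SSO server, you find that the SSO service runs normally but the vCenter service does not start. The official KB lists the following situations that can cause vCenter 5.1 to fail to start after SSO is restarted:
1. The SSO server's host name changes, including the host joining or leaving a domain.
When updates are applied to the operating system, the machine name changes, or the machine is added or removed from an Active Directory domain. These changes prevent the SSO server from starting and, as a result, vCenter Server does not start.
2. The SSO server's hardware configuration changes, such as the memory size, the number of CPUs, or the MAC address.
If you clone or change the parameters of a virtual machine where SSO is installed (such as the amount of RAM, the number of CPUs, or the MAC address), SSO fails to start.
The following errors appear in the vpxd.log log on the VMware vCenter 5.1 server: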
2012-09-24T22:18:46.534-04:00 [04584 info 'authvpxdMoSessionManager'] [SSO][SessionManagerMo::Init] Downloading STS Root certificates ...
2012-09-24T22:18:46.534-04:00 [04584 verbose '[SSO][SsoCertificateManagerImpl]'] [InitConfigManagementService]
2012-09-24T22:18:46.534-04:00 [04584 verbose '[SSO][SsoCertificateManagerImpl]'] [CreateAdminSsoServiceContent] Connecting to SSO Admin server ...
2012-09-24T22:18:46.534-04:00 [04584 trivia 'vmomi.soapStub[0]'] Sending soap request to []: retrieveServiceContent {}
2012-09-24T22:18:46.534-04:00 [04584 trivia 'HttpConnectionPool-000001'] [IncConnectionCount] Number of connections to incremented to 1
2012-09-24T22:18:46.534-04:00 [04584 trivia 'HttpConnectionPool-000001'] [PopPendingConnection] Found pending connection to
2012-09-24T22:18:46.534-04:00 [04584 trivia 'vmomi.soapStub[0]'] Request started [class Vmacore::Http::UserAgentImpl::AsyncSendRequestHelper:000000000DF7FA68]
2012-09-24T22:18:46.534-04:00 [04280 trivia 'Default'] SSLStreamImpl:oClientHandshake: verifyPeerName(vchostname.test.vmware.net), peerCertDigest (), unverifiedAction (fail)
2012-09-24T22:18:46.549-04:00 [06108 info 'Default'] Thread attached
2012-09-24T22:18:46.627-04:00 [04280 trivia 'vmomi.soapStub[0]'] Request completed [class Vmacore::Http::UserAgentImpl::AsyncSendRequestHelper:000000000DF7FA68]
2012-09-24T22:18:46.627-04:00 [04584 trivia 'HttpConnectionPool-000001'] [DecConnectionCount] Number of connections to decremented to 0
2012-09-24T22:18:46.627-04:00 [04584 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Unexpected exception
2012-09-24T22:18:46.627-04:00 [04584 trivia 'VpxProfiler'] Ctr: TotalTime = 13353 ms
The following errors appear in the C:\Program Files\VMware\Infrastructure\SSOServer\utils\logs\discover-is.log log on the SSO server:
2012-09-24 23:40:49,962 - VCHOSTNAME.test.vmware.net,,,,Executing action: 'discover-is'
2012-09-24 23:40:49,962 - VCHOSTNAME.test.vmware.net,,,,Discovering identity sources
2012-09-24 23:40:50,942 - VCHOSTNAME.test.vmware.net,,,,ERROR: Bean (PrimaryCommandTarget) initialization failure
com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.
com.rsa.common.SystemException: Bean (PrimaryCommandTarget) initialization failure
com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.
Caused by: com.rsa.ims.components.ComponentFailureException: Unable to load bean named PrimaryCommandTarget
Note: You can run this command to see if error messages are still present in the discover-is.log:
C:\Program Files\VMware\Infrastructure\SSOServer\utils>ssocli.cmd configure-riat -a discover-is -u admin -p
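The two log signatures above can be checked together. The following is an added example, not from the original post or from VMware: it flags a vpxd "Init failed" error on a thread that was doing SSO work and confirms the RSA key-manager exception in discover-is.log. The sample lines are constructed from the excerpts above, and the verdict labels are hypothetical names.

```python
import re

# Constructed samples modelled on the excerpts above (whitespace normalised).
VPXD_LOG = """\
2012-09-24T22:18:46.534-04:00 [04584 info 'authvpxdMoSessionManager'] [SSO][SessionManagerMo::Init] Downloading STS Root certificates ...
2012-09-24T22:18:46.534-04:00 [04584 verbose '[SSO][SsoCertificateManagerImpl]'] [CreateAdminSsoServiceContent] Connecting to SSO Admin server ...
2012-09-24T22:18:46.627-04:00 [04584 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Unexpected exception
"""
DISCOVER_IS_LOG = """\
2012-09-24 23:40:50,942 - VCHOSTNAME.test.vmware.net,,,,ERROR: Bean (PrimaryCommandTarget) initialization failure
com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt.
"""

# timestamp [thread level 'tag'] message; the space before the tag is optional
# because pasted copies of the log often lose it.
VPXD_LINE = re.compile(r"^(\S+) \[(\d+) (\w+) ?'([^']*)'\] (.*)$")


def vpxd_sso_init_failures(text):
    """Return timestamps of 'Init failed' errors on threads that logged SSO activity."""
    in_sso, hits = {}, []
    for line in text.splitlines():
        m = VPXD_LINE.match(line)
        if not m:
            continue  # continuation lines such as backtrace frames
        ts, tid, level, tag, msg = m.groups()
        if "[SSO]" in tag or "[SSO]" in msg:
            in_sso[tid] = True
        elif level == "error" and "Init failed" in msg and in_sso.get(tid):
            hits.append(ts)
    return hits


def triage(vpxd_text, discover_text):
    """Return (verdict, timestamps); the verdict strings are hypothetical labels."""
    failures = vpxd_sso_init_failures(vpxd_text)
    if failures and "SystemModificationThresholdException" in discover_text:
        return "sso-secrets-locked", failures
    if failures:
        return "vpxd-sso-init-failed", failures
    return "no-match", []


if __name__ == "__main__":
    print(triage(VPXD_LOG, DISCOVER_IS_LOG))
```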
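Workaround:
Log in to the SSO server, run CMD (as administrator), and change to the following directory:
C:\Program Files\VMware\Infrastructure\SSOServer\Utils
Run the following command:
rsautil manage-secrets -a recover -m masterPassword
Replace masterPassword with the password of the admin@system-domain account.
Then restart the SSO service.
Finally, restart the vCenter service.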