vmware-archive / admiral

Container management solution with an accent on modeling containerized applications and provide placement based on dynamic policy allocation

Problem accessing Admiral service on VIC OVA deployment #157

Closed pdaigle closed 7 years ago

pdaigle commented 7 years ago

I have deployed the VIC OVA (build 1dc0021a) using DHCP.

After I enter the vCenter credentials, I cannot access the management portal:

[screenshot]

[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlRequestSender - SP alias for the login request is 192.168.100.122:8282
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Producing redirect url
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] WARN com.vmware.identity.websso.client.SiteAffinity - Failed to init CdcSession. likely due to missing vmafd jar. Message: com/vmware/identity/cdc/CdcFactory
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Added Renewable condition
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Added Delegable condition
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Destination URL: https://vcsa-01a.corp.local/websso/SAML2/SSO/vsphere.local
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Relay State value is: SessionId
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoResponseListener - You have POST'ed to Websso client library!
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Validating SAMLResponse..
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.ValidationState - Validating request destination: HttpservletRequest destination=https://192.168.100.122:8282/auth/psc/callback/tokenSAML message destination=https://192.168.100.122:8282/auth/psc/callback/token
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Validating optional request ID: _759b5671ba352d374c59f0c63eebdcb8
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Validating assertion..
[376][I][2017-08-11T15:50:24.634Z][286][HttpServletRequestImpl][breakHere][HttpServletRequestResponse]
[377][I][2017-08-11T15:50:24.637Z][286][HttpServletRequestImpl][breakHere][HttpServletRequestResponse]
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Parsing assertion..
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SamlUtils - Validate assertion condition with clock tolerance = 600
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - NameID: Administrator@CORP.LOCAL
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - NameIDFormat: http://schemas.xmlsoap.org/claims/UPN
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SamlUtils - Validate sessionNotOnOrAfter with clock tolerance = 600
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Successfully validated SSO Assertion
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Successfully validated received SAMLResponse
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - Message Data.Issuer: 'https://vcsa-01a.corp.local/websso/SAML2/Metadata/vsphere.local', Subject: 'Administrator@CORP.LOCAL', Session: '_81985f6701bc5f119b908f9f41600983', SessionId: 'SessionId'
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - Going to extract SAML token for 'Administrator@CORP.LOCAL'.
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [value=Administrator@CORP.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - SAML token successfully extracted.Issuer: 'https://vcsa-01a.corp.local/websso/SAML2/Metadata/vsphere.local', Subject: '{Name: Administrator, Domain: CORP.LOCAL}', Valid: 'Fri Aug 11 15:49:09 GMT 2017' - 'Fri Aug 11 15:54:09 GMT 2017', SamlSession: '_81985f6701bc5f119b908f9f41600983'
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - Attempts to authenticate extracted token for '{Name: Administrator, Domain: CORP.LOCAL}'
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] WARN com.vmware.vim.sso.client.impl.SiteAffinityServiceDiscovery - CDC not configured java.lang.NoClassDefFoundError: com/vmware/identity/cdc/CdcFactory
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [value=Administrator@CORP.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl - Successfully acquired token for user: {Name: Administrator, Domain: CORP.LOCAL}
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] WARN com.vmware.vim.sso.client.impl.SiteAffinityServiceDiscovery - CDC not configured java.lang.NoClassDefFoundError: com/vmware/identity/cdc/CdcFactory
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [value=Administrator@CORP.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl - Successfully renewed token for user: {Name: Administrator, Domain: CORP.LOCAL}
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - SAML HOK token successfully extracted.Issuer: 'https://vcsa-01a.corp.local/websso/SAML2/Metadata/vsphere.local', Subject: '{Name: Administrator, Domain: CORP.LOCAL}', Valid: 'Fri Aug 11 15:50:24 GMT 2017' - 'Sun Sep 10 15:50:24 GMT 2017', Session: '_81985f6701bc5f119b908f9f41600983'
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - SAML groups: '[{Name: Domain Admins, Domain: corp.local}, {Name: Domain Users, Domain: corp.local}, {Name: Group Policy Creator Owners, Domain: corp.local}, {Name: Schema Admins, Domain: corp.local}, {Name: Enterprise Admins, Domain: corp.local}, {Name: View Agent Direct-Connection Users, Domain: corp.local}, {Name: Denied RODC Password Replication Group, Domain: corp.local}, {Name: Administrators, Domain: vsphere.local}, {Name: Everyone, Domain: vsphere.local}]'
[378][I][2017-08-11T15:50:25.318Z][286][AbstractClient][dispose][Client was disposed successfully]
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] WARN com.vmware.vim.sso.client.impl.SiteAffinityServiceDiscovery - CDC not configured java.lang.NoClassDefFoundError: com/vmware/identity/cdc/CdcFactory
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [value=admiral-c22367d0-8a21-411f-84ae-ec1572a35999@vsphere.local, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl - Successfully acquired token for user: {Name: admiral-c22367d0-8a21-411f-84ae-ec1572a35999, Domain: vsphere.local}
[379][I][2017-08-11T15:50:25.643Z][286][AdminClientImpl][][Client was created successfully]
[380][I][2017-08-11T15:50:25.740Z][286][AdminClientImpl][][Client was created successfully]
[381][W][2017-08-11T15:50:25.794Z][25][8282/][processPendingServiceAvailableOperations][Service /auth/psc/sessions/e2c29d7c-d6b7-41a0-b9c4-0a8a962eb3e5-15dd1fd4ecc failed start: com.vmware.xenon.common.LocalizableValidationException: 'principalName' cannot be empty]

Issue is reproducible in my lab.
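
An added triage script for log excerpts like the one above (example code, not part of this issue or of the admiral project): it parses the two line formats the excerpt mixes (the websso client's `[node/thread] LEVEL logger - message` lines and xenon's `[seq][level][timestamp][thread][class][method][message]` lines) and pulls out what a responder checks first: the SP alias the request was sent for, whether the callback URL the assertion was POSTed to equals the Destination inside the assertion, who the assertion names, the groups returned, the holder-of-key token lifetime, and any service that failed to start. The `SAMPLE_LOG` inside is constructed for the example and only modelled on the issue's log; hostnames, addresses and identifiers are placeholders.

```python
"""Triage helper for Admiral/PSC SAML login logs like the excerpt in this issue.

Added example, not code from the admiral project. SAMPLE_LOG is constructed
for this example; its hosts, addresses and IDs are placeholders.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# websso client line: [<node-url>/<thread>] LEVEL <logger> - <message>
WEBSSO_RE = re.compile(r"^\[(?P<node>https?://[^/\]]+)/(?P<thread>[^\]]+)\]\s+"
                       r"(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")
# xenon host line: [seq][level][timestamp][thread][class][method][message]
XENON_RE = re.compile(r"^\[(?P<seq>\d+)\]\[(?P<level>[A-Z])\]\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\]"
                      r"\[(?P<cls>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$")
SP_ALIAS_RE = re.compile(r"SP alias for the login request is (?P<alias>\S+)")
# The log prints both destinations back to back with no separator ("...tokenSAML message...").
DEST_RE = re.compile(r"HttpservletRequest destination=(?P<req>\S+?)SAML message destination=(?P<msg>\S+)")
NAMEID_RE = re.compile(r"^NameID: (?P<nameid>\S+)$")
HOK_RE = re.compile(r"SAML HOK token successfully extracted\..*Valid: '(?P<frm>[^']+)' - '(?P<to>[^']+)'")
GROUPS_RE = re.compile(r"^SAML groups: '(?P<groups>.*)'$")
PRINCIPAL_RE = re.compile(r"\{Name: (?P<name>[^,]+), Domain: (?P<domain>[^}]+)\}")
FAILED_RE = re.compile(r"^Service (?P<svc>\S+) failed start: (?P<exc>.*)$")
TOKEN_TIME_FMT = "%a %b %d %H:%M:%S %Z %Y"  # e.g. 'Fri Aug 11 16:39:55 GMT 2017'


@dataclass
class LoginTriage:
    sp_alias: str = ""
    request_destination: str = ""
    message_destination: str = ""
    name_id: str = ""
    groups: List[str] = field(default_factory=list)
    hok_valid_from: str = ""
    hok_valid_to: str = ""
    hok_lifetime_days: int = 0
    warnings: List[str] = field(default_factory=list)
    failed_services: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def destination_matches(self) -> bool:
        # The assertion's Destination must equal the URL it was actually POSTed to.
        return bool(self.request_destination) and self.request_destination == self.message_destination

    @property
    def alias_matches_destination(self) -> bool:
        # The SP alias the appliance advertised should be the host the callback arrived on.
        return bool(self.sp_alias) and urlparse(self.request_destination).netloc == self.sp_alias


def parse_line(line: str) -> Optional[dict]:
    for fmt, rx in (("websso", WEBSSO_RE), ("xenon", XENON_RE)):
        m = rx.match(line)
        if m:
            return {"fmt": fmt, **m.groupdict()}
    return None


def triage(log_text: str) -> LoginTriage:
    t = LoginTriage()
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["level"] in ("WARN", "W"):
            t.warnings.append(msg)
        if rec["fmt"] == "xenon":
            m = FAILED_RE.match(msg)
            if m:
                t.failed_services.append((m["svc"], m["exc"]))
            continue
        if m := SP_ALIAS_RE.search(msg):
            t.sp_alias = m["alias"]
        elif m := DEST_RE.search(msg):
            t.request_destination, t.message_destination = m["req"], m["msg"]
        elif m := NAMEID_RE.match(msg):
            t.name_id = m["nameid"]
        elif m := HOK_RE.search(msg):
            t.hok_valid_from, t.hok_valid_to = m["frm"], m["to"]
            start = datetime.strptime(m["frm"], TOKEN_TIME_FMT)
            end = datetime.strptime(m["to"], TOKEN_TIME_FMT)
            t.hok_lifetime_days = (end - start).days
        elif m := GROUPS_RE.match(msg):
            t.groups = [f"{n}@{d}" for n, d in PRINCIPAL_RE.findall(m["groups"])]
    return t


def findings(t: LoginTriage) -> List[str]:
    """Machine-readable findings, in the order a responder should look at them."""
    out = []
    if t.failed_services:
        out.append("SERVICE_FAILED_START")  # a service refused to start after SSO succeeded
    if t.request_destination and not t.destination_matches:
        out.append("DESTINATION_MISMATCH")  # assertion delivered to a URL it was not issued for
    if t.sp_alias and not t.alias_matches_destination:
        out.append("SP_ALIAS_MISMATCH")     # advertised SP host differs from the callback host
    if any("CdcFactory" in w for w in t.warnings):
        out.append("CDC_UNAVAILABLE")       # site-affinity lookup disabled; noisy, not fatal
    return out


NODE = "[https://172.17.0.2:8282/ForkJoinPool-1-worker-0]"
SAMPLE_LOG = "\n".join([  # constructed sample, modelled on the issue's log
    NODE + " INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlRequestSender - SP alias for the login request is 192.0.2.10:8282",
    NODE + " WARN com.vmware.identity.websso.client.SiteAffinity - Failed to init CdcSession. likely due to missing vmafd jar. Message: com/vmware/identity/cdc/CdcFactory",
    NODE + " INFO com.vmware.identity.websso.client.ValidationState - Validating request destination: HttpservletRequest destination=https://192.0.2.10:8282/auth/psc/callback/tokenSAML message destination=https://192.0.2.10:8282/auth/psc/callback/token",
    NODE + " INFO com.vmware.identity.websso.client.SsoValidationState - NameID: Administrator@CORP.LOCAL",
    NODE + " INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - SAML HOK token successfully extracted.Issuer: 'https://vcsa.example.test/websso/SAML2/Metadata/vsphere.local', Subject: '{Name: Administrator, Domain: CORP.LOCAL}', Valid: 'Fri Aug 11 16:39:55 GMT 2017' - 'Sun Sep 10 16:39:55 GMT 2017', Session: '_feb5f7925759304cc64a30fcc76d69e7'",
    NODE + " INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - SAML groups: '[{Name: Domain Admins, Domain: corp.local}, {Name: Administrators, Domain: vsphere.local}]'",
    NODE + " WARN com.vmware.vim.sso.client.impl.SiteAffinityServiceDiscovery - CDC not configured java.lang.NoClassDefFoundError: com/vmware/identity/cdc/CdcFactory",
    "[339][I][2017-08-11T16:39:55.780Z][75][AdminClientImpl][][Client was created successfully]",
    "[341][W][2017-08-11T16:39:55.969Z][25][8282/][processPendingServiceAvailableOperations][Service /auth/psc/sessions/f4690e96-e93a-4ffc-b4fe-0fc752f81801-15dd22aa082 failed start: com.vmware.xenon.common.LocalizableValidationException: 'principalName' cannot be empty]",
])

if __name__ == "__main__":
    print(findings(triage(SAMPLE_LOG)))
```

Run against a log shaped like the one in this issue, the destination and SP-alias checks pass and the only finding besides the CDC noise is `SERVICE_FAILED_START`, which is what points away from the SAML exchange itself and at the session service.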

andrewtchin commented 7 years ago

I think this is related to the corp.local issue Anchal was seeing the other day. I just deployed this build and using vsphere.local creds Admiral comes up fine.

pdaigle commented 7 years ago

I re-deployed the OVA, making sure to use the administrator@vsphere.local user for the vCenter creds.

Here is the new log:

[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlRequestSender - SP alias for the login request is 192.168.100.123:8282
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Producing redirect url
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] WARN com.vmware.identity.websso.client.SiteAffinity - Failed to init CdcSession. likely due to missing vmafd jar. Message: com/vmware/identity/cdc/CdcFactory
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Added Renewable condition
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Added Delegable condition
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Destination URL: https://vcsa-01a.corp.local/websso/SAML2/SSO/vsphere.local
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender - Relay State value is: SessionId
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.endpoint.SsoResponseListener - You have POST'ed to Websso client library!
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Validating SAMLResponse..
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.ValidationState - Validating request destination: HttpservletRequest destination=https://192.168.100.123:8282/auth/psc/callback/tokenSAML message destination=https://192.168.100.123:8282/auth/psc/callback/token
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Validating optional request ID: _4498d533f2b290b10d2a19eafa1c346d
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Validating assertion..
[336][I][2017-08-11T16:39:54.388Z][75][HttpServletRequestImpl][breakHere][HttpServletRequestResponse]
[337][I][2017-08-11T16:39:54.392Z][75][HttpServletRequestImpl][breakHere][HttpServletRequestResponse]
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Parsing assertion..
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SamlUtils - Validate assertion condition with clock tolerance = 600
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - NameID: Administrator@CORP.LOCAL
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - NameIDFormat: http://schemas.xmlsoap.org/claims/UPN
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SamlUtils - Validate sessionNotOnOrAfter with clock tolerance = 600
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Successfully validated SSO Assertion
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.websso.client.SsoValidationState - Successfully validated received SAMLResponse
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - Message Data.Issuer: 'https://vcsa-01a.corp.local/websso/SAML2/Metadata/vsphere.local', Subject: 'Administrator@CORP.LOCAL', Session: '_feb5f7925759304cc64a30fcc76d69e7', SessionId: 'SessionId'
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - Going to extract SAML token for 'Administrator@CORP.LOCAL'.
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [value=Administrator@CORP.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - SAML token successfully extracted.Issuer: 'https://vcsa-01a.corp.local/websso/SAML2/Metadata/vsphere.local', Subject: '{Name: Administrator, Domain: CORP.LOCAL}', Valid: 'Fri Aug 11 16:38:39 GMT 2017' - 'Fri Aug 11 16:43:39 GMT 2017', SamlSession: '_feb5f7925759304cc64a30fcc76d69e7'
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - Attempts to authenticate extracted token for '{Name: Administrator, Domain: CORP.LOCAL}'
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] WARN com.vmware.vim.sso.client.impl.SiteAffinityServiceDiscovery - CDC not configured java.lang.NoClassDefFoundError: com/vmware/identity/cdc/CdcFactory
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [value=Administrator@CORP.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl - Successfully acquired token for user: {Name: Administrator, Domain: CORP.LOCAL}
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] WARN com.vmware.vim.sso.client.impl.SiteAffinityServiceDiscovery - CDC not configured java.lang.NoClassDefFoundError: com/vmware/identity/cdc/CdcFactory
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [value=Administrator@CORP.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl - Successfully renewed token for user: {Name: Administrator, Domain: CORP.LOCAL}
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - SAML HOK token successfully extracted.Issuer: 'https://vcsa-01a.corp.local/websso/SAML2/Metadata/vsphere.local', Subject: '{Name: Administrator, Domain: CORP.LOCAL}', Valid: 'Fri Aug 11 16:39:55 GMT 2017' - 'Sun Sep 10 16:39:55 GMT 2017', Session: '_feb5f7925759304cc64a30fcc76d69e7'
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.admiral.auth.idm.psc.saml.sso.authentication.SamlLogonProcessor - SAML groups: '[{Name: Domain Admins, Domain: corp.local}, {Name: Domain Users, Domain: corp.local}, {Name: Group Policy Creator Owners, Domain: corp.local}, {Name: Schema Admins, Domain: corp.local}, {Name: Enterprise Admins, Domain: corp.local}, {Name: View Agent Direct-Connection Users, Domain: corp.local}, {Name: Denied RODC Password Replication Group, Domain: corp.local}, {Name: Administrators, Domain: vsphere.local}, {Name: Everyone, Domain: vsphere.local}]'
[338][I][2017-08-11T16:39:55.427Z][75][AbstractClient][dispose][Client was disposed successfully]
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] WARN com.vmware.vim.sso.client.impl.SiteAffinityServiceDiscovery - CDC not configured java.lang.NoClassDefFoundError: com/vmware/identity/cdc/CdcFactory
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.identity.token.impl.SamlTokenImpl - SAML token for SubjectNameId [value=admiral-31c391a3-f557-46a4-8be6-eb78db070a58@vsphere.local, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[https://172.17.0.2:8282/ForkJoinPool-1-worker-0] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl - Successfully acquired token for user: {Name: admiral-31c391a3-f557-46a4-8be6-eb78db070a58, Domain: vsphere.local}
[339][I][2017-08-11T16:39:55.780Z][75][AdminClientImpl][][Client was created successfully]
[340][I][2017-08-11T16:39:55.887Z][75][AdminClientImpl][][Client was created successfully]
[341][W][2017-08-11T16:39:55.969Z][25][8282/][processPendingServiceAvailableOperations][Service /auth/psc/sessions/f4690e96-e93a-4ffc-b4fe-0fc752f81801-15dd22aa082 failed start: com.vmware.xenon.common.LocalizableValidationException: 'principalName' cannot be empty]

pdaigle commented 7 years ago

root@localhost [ /etc/vmware/psc/admiral ]# cat psc-config.properties
#Fri Aug 11 16:34:56 UTC 2017
admiral-url=https\://192.168.100.123\:8282
client=admiral
client-id=admiral-31c391a3-f557-46a4-8be6-eb78db070a58@VSPHERE.LOCAL
default-user-prefix=vicdef
domain-controller=vcsa-01a.corp.local
domain-controller.port=443
keystore.file=/etc/vmware/psc/admiral/psc-config.keystore
keystore.password=changeme
resource-server=rs_admiral
solution-user=admiral-31c391a3-f557-46a4-8be6-eb78db070a58
tenant=vsphere.local
version=6.0

sergiosagu commented 7 years ago

The underlying issue is: "com.vmware.xenon.common.LocalizableValidationException: 'principalName' cannot be empty", which seems to indicate that at some point you are trying or have tried to log in to the system with some user (administrator@corp.local?) who had no first name & last name set in AD/PSC. The fix is in progress.
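
The failure mode described in the comment above, as an added example (not Admiral's code, and not the fix the project shipped). The assumption, which the comment supports but the page does not show in code, is that the session's principalName was assembled from the first and last name the PSC returns for the user, so an account with both blank produced an empty principalName and the xenon session service rejected the document. The hardened builder prefers the display name, falls back to the asserted NameID (which the log shows is always present), and only rejects when both are empty. Names, the `PscIdentity` type and `start_session` are illustrative.

```python
"""Empty-principalName failure mode and a hardened variant. Added example; not Admiral code.

Assumption: principalName was built from first/last name attributes only, so a
directory user with both blank produced the "'principalName' cannot be empty"
rejection seen in the xenon log. Hardened form falls back to the SAML NameID.
"""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class PscIdentity:
    name_id: str            # SAML NameID / UPN from the assertion, e.g. Administrator@CORP.LOCAL
    first_name: str = ""    # directory attributes; either or both may be blank in AD
    last_name: str = ""


class PrincipalValidationError(ValueError):
    """Stands in for the LocalizableValidationException the session service raised."""


def principal_name_naive(identity: PscIdentity) -> str:
    """Display-name-only construction: empty when both name parts are blank."""
    name = f"{identity.first_name} {identity.last_name}".strip()
    if not name:
        raise PrincipalValidationError("'principalName' cannot be empty")
    return name


def principal_name_hardened(identity: PscIdentity) -> str:
    """Prefer the display name, fall back to the asserted subject, never accept empty."""
    parts = [p.strip() for p in (identity.first_name, identity.last_name)]
    name = " ".join(p for p in parts if p) or identity.name_id.strip()
    if not name:
        raise PrincipalValidationError("'principalName' cannot be empty")
    return name


def start_session(identity: PscIdentity, builder: Callable[[PscIdentity], str]) -> Dict[str, object]:
    """Simulates the session service start and returns the outcome instead of a stack trace."""
    try:
        return {"started": True, "principalName": builder(identity)}
    except PrincipalValidationError as exc:
        return {"started": False, "error": str(exc)}


if __name__ == "__main__":
    admin = PscIdentity("Administrator@CORP.LOCAL")  # no first/last name set, as in the issue
    print(start_session(admin, principal_name_naive))
    print(start_session(admin, principal_name_hardened))
```

The point of the fallback is that a user the identity provider has already authenticated should not be locked out by a cosmetic directory attribute; the asserted NameID is the identifier the rest of the flow already keys on.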

pdaigle commented 7 years ago

This is strange as I never used administrator@corp.local in this setup. I only used administrator@vsphere.local in the "Getting Started" page and then I never get the Admiral log in page (see screenshot in original post). I am not sure where it is getting this administrator@corp.local.

sergiosagu commented 7 years ago

The changes to fix the issue "com.vmware.xenon.common.LocalizableValidationException: 'principalName' cannot be empty" are in. Next OVA builds will contain the fix.