Today I have been setting up extensibility for a customers vRealize Automation vRA 6.2.1 Proof Of Concept Lab with an external vRO vRealize Orchestrator 6.0.1 server.
They require the ability to run custom workflows during machine provision (via vRA blueprints, not 'ASD' workflows), so I have therefore installed the vRA plugin (auto-installed on the in-built version of vRO that comes in the vRA appliace).
I was following the guide on Page 11 of VMware's Machine Extensibility doc (here), (which seems to be slightly different to the last time I did this on vRO 5.5 and vCAC 6.1), and got the below error in the vRO log;
com.vmware.o11n.plugin.dynamicops.ServiceException: HTTP/1.1 401 Unauthorized : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>401 - Unauthorized: Access is denied due to invalid credentials.</title><style type="text/css"><!--body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2> <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3> </fieldset></div></div></body></html> (Workflow:Add an IaaS host / Add a VCAC host (item0)#54020)
This was very strange, as I had already gone to https://<IAAS Server Hostname> and correctly authenticated when prompted (using the username administrator@domain.local and the corresponding password).
The solution?
In the vRO workflow presentation form - do NOT type the "Authentication User Name" on Page 2a as <user>@<domain> like I did - leave out the domain name;
i.e.
"administrator@domain.local" = BAD
"domain\administrator" = BAD
"administrator" = GOOD
The "Domain for NTLM authentication" field on Page 2B would be the correct place to type the user accounts domain - i.e. in this case "domain.local".
Although I worked this out in much less time than it has taken to write this post, I thought that it would be helpful to others, as it is not very well documented in the VMware Machine Extensibility PDF or the workflow form (surely the use of REGEX filtering would have cleared this up?).
No comments:
Post a Comment