Symptoms (as from KB)
- vCenter Server services are running, but a user that was previously able to log into vCenter Server no longer can
- A local admin account is able to log in, but domain users cannot
- You see this error:
A general system error occurred: Authorize Exception
Additionally
- Re-joining the domain does not help
- The primary (and secondary) Domain Controllers that were used before have been changed
- C:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\WEB-INF\classes\krb5.conf contains wrong (stale) kdc entries.
NB: Don't try to edit this file. It's automatically generated.
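As an added diagnostic (not from the original post or from VMware), the script below parses the kdc entries in that krb5.conf and reports the ones that are no longer among the Domain Controllers currently in service; it only reads the file. The sample configuration and all host names are constructed placeholders, and the list of current DCs is assumed to come from your own AD tooling.

```python
# Read-only check: parse the kdc entries of an SSO-generated krb5.conf and
# flag those that are no longer current Domain Controllers. Never edit the file.
import re
from typing import Dict, List

# Constructed sample of the [realms] section SSO generates; placeholder hosts.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = COMPANY.COM
[realms]
 COMPANY.COM = {
  kdc = olddc1.company.com:88
  kdc = olddc2.company.com:88
  admin_server = olddc1.company.com
 }
"""

def parse_kdcs(conf_text: str) -> Dict[str, List[str]]:
    """Return {REALM: [kdc host, ...]} from the [realms] section."""
    realms: Dict[str, List[str]] = {}
    section = current = None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if (m := re.match(r'^\[(\w+)\]$', line)):   # [section] header
            section = m.group(1)
            continue
        if section != 'realms':
            continue
        if (m := re.match(r'^(\S+)\s*=\s*\{$', line)):  # REALM = {
            current = m.group(1)
            realms.setdefault(current, [])
        elif line == '}':
            current = None
        elif current and (m := re.match(r'^kdc\s*=\s*([^:\s]+)', line)):
            realms[current].append(m.group(1).lower())  # strip :port
    return realms

def stale_kdcs(conf_text: str, current_dcs: List[str]) -> Dict[str, List[str]]:
    """KDC hosts in the file that are not among the DCs currently in service."""
    live = {h.lower() for h in current_dcs}
    return {realm: [k for k in kdcs if k not in live]
            for realm, kdcs in parse_kdcs(conf_text).items()}

if __name__ == '__main__':
    # Current DC list, e.g. from 'nltest /dclist:company.com' (placeholders here).
    print(stale_kdcs(SAMPLE_KRB5_CONF, ['newdc1.company.com', 'newdc2.company.com']))
```

A non-empty list for a realm means SSO will still try the decommissioned KDCs, which matches the "Authorize Exception" symptom described above.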
Cause
- The Single Sign-On service still uses the old DC name(s) when it binds to Active Directory
Resolution
- Install the vSphere Web Client (remember that you must use the admin@System-Domain username to connect it to SSO)
- Log in to the Web Client (https://vcenter.company.com:9443/vsphere-client/) using the SSO admin account, admin@System-Domain
- On the Administration page, select the Configuration menu under the Sign-on and Discovery section
- Select the desired identity source (type: Active Directory), click Edit and write down (or take a screenshot of) all of the connection options
I want to point out that in my case, changing the server URLs had no effect: no changes were saved after OK was pressed, so...
- Remove the old identity source and add a new one with the same parameters but with the new server URLs
- Done
Not important
To be honest, it was the most interesting issue of the last couple of months, mostly because every other issue I faced had already been solved by someone else, so every problem was solved by following the obvious scenario: problem -> logs -> google -> solution. This time I had to switch on my imagination, because all the solutions for the "Authorize Exception" problem suggested re-joining AD and/or fixing AD/DNS problems. So we spent several hours fixing non-existent problems.
Well, we knew that the Domain Controllers had been changed, but we completely forgot about SSO, and nobody knew/remembered that SSO uses its own configuration (based on MIT Kerberos) to bind to AD.
But even once the problem was located, I spent the next couple of hours examining SSO logs and trying to find where the AD discovery configuration could be changed. It's a pity that it can't be configured via some CLI (at least I didn't find anything).
I hope this article helps. If so, I would appreciate it if you would consider leaving a comment.