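Problem: What we are trying to do
When attempting to log in to vCenter with the VMware vSphere Client, using either Windows session credentials or manually supplied credentials (DOMAIN\Username), we receive the following error:
The vSphere Client could not connect to "vCenter". The server "vCenter" took too long to respond. (The command has timed out as the remote server is taking too long to respond.)
The viclient-#-0000.log contains the following: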
[viclient:Critical:M:12] 2014-03-04 15:49:59.008 Connection State[vCenter]: Disconnected
[viclient:SoapMsg :M:12] 2014-03-04 15:49:59.009 Attempting graceful shutdown of service ...
[viclient:SoapMsg :M:12] 2014-03-04 15:49:59.010 Pending Invocation Count: 0
[viclient:SoapMsg :M:12] 2014-03-04 15:49:59.011 Graceful shutdown of service: Success
[ :Error :M:12] 2014-03-04 15:49:59.018 Error occured during login
VirtualInfrastructure.Exceptions.LoginError: The server 'vCenter' took too long to respond. (The command has timed out as the remote server is taking too long to respond.)
at VirtualInfrastructure.LoginMain.Process(BackgroundWorker worker, DoWorkEventArgs e)
at VirtualInfrastructure.LoginWorkerImpl.Worker_DoWork(Object sender, DoWorkEventArgs e)
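Looking at the vSphere SSO logs shows no recent activity, except for the following in ssoAdminServer.log which, by my reading, indicates that the identity source lookup succeeded: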
name = kcelliott,
domain = ad.state.gov
inherited from com.vmware.vim.binding.sso.PrincipalId@2fa38f3c
[2014-03-04 16:58:36,301 INFO opID=10C1719C-00000005-54 pool-13-thread-10 com.vmware.vim.sso.admin.vlsi.PrincipalDiscoveryServiceImpl] Vmodl method 'PrincipalDiscoveryService.findPersonUser' invoked by [ User {Name: vCenterServer_2013.12.19_140038, Domain: System-Domain} with role RegularUser] [caller:/10.5.216.251] Find person user {Name: kcelliott, Domain: ad.state.gov}
[2014-03-04 16:58:36,310 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DefaultCommandExecutor] Command com.rsa.admin.SearchIdentitySourcesCommand was executed successfully
[2014-03-04 16:58:36,318 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DefaultCommandExecutor] Command {'com.rsa.admin.LookupIdentitySourceCommand', 'com.rsa.admin.LookupIdentitySourceCommand', 'com.rsa.admin.LookupIdentitySourceCommand', 'com.rsa.admin.LookupIdentitySourceCommand', 'com.rsa.admin.LookupIdentitySourceCommand'} was executed successfully
[2014-03-04 16:58:36,318 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DomainManagementImpl] Got external domain: ad1.state.us
[2014-03-04 16:58:36,318 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DomainManagementImpl] Got external domain: ad2.local
[2014-03-04 16:58:36,318 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DomainManagementImpl] Got external domain: ad3.local
[2014-03-04 16:58:36,318 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DomainManagementImpl] Got external domain: ad.state.gov
[2014-03-04 16:58:36,318 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DomainManagementImpl] Got external domain: ad4.alaska.local
[2014-03-04 16:58:36,318 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.impl.KeepAlive] Pinging domain ad5.local
[2014-03-04 16:58:36,322 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DefaultCommandExecutor] Command com.rsa.admin.SearchIdentitySourcesCommand was executed successfully
[2014-03-04 17:00:06,215 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DefaultCommandExecutor] Command com.rsa.admin.SearchPrincipalsCommand was executed successfully
[2014-03-04 17:00:06,215 WARN opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DefaultCommandExecutor] Command 'com.rsa.admin.SearchPrincipalsCommand' executed for 89892 millis
[2014-03-04 17:00:06,215 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.impl.KeepAlive] Ping result: null
[2014-03-04 17:00:06,215 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.impl.KeepAlive] Pinging domain ad5.local
[2014-03-04 17:00:06,221 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DefaultCommandExecutor] Command com.rsa.admin.SearchIdentitySourcesCommand was executed successfully
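Attempted solutions: How we tried to fix it
This seems related to VMware KB 2038918 and VMware KB 2037408. I tried following the resolution path of VMware KB 2038918 by connecting to the vSphere Web Client with the SSO administrator account (admin@system-domain) and adjusting the Base DN for groups to be narrower rather than the base of the domain, in case we were hitting a timeout when performing group enumeration. This did not resolve the problem, but I was able to test the connection successfully. However, the Web Client seems to just crawl; for example, it took more than three minutes to open the "Edit Identity Source" dialog window.
VMware KB 2037408 does not seem to apply to our situation, because authentication fails regardless of whether we use Windows session credentials or I manually supply my Active Directory credentials.
I restarted the VMware vCenter service, but the problem was still not resolved, so I restarted the entire vCenter server. That did not fix the problem either.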
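Environment: Our stuff, whose breakage is sacred
Authentication fails for both the vSphere Client and the vSphere Web Client, from my workstation and locally on the vCenter server. Authentication fails for multiple users. I have verified that all users attempting to authenticate are members of the vCenter administrators group (via membership in the local Administrators group on the Windows server where vCenter is installed).
I can successfully ping the domain controllers used as identity sources and connect to their LDAPS port.
The host server does not show any undue resource consumption.
We have not made any changes to the vSphere installation, but we do not manage or have visibility into our directory services (although I can't imagine what changes there would break vCenter SSO).
We are using vSphere 5.1.0 Build 1063329. I am using Firefox 27 and Adobe Flash 12.0.0.70 with the vSphere Web Client. vCenter's host operating system is Windows Server 2008 R2 SP1, with MS SQL 2012 SP1.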
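Answer 1
It turns out that when we installed vCenter's SSO, it automatically detected every Active Directory domain it could find. Many of our departments run and manage their own Active Directory domains rather than using the central enterprise Active Directory domain that we use. This meant we had six fairly large Active Directory domains in SSO's identity sources (Administration > Sign-On and Discovery > Configuration).
Removing the unnecessary identity sources resolved the problem.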
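To see which identity source is stalling before deciding what to remove, the KeepAlive entries in ssoAdminServer.log can be timed per domain. This is an added example, not part of the original question or answer; the function name and the 30-second threshold are assumptions of this sketch, and the sample lines are copied from the log excerpt in the question.

```python
import re
from datetime import datetime

# Lines copied from the ssoAdminServer.log excerpt in the question above.
SAMPLE_LOG = """\
[2014-03-04 16:58:36,318 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.impl.KeepAlive] Pinging domain ad5.local
[2014-03-04 16:58:36,322 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DefaultCommandExecutor] Command com.rsa.admin.SearchIdentitySourcesCommand was executed successfully
[2014-03-04 17:00:06,215 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DefaultCommandExecutor] Command com.rsa.admin.SearchPrincipalsCommand was executed successfully
[2014-03-04 17:00:06,215 WARN opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.ims.impl.DefaultCommandExecutor] Command 'com.rsa.admin.SearchPrincipalsCommand' executed for 89892 millis
[2014-03-04 17:00:06,215 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.impl.KeepAlive] Ping result: null
[2014-03-04 17:00:06,215 DEBUG opID= DomainKeepAliveThread com.vmware.vim.sso.admin.server.impl.KeepAlive] Pinging domain ad5.local
"""

# [timestamp LEVEL header] message
LINE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+([^\]]*)\] (.*)$")
SLOW = re.compile(r"Command '([^']+)' executed for (\d+) millis")

def slow_keepalive_pings(log_text, threshold_s=30.0):
    """Return one record per KeepAlive ping that took longer than threshold_s."""
    findings, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or "DomainKeepAliveThread" not in m.group(3):
            continue  # other threads, stack traces, wrapped lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        msg = m.group(4)
        if msg.startswith("Pinging domain "):
            # A new ping starts; remember the domain and when it began.
            pending = {"domain": msg.split()[-1], "start": ts, "slow_commands": []}
        elif pending and (s := SLOW.search(msg)):
            # WARN lines name the directory command that ran long.
            pending["slow_commands"].append((s.group(1), int(s.group(2))))
        elif pending and msg.startswith("Ping result: "):
            elapsed = (ts - pending["start"]).total_seconds()
            if elapsed > threshold_s:
                findings.append({"domain": pending["domain"], "seconds": elapsed,
                                 "result": msg[len("Ping result: "):],
                                 "slow_commands": pending["slow_commands"]})
            pending = None
    return findings

if __name__ == "__main__":
    for f in slow_keepalive_pings(SAMPLE_LOG):
        print(f"{f['domain']}: ping took {f['seconds']:.1f}s, "
              f"result={f['result']}, slow={f['slow_commands']}")
```

A ping that is still in flight at the end of the file, like the last sample line, is not reported because it has no matching "Ping result" entry yet.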