Some small things can have a big impact on the entire infrastructure. Time synchronization is one of them, which is why VMware recommends configuring an NTP server for your vSphere infrastructure (and, more generally, accurate time is a best practice, and frequently a hard requirement, for every component in the datacenter).
In vSphere 6, before you can add Active Directory as an identity source, you must join the Platform Services Controller (PSC) to the domain. This can be done from the Web Client or from the command line.
If you get this kind of error:
'A vCenter Single Sign-On service error occurred' faultDetail:'null'
Or
A server error occurred.
[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Status: urn:oasis:names:tc:SAML:2.0:status:Requester, sub status: null.
Check the vSphere Web Client server logs for details.
The first thing to check is time synchronization. Active Directory is sensitive to it because Kerberos rejects requests whose timestamps differ from the domain controller's clock by more than the configured tolerance (five minutes by default), so in a Windows environment you get assorted errors and authentication failures if the clocks are not synchronized correctly.
Connect to the PSC over SSH and check the current domain join status.
The join status output states it plainly: it is a time synchronization error. If you compare the current time on the PSC appliance with the time on the domain controller, you will find an offset between the two clocks.
This is how to correct it.
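To put a number on that clock offset before changing the NTP configuration, here is an added example (not code from the original post or from VMware) that sends a single SNTP request to the domain controller, which answers NTP on UDP/123 through the Windows Time service, and compares the reply with the local clock against the Kerberos default tolerance of five minutes. The DC name dc01.example.local is a placeholder, and the make_reply helper builds a constructed server reply so the parser can be exercised offline.

```python
#!/usr/bin/env python3
"""Check the clock skew between this host (for example the PSC appliance) and an
NTP server such as a domain controller, against the Kerberos default tolerance.
Added example for this post; not VMware code. Hostnames are placeholders."""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300       # Kerberos default maximum clock tolerance, in seconds


def build_request():
    """48-byte SNTP client request: LI=0, VN=3, mode=3 (client); everything else zero."""
    return b"\x1b" + b"\x00" * 47


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def parse_transmit_timestamp(packet):
    """Return the server's transmit timestamp (Unix time) from an SNTP reply,
    rejecting anything that is not a synchronised server response."""
    if len(packet) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(packet))
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if packet[1] == 0:  # stratum 0 = kiss-o'-death / unsynchronised server
        raise ValueError("server reports stratum 0; its time cannot be trusted")
    secs, frac = struct.unpack("!II", packet[40:48])
    return ntp_to_unix(secs, frac)


def clock_skew(server_time, local_time):
    """Positive result: the server is ahead of us; negative: we are ahead of it."""
    return server_time - local_time


def skew_ok(skew, tolerance=KERBEROS_MAX_SKEW):
    """True when the offset is inside what Kerberos will accept."""
    return abs(skew) <= tolerance


def query_skew(host, port=123, timeout=3.0):
    """Send one SNTP request to `host` and return our offset from it in seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_request(), (host, port))
        data, _ = sock.recvfrom(512)
        local_now = time.time()
    finally:
        sock.close()
    return clock_skew(parse_transmit_timestamp(data), local_now)


def make_reply(unix_time, stratum=2):
    """Constructed SNTP server reply for offline testing of the parser
    (mode 4, given stratum, transmit timestamp set to `unix_time`)."""
    secs = int(unix_time) + NTP_UNIX_DELTA
    frac = int((unix_time - int(unix_time)) * 2 ** 32)
    pkt = bytearray(48)
    pkt[0] = 0x1C  # LI=0, VN=3, mode=4 (server)
    pkt[1] = stratum
    pkt[40:48] = struct.pack("!II", secs, frac)
    return bytes(pkt)


if __name__ == "__main__":
    import sys
    # Hypothetical DC name; pass your own DC's FQDN as the first argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"
    try:
        offset = query_skew(dc)
    except (OSError, ValueError) as exc:
        sys.exit("could not get time from %s: %s" % (dc, exc))
    verdict = "OK" if skew_ok(offset) else "TOO LARGE for Kerberos"
    print("offset from %s: %+.3f s (%s)" % (dc, offset, verdict))
```

Run it from any host that can reach the domain controller on UDP/123, giving the DC's FQDN as the argument. An offset beyond 300 seconds explains the join and login errors quoted above; an offset of more than a few seconds is still worth fixing, because it will only grow until NTP is configured.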
Connect to the PSC using SSH and modify the time configuration as below. Point the appliance at the same time source your domain controllers use (or at the DCs themselves): what Kerberos needs is for the PSC and the DCs to agree, and two sources that are each accurate but different can still drift apart from one another.
Command> ntp.server.add --servers "0.pool.ntp.org,1.pool.ntp.org"
Command> timesync.set --mode NTP
Command> services.restart --name ntp
Enable and access the shell:
Command> shell.set --enabled True
Command> shell
Query the domain join status again.
The result is expected, as we haven't joined the domain yet.
Join the domain using the following command:
Reboot the PSC and check the domain join status again.
You should now be able to add your domain as an identity source.
Hi,
Thanks for the article. I just wanted to ask you a couple of questions.
To add AD as an identity source, which is the preferred method: AD as LDAP or as integrated?
Also, when you say "add PSC to domain": I understand that when you are trying to install PSC or VC, the server is joined to the domain and we install these services (PSC or VC) on them, so they get joined to the domain as well. Is my understanding not right?
Thanks
Hi Vaibhav,
Choosing an identity source depends on your needs, but the recommended way is configuring an AD (or other directory) service.
In my case I'm using the VCSA appliance with a separate PSC instance; the two are Linux-based appliances, so I needed to add the PSC appliance to the domain after installation.