Ninety days after deployment, you cannot log into a tenant or the identity store for a tenant disappears.

Problem

  • When you log in to a tenant, you see a blank page displayed with a Submit button in the upper left-hand corner.

  • You receive a System Exception error when accessing the tenant ID store configuration page.

  • The ID store configuration disappears.

  • You cannot log in to a tenant by using an LDAP account.

  • The catalina.out log located in /var/log/vmware/vcac/ shows an error similar to the following:

    12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to retrieve token: ns0:RequestFailed: Error occurred looking for solution user :: Insufficient access
    YYYY-03-18 12:40:49,201 [tomcat-http--34] [authentication] ERROR com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleUnexpectedException:820 - Failed trying to retrieve token: ns0:RequestFailed: Error occurred looking for solution user :: Insufficient access
    com.vmware.vim.sso.client.exception.InternalError: Failed trying to retrieve token: ns0:RequestFailed: Error occurred looking for solution user :: Insufficient access

  • The Identity Appliance messages log located in /var/log/ shows an error message similar to the following:

    T16:50:18-05:00 lsassd[2913]: GSSAPI Error: The referenced context has expired (Unknown error)
    T08:34:41-06:00 vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)
    T11:58:03-06:00 lsassd[2943]: GSSAPI Error: The referenced context has expired (Unknown error)....

    Account "cn=tenantadmin,cn=users,dc=qic" password expired and caused login/bind from IDM to fail.

    YYYY-03-18T11:38:46-06:00 denqca3vcacid01 vmdird: t@140689332778752: LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)
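To catch this condition before users report a blank login page, the following added example (not VMware code, and not taken from KB 2075011) scans entries in the format of the catalina.out and Identity Appliance messages lines quoted above, correlates vmdird expiry/lockout events for the internal tenantadmin account with the "Insufficient access" token failures in catalina.out, and reports the affected tenants. The sample log lines, the dates, the host name idm01 and the second blocked account svc-backup are constructed for the example.

```python
"""Detect the SSO tenant-administrator password-expiry signature in vRA logs.
Added example, not VMware's code. Log samples below are constructed to match
the entry formats quoted in the Problem section above."""
import re

# Constructed sample of /var/log/vmware/vcac/catalina.out entries (dates made up).
CATALINA_SAMPLE = """\
2015-03-18 12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to retrieve token: ns0:RequestFailed: Error occurred looking for solution user :: Insufficient access
2015-03-18 12:40:49,201 [tomcat-http--34] [authentication] ERROR com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleUnexpectedException:820 - Failed trying to retrieve token: ns0:RequestFailed: Error occurred looking for solution user :: Insufficient access
2015-03-18 12:42:10,004 [tomcat-http--12] [authentication] INFO com.example.Other - routine request completed
"""

# Constructed sample of Identity Appliance /var/log/messages entries
# (host "idm01" and the account "svc-backup" are made up).
MESSAGES_SAMPLE = """\
2015-03-18T08:34:41-06:00 idm01 vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)
2015-03-18T11:38:46-06:00 idm01 vmdird: t@140689332778752: LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)
2015-03-18T11:58:03-06:00 idm01 lsassd[2943]: GSSAPI Error: The referenced context has expired (Unknown error)
2015-03-18T12:01:00-06:00 idm01 vmdird: t@140689332778752: LoginBlocked DN (cn=svc-backup,cn=users,dc=vsphere.local), error (9239)(Account access blocked)
"""

# Patterns derived from the log lines quoted in the Problem section.
VMDIRD_EXPIRED = re.compile(r"vmdird: .*password expired\. \((?P<dn>[^)]+)\)")
VMDIRD_BLOCKED = re.compile(r"vmdird: .*LoginBlocked DN \((?P<dn>[^)]+)\), error \((?P<code>\d+)\)")
GSSAPI_EXPIRED = re.compile(r"lsassd\[\d+\]: GSSAPI Error: The referenced context has expired")
TOKEN_FAILURE = re.compile(r"Failed trying to retrieve token: .*solution user :: Insufficient access")


def tenant_from_dn(dn: str) -> str:
    """Join the dc= components of a vmdir DN, e.g. cn=tenantadmin,cn=users,dc=tenant -> 'tenant'."""
    return ".".join(p.split("=", 1)[1] for p in dn.split(",") if p.startswith("dc="))


def scan_identity_log(text: str) -> list:
    """Collect vmdird expiry/lockout events and lsassd context-expiry errors, in file order."""
    events = []
    for line in text.splitlines():
        if (m := VMDIRD_EXPIRED.search(line)):
            events.append({"kind": "password_expired", "dn": m["dn"],
                           "tenant": tenant_from_dn(m["dn"])})
        elif (m := VMDIRD_BLOCKED.search(line)):
            events.append({"kind": "login_blocked", "dn": m["dn"],
                           "tenant": tenant_from_dn(m["dn"]), "code": int(m["code"])})
        elif GSSAPI_EXPIRED.search(line):
            events.append({"kind": "gssapi_context_expired", "dn": None, "tenant": None})
    return events


def count_token_failures(text: str) -> int:
    """Number of STS token requests that failed with 'Insufficient access' on the solution user."""
    return sum(1 for line in text.splitlines() if TOKEN_FAILURE.search(line))


def diagnose(catalina_text: str, messages_text: str) -> dict:
    """Correlate both logs: an expired or blocked cn=tenantadmin DN plus token
    failures in catalina.out is the signature of the 90-day expiry described above."""
    events = scan_identity_log(messages_text)
    affected = sorted({e["tenant"] for e in events
                       if e["dn"] and e["dn"].lower().startswith("cn=tenantadmin,")
                       and e["kind"] in ("password_expired", "login_blocked")})
    failures = count_token_failures(catalina_text)
    return {
        "affected_tenants": affected,
        "token_failures": failures,
        "likely_tenant_admin_expiry": bool(affected) and failures > 0,
        "events": events,
    }


def diagnose_files(catalina_path: str = "/var/log/vmware/vcac/catalina.out",
                   messages_path: str = "/var/log/messages") -> dict:
    """Run the same correlation over the real log files (paths from the article)."""
    with open(catalina_path, errors="replace") as c, open(messages_path, errors="replace") as m:
        return diagnose(c.read(), m.read())


if __name__ == "__main__":
    report = diagnose(CATALINA_SAMPLE, MESSAGES_SAMPLE)
    for tenant in report["affected_tenants"]:
        print(f"tenant {tenant}: internal tenantadmin account expired or blocked")
    print(f"{report['token_failures']} STS token failures; "
          f"likely tenant-admin expiry: {report['likely_tenant_admin_expiry']}")
```

Only events for a DN beginning with cn=tenantadmin count toward the verdict, so an unrelated locked-out account (the constructed svc-backup line) is recorded in `events` but does not flag a tenant; a scheduled run of `diagnose_files()` on the Identity Appliance and vRA appliance gives early warning since the UI itself does not.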

Cause

The SSO internal tenant administrator password expires after 90 days by default. This issue is internal to vRealize Automation and does not affect external identity stores such as OpenLDAP or Active Directory.

It is a known issue that the vRealize Automation user interface does not provide notification that the tenant administrator password is expiring. The workaround for this issue is to disable password expiration for the tenant administrator account.

For step-by-step instructions to solve this issue, see the VMware knowledge base article at http://kb.vmware.com/kb/2075011.