Whilst setting up a lab environment to do some research for a customer workshop, I hit an issue trying to add my vRA instance into vROps so that I could monitor the environment. I had already successfully added vROps to vRA.
When creating the vRA integration, I could enter all the details into the form. When pressing the VALIDATE CONNECTION button, I was presented with the untrusted SSL certificate from vRA to accept. After accepting it, however, I just got the error message “Unable to login to CAS system using provided credentials”.
I double-checked that the account I was using had the correct password and permissions by logging in to vRA with it and checking the documentation. I tried using an Active Directory backed account and the main admin account, which was local to the Identity Manager appliance (to which both vRA and vROps were connected), and received the same error each time.
After searching internally, I came across a Slack message from someone who had a customer ticket reporting exactly the same error and conditions. There was a link to the ticket, which provided a set of resolution steps. I couldn’t follow the steps exactly as this was a nested lab environment where I had no access to the vRealize Suite Lifecycle Manager instance that managed the products. I have included those steps for reference.
Always double-check with VMware support before performing these steps, and make sure you have backups, etc., of any content as well as of the servers.
Steps to check if you have the same issue:
The issue is not with the user credentials but with the identity service client. Check if the identity service client credentials are available in Identity Manager:
1. SSH to the vRA appliance as root and run the command
2. From the response, get the ClientIDUser and ClientSecret values. The response will include a section like the one below.
3. Log in to the Identity Manager admin page with the administrator user (configadmin or similar).
4. Navigate to <Identity Manager FQDN>/SAAS/admin/settings/manageOAuthClients
5. In the Remote App Access table, check if the ClientIDUser retrieved from vRA in step 2 is listed. Click on the name in the table to open the details page.
6. Check if the Shared Secret value matches the ClientSecret value retrieved from vRA in step 2.
In my lab, the user was present with the correct secret. I performed steps 3-5 in the resolution only. Steps 1-5 should be performed if the user is not present.
1. Take snapshots and/or backups of the Identity Manager and vRA appliances.
2. Log in to the vRealize Suite Lifecycle Manager and re-trust the Identity Manager.
3. SSH to vRA as root and run /opt/scripts/deploy.sh, then wait for it to complete successfully, which takes a few minutes.
4. Log in to vRA as the user you want to authenticate the connection from vROps with. You should be able to log in successfully, and the permissions should match what you had set previously.
5. Log in to vROps and configure the integration to vRA with this user account. It should now complete successfully. Note that when using an Active Directory user account, you do not need to specify the domain as part of the username if this domain is synched as an Identity Manager directory.