Recently, I ran into a problem with vCenter web access using a DNS alias or short name, which failed with the following error message:
“[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server- An error occurred when processing meta data during vCenter Single Sign-On setup:the service provider validation failed. Verify that the server URL is correct and is in FQDN format, or that the hostname is a trusted service provider alias.”
To give you a little more context, I deployed a brand new vCenter.
In order to make it compliant with our security standards, I replaced the default self-signed vCenter machine SSL certificate with a SAN certificate signed by our enterprise CA (something very common and usually done by most of us…).
The SAN certificate contains DNS aliases to make access to vCenter more user-friendly, with a name that everyone will easily remember :).
Most interesting is the last part of the error message:
“Verify that the server URL is correct and is in FQDN format, or that the hostname is a trusted service provider alias.”
As explained in VMware KB 71387, vCenter behaviour changed in vSphere 7.0. Since that release, Single Sign-On only allows authentication when vCenter is reached by its FQDN, or by an IP address that reverse-resolves to that FQDN.
In short: any name other than the vCenter FQDN/IP used to log in to your vCenter does not work!
The KB provides the solution to add your DNS alias(es)/short name as “trusted alias”:
“To enable short name access to vCenter, add the desired shortname in webclient.properties file.”
https://kb.vmware.com/s/article/71387
After stopping the vSphere Client service (service-control --stop vsphere-ui), edit the webclient.properties file located in /etc/vmware/vsphere-ui/ and add the following line:
sso.serviceprovider.alias.whitelist=vcsa100, devcenter, devcenter.test.local
Obviously, you need to populate the alias whitelist with your desired aliases (comma separated).
Once done, start the vSphere Client service again (service-control --start vsphere-ui).
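The steps above done as a small POSIX shell script, as an added example that is not part of the original post or of VMware's tooling. It validates each alias as a plain hostname before touching the file (so a stray comma, space or quote cannot corrupt webclient.properties or silently widen the whitelist), replaces an existing sso.serviceprovider.alias.whitelist line instead of appending a duplicate when run twice, keeps a .bak copy, and only calls service-control when that command exists, so the file-editing part can be dry-run on any Linux box. The file path is assumed from the KB quoted above; the demo works on a constructed sample file, not a real appliance.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware.
# Idempotently set sso.serviceprovider.alias.whitelist in webclient.properties
# and bounce the vSphere Client service around the edit.

KEY="sso.serviceprovider.alias.whitelist"
# Assumed default location, from the KB referenced in the post.
PROPS="${PROPS:-/etc/vmware/vsphere-ui/webclient.properties}"

# Accept only hostname-shaped aliases: labels of letters, digits and inner
# hyphens, joined by dots. Rejects spaces, commas, quotes and other junk that
# would either break the properties file or end up as an unintended alias.
valid_alias() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Usage: set_alias_whitelist FILE ALIAS...
# Replaces an existing whitelist line or appends one; keeps FILE.bak.
set_alias_whitelist() {
  file="$1"
  shift
  [ "$#" -gt 0 ] || { echo "no aliases given" >&2; return 1; }
  list=""
  for a in "$@"; do
    valid_alias "$a" || { echo "invalid alias: $a" >&2; return 1; }
    list="${list:+$list, }$a"          # comma-separated, as the KB expects
  done
  cp -p "$file" "$file.bak"
  tmp="$(mktemp)"
  if grep -q "^${KEY}=" "$file"; then
    sed "s|^${KEY}=.*|${KEY}=${list}|" "$file" > "$tmp"
  else
    { cat "$file"; printf '%s=%s\n' "$KEY" "$list"; } > "$tmp"
  fi
  cat "$tmp" > "$file"                 # overwrite in place, keeping mode/owner
  rm -f "$tmp"
}

# Prints the current whitelist value, empty if the key is not set.
get_alias_whitelist() {
  sed -n "s|^${KEY}=||p" "$1"
}

# Full procedure on a VCSA: stop the client, edit, start. On a host without
# service-control only the file is edited, which makes this safe to dry-run.
apply_on_vcsa() {
  if ! command -v service-control >/dev/null 2>&1; then
    echo "service-control not found; editing $PROPS only" >&2
    set_alias_whitelist "$PROPS" "$@"
    return
  fi
  service-control --stop vsphere-ui
  set_alias_whitelist "$PROPS" "$@"
  service-control --start vsphere-ui
}

# Demo on a constructed sample properties file (not a real vCenter).
demo() {
  d="$(mktemp -d)"
  f="$d/webclient.properties"
  printf '%s\n' '# constructed sample file' 'refresh.rate=60' > "$f"
  set_alias_whitelist "$f" vcsa100 devcenter devcenter.test.local
  set_alias_whitelist "$f" vcsa100 devcenter devcenter.test.local  # no duplicate line
  get_alias_whitelist "$f"
  rm -rf "$d"
}

case "${1:-}" in
  demo) demo ;;
esac
```

Run it as `sh script.sh demo` to see the sample file edited, or source it on the appliance and call `apply_on_vcsa vcsa100 devcenter devcenter.test.local`. Keep the list to names your machine certificate actually carries in its SAN; the whitelist only tells SSO which names to accept, it does not make the browser trust them.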
vCenter web access using DNS alias or short name should now work fine!