Error 400 when using LoadMaster to load balance VMware vCenter access
Information
Summary: |
When using the LoadMaster to balance traffic to the vCenter Web User Interface (WUI), the following Error 400 message can be observed. |
Environment: |
Product: LoadMaster
Version: Any
Platform: Any
Application: VMware vCenter |
Question/Problem Description: |
When load balancing access to VMware vCenter through the LoadMaster, the request to the vSphere Client fails with an Error 400.
Steps to Reproduce: | |
Error Message: |
[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server. An error occurred when processing metadata during vCenter Single Sign-On setup, the service provider validation failed. Verify that the server URL is correct and is in FQDN format, or that the host name is a trusted service alias. |
Defect Number: | |
Enhancement Number: | |
Cause: | This issue arises because the host name used to reach vCenter is no longer vCenter's own FQDN: the connection is routed through the LoadMaster, so the request arrives from the Virtual Service and carries the Virtual Service host name. vCenter Single Sign-On validates the service provider against its FQDN and its configured trusted aliases, and a host name it does not recognise fails that validation with the error above. |
Resolution: |
To resolve the issue, add the host name used by clients as an allowed alias on the vCenter appliance, and enable SSL re-encryption with SNI hostname pass-through on the Virtual Service so that the host name the client presents is carried through to vCenter.
Set up a new Virtual Service on port 443: Virtual Services --> Add New
Enable persistence and set the mode to Super HTTP: Standard Options --> Persistence Options --> Mode --> Super HTTP
Set the persistence timeout to 30 minutes: Standard Options --> Persistence Options --> Timeout --> 30 minutes
Enable SSL offload with re-encryption: SSL Properties --> SSL Acceleration --> Enable --> Enable Reencrypt
Assign a valid SSL certificate: SSL Properties --> Choose Certificate from list --> Assign the Certificate --> Set Certificate. NOTE: this step expects that a valid SSL certificate has already been imported and installed on the LoadMaster. For more information on how to import SSL certificates, refer to the following link: How To Import SSL Certificates To Your LoadMaster – Kemp Support (kemptechnologies.com)
Set the best-practice cipher set: SSL Properties --> Cipher Sets --> select "BestPractices" from the dropdown list
Enable SNI pass-through: SSL Properties --> Pass-through SNI hostname --> Enable
Next, configure HTTPS health checks for the real server: Real Servers --> Real Server Check Method --> select "HTTPS Protocol" from the dropdown list
Set the health check port to 443: Real Servers --> Checked Port --> 443
Set the health check URL: Real Servers --> URL --> /ui
Enable HTTP/1.1 and set the HTTP/1.1 Host header: Real Servers --> Use HTTP/1.1 --> Enable; Real Servers --> HTTP/1.1 Host --> enter the valid VMware vCenter host name, so that the health check request carries a Host header vCenter accepts
Finally, add the real server (the vCenter appliance) to the Virtual Service.
vCenter aliases must also be edited in order to enable the use of short names (or any host name other than the vCenter FQDN, such as the Virtual Service name).
To enable short-name access to vCenter, add the desired short name to the webclient.properties file on the vCenter Server Appliance while the vsphere-ui service is stopped:
service-control --stop vsphere-ui
cd /etc/vmware/vsphere-ui/
# edit webclient.properties here and add the alias (see the VMware KB article under Notes for the exact property)
service-control --start vsphere-ui
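As an added example (not code from the Kemp article or from VMware), the following POSIX shell script performs the alias edit above in a repeatable way: it backs up webclient.properties, stops vsphere-ui, merges the alias into the whitelist property without creating duplicates or touching other settings, and starts the service again. The file path is the one from the steps above; the property name sso.serviceprovider.alias.whitelist and its comma-separated format are assumptions to confirm against VMware KB 71387 for your vCenter release, and the add_alias and get_aliases function names are mine.

```shell
#!/bin/sh
# Added example, not code from the Kemp article or from VMware: idempotently add a
# host name alias to the vSphere UI SSO alias whitelist on the vCenter Server
# Appliance, then restart vsphere-ui. Assumptions to verify against VMware KB 71387
# for your vCenter version: the file path below, and that the property is named
# sso.serviceprovider.alias.whitelist and holds a comma-separated list of names.
PROPS_FILE="${PROPS_FILE:-/etc/vmware/vsphere-ui/webclient.properties}"
PROP_KEY="sso.serviceprovider.alias.whitelist"

# add_alias FILE ALIAS: merge ALIAS into the PROP_KEY list in FILE.
# Adds the property if it is missing; leaves FILE untouched if ALIAS is already listed.
# Rejects anything that is not a plain host name so the properties file cannot be corrupted.
add_alias() {
    file="$1"; alias_name="$2"
    case "$alias_name" in
        ""|*[!A-Za-z0-9.-]*) echo "add_alias: invalid host name '$alias_name'" >&2; return 1 ;;
    esac
    tmp="$file.tmp.$$"
    awk -v key="$PROP_KEY" -v alias="$alias_name" '
        index($0, key "=") == 1 {
            found = 1
            val = substr($0, length(key) + 2)
            n = split(val, items, ",")
            # alias already present: keep the line exactly as it is
            for (i = 1; i <= n; i++) if (items[i] == alias) { print; next }
            out = (val == "") ? alias : val "," alias
            print key "=" out
            next
        }
        { print }
        END { if (!found) print key "=" alias }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_aliases FILE: print the current whitelist value (empty if the property is absent).
get_aliases() {
    awk -v key="$PROP_KEY" 'index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }' "$1"
}

# Usage on the appliance shell:  sh add_vcenter_alias.sh vcenter-lb.example.com
# Nothing below runs unless an alias is given, so the functions can be sourced and tested.
if [ -n "${1:-}" ]; then
    cp "$PROPS_FILE" "$PROPS_FILE.bak.$(date +%Y%m%d%H%M%S)"
    service-control --stop vsphere-ui
    add_alias "$PROPS_FILE" "$1"
    service-control --start vsphere-ui
    echo "$PROP_KEY=$(get_aliases "$PROPS_FILE")"
fi
```

Run it once per host name clients use (the short name and the Virtual Service FQDN), then check that https://<virtual-service-fqdn>/ui loads the vSphere Client without the 400 error. The backup copy lets you roll back the properties file if the vsphere-ui service fails to start.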
|
Workaround: | |
Notes: | VMware KB article: https://kb.vmware.com/s/article/71387 |