
Error 400 when using LoadMaster to load balance VMware vCenter access

 

Information

 

Summary:

When using the LoadMaster to balance traffic to the vCenter Web User Interface (WUI), the following Error 400 message can be observed.

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: VMware vCenter

Question/Problem Description:

When load balancing access to VMware vCenter, the request fails with an error 400.

Steps to Reproduce:  
Error Message:

[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server. An error occurred when processing metadata during vCenter Single Sign-On setup, the service provider validation failed. Verify that the server URL is correct and is in FQDN format, or that the host name is a trusted service alias.

400.png

Defect Number:  
Enhancement Number:  
Cause: This issue arises because the FQDN used to access VMware vCenter is no longer the one vCenter expects: the connection is routed through the LoadMaster, so the request comes from the Virtual Service rather than directly from the client.
Resolution:

To resolve the issue, add an allowed alias to the vCenter and enable SSL re-encrypt with SNI hostname pass-through on the virtual service.

 

Set up a new virtual service on port 443.

Virtual Service --> Add New

 

Enable Persistence and configure it for Super HTTP.

Standard Options --> Persistence Options --> Mode --> Super HTTP

 

Configure the persistence timeout to be 30 minutes.

Standard Options --> Persistence Options --> Timeout --> 30 minutes

standard.png

 

Enable SSL offload with re-encrypt:

SSL Properties --> SSL Acceleration --> Enable --> Enable Reencrypt

 

Assign a valid SSL Certificate:

SSL Properties --> Choose Certificate from list --> Assign the Certificate --> Set Certificate

NOTE: For this step it is expected that a valid SSL certificate has already been imported and installed on the LoadMaster. For more information on how to import SSL certificates, please refer to the following link:

How To Import SSL Certificates To Your LoadMaster – Kemp Support (kemptechnologies.com)

 

Set best practices cipher:

SSL Properties --> Cipher Sets --> From the dropdown list select "BestPractices"

 

Enable SNI pass-through:

SSL Properties --> Pass-through SNI hostname --> Enable

 

Enable_SNI_and_re-encrypt.png

 

Next, configure the real server HTTPS health checks.

Real Servers --> Real Server Check Method --> Select "HTTPS Protocol" from the dropdown list.

 

Set the real server health checks to be on port 443:

Real Servers --> Checked Port --> 443

 

Configure the health check URL:

Real Servers --> URL --> /ui

 

Enable HTTP/1.1 and configure the HTTP/1.1 Host:

Real Servers --> Use HTTP/1.1

Real Servers --> HTTP/1.1 Host --> Enter the valid VMware vCenter host name.

real_server_health_checks.png

 

Finally add the real server to the virtual service.

 

vCenter aliases must also be edited in order to enable the use of short names.

Please Note: Make sure that a backup of the vCenter Server Appliance (VCSA) is created before making any of the following changes.

To enable short name access to vCenter, add the desired short name to the webclient.properties file.

  1. Log in to the vCenter Server via an SSH/PuTTY session as root, and enable the shell.
  2. Stop the vSphere client service using the command below:
     service-control --stop vsphere-ui
  3. Navigate to the vsphere-ui location to edit webclient.properties:
     cd /etc/vmware/vsphere-ui/
  4. Before editing, take a backup of webclient.properties using the command below:
     cp webclient.properties /var/tmp/webclient.properties.bak
  5. Add the desired short name under sso.serviceprovider.alias.whitelist:
     • vi webclient.properties
     • Type i to enter insert mode
     • Remove the comment (#) from sso.serviceprovider.alias.whitelist=
     • Add the short name (comma separated if there are multiple values)
     • Save and exit the vi editor by pressing Esc to exit insert mode, then typing :wq!
     • Example:
       sso.serviceprovider.alias.whitelist=vcsa70
  6. Start the vSphere client service:
     service-control --start vsphere-ui
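The same change can be applied without hand-editing in vi. The script below is an added example, not Kemp's or VMware's own tooling: it takes a backup, uncomments the key if it is commented out, merges the given short names into any value already present (so re-running it never produces duplicates), appends the key if the file lacks it, and refuses anything that is not a plain hostname. It assumes a POSIX shell with awk and cp; the key name, file location and service-control commands are the ones given in the procedure above, the alias names and file paths used in comments are constructed.

```shell
#!/bin/sh
# Added example (not Kemp's or VMware's code): idempotently set
# sso.serviceprovider.alias.whitelist in webclient.properties.
# Assumes POSIX sh with awk and cp; file path and aliases are passed in.

KEY='sso.serviceprovider.alias.whitelist'
# Matches the key line whether it is active or commented out with '#'.
# Written with [.] rather than \. so awk -v does not reinterpret backslashes.
KEY_RE='^[[:space:]]*#?[[:space:]]*sso[.]serviceprovider[.]alias[.]whitelist[[:space:]]*='

# get_alias_whitelist <properties-file>
# Prints the currently active (uncommented) whitelist value, empty if none.
get_alias_whitelist() {
    awk '/^[[:space:]]*sso\.serviceprovider\.alias\.whitelist[[:space:]]*=/ {
             print substr($0, index($0, "=") + 1); exit }' "$1"
}

# set_alias_whitelist <properties-file> <alias> [<alias> ...]
# Merges the aliases into the active whitelist (deduplicated, order kept),
# uncomments the key if needed, appends it if absent, prints the final line.
set_alias_whitelist() {
    file="$1"; shift
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no alias given" >&2; return 1; }
    # Only hostname characters are accepted; refuse before touching the file.
    for a in "$@"; do
        case "$a" in
            ''|*[!A-Za-z0-9.-]*) echo "invalid alias: '$a'" >&2; return 1 ;;
        esac
    done
    cp "$file" "$file.bak" || return 1   # backup beside the file (KB uses /var/tmp)
    current=$(get_alias_whitelist "$file")
    # Merge: existing values first, then new ones; blanks and duplicates dropped.
    merged=$(printf '%s\n' "$current" "$@" | tr ',' '\n' |
        awk '{ gsub(/^[[:space:]]+|[[:space:]]+$/, "") }
             NF && !seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 }
             END { print "" }')
    tmp="$file.tmp.$$"
    awk -v re="$KEY_RE" -v line="$KEY=$merged" '
        $0 ~ re { if (!done) { print line; done = 1 }; next }  # first hit replaced, later duplicates dropped
        { print }
        END { if (!done) print line }                          # key absent: append at the end
    ' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    echo "$KEY=$merged"
}

# The full procedure from the article, wrapped: stop the UI service, edit, start it.
# Run on the vCenter appliance as root, e.g.:  apply_vcenter_alias vcsa70
apply_vcenter_alias() {
    service-control --stop vsphere-ui || return 1
    set_alias_whitelist /etc/vmware/vsphere-ui/webclient.properties "$@" || return 1
    service-control --start vsphere-ui
}
```

Run `set_alias_whitelist` on a copy of the file first to confirm the resulting line is what you expect; `apply_vcenter_alias` then performs the stop, edit and start in one go, and leaves webclient.properties.bak next to the edited file so the change can be reverted.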
Workaround:  
Notes: VMware KB article: https://kb.vmware.com/s/article/71387
