Possible pitfall - duplicate config_admin users - Using vRSLCM as deployment engine

Some days ago, when vRA 8.2 Patch 1 came along, we decided to create a new test environment to see the upgrade process. It went rather smoothly, as this is not the first environment to be deployed with vRSLCM.

After a few minutes of preparing vRSLCM, the deployment went well; we logged on to the new environment and then proceeded to install vRA 8.2 Patch 1.


Now all went rather smoothly and we were pleased with the result.
Sometime during the last few days, vIDM was also patched to 3.3.3.


And all of a sudden we lost access to our little test environment.
As it was only there to test the upgrade to Patch 1, it was not a large issue, but strange nevertheless.
In this test environment, we did not set up any other access roles besides the default config_admin user.
We could log in with it, but we had no access to any resources. It felt very weird that the config_admin in the System Domain had lost all access.

This is when I made the startling discovery that in our vIDM environment there were indeed two config_admin users.

We then tried to log in to our first vRA 8.2 environments, where we had plundered around for a few weeks now. Here too we had lost access to all items, and from the vRA console I could also see there were indeed two config_admin users, one with entitlements and the other without any access rights.

Luckily, in our "dev" environment we had set up access roles for our directory users.
We had to delete one of the config_admin users. I went on to delete the one that was probably tied to our test environment, so we had to scratch that and redo it.

Lesson learned: always set up identity control.

Now, how and when the second config_admin user appeared, we aren't sure.
The prime suspect is that vRSLCM created a new one (even though that should be impossible).
If not, it's vIDM that somehow got messed up while patching.

We will try to deploy a new vRA 8 test environment and monitor vIDM more closely this time.

Comments

  1. Second time around, we did not get a duplicate config_admin user. Possibly this was a PGSQL sync issue on the vIDM nodes, as we had a support case going for a reported sync issue here.
