Vmware.vmware and VCF9 SSO compatibility

Curious if the vmware.vmware collection is known to support VCF 9 and SSO login that uses LDAP behind the scenes.

In my vSphere 8 environment we use domain\username format for task usernames and it works fine with LDAPs authentication.

We have a VCF 9 lab setup with SSO that is using the same LDAPs for authentication.

On a task that uses community.vmware I had to change to username@domain.com format and then the tasks worked as expected. vmware.vmware collection fails on both combinations with odd errors that I’m not even sure if they are authentication related.

fatal: [vcf9.domain.com -> localhost]: FAILED! => {"attempts": 3, "changed": false, "module_stderr": "/usr/local/lib/python3.12/site-packages/vmware/vapi/l10n/bundle.py:59: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.\n  from pkg_resources import resource_string\nTraceback (most recent call last):\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/clients/rest.py\", line 152, in __create_client_connection\n  File \"/usr/local/lib/python3.12/site-packages/vmware/vapi/vsphere/client.py\", line 191, in create_vsphere_client\n    return VsphereClient(session=session, server=server, username=username,\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/local/lib/python3.12/site-packages/vmware/vapi/vsphere/client.py\", line 124, in __init__\n    self.session_id = session_id if session_id else session_svc.create()\n                                                    ^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/local/lib/python3.12/site-packages/com/vmware/cis_client.py\", line 206, in create\n    return self._invoke('create', None)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/local/lib/python3.12/site-packages/vmware/vapi/bindings/stub.py\", line 393, in _invoke\n    return self._api_interface.native_invoke(ctx, _method_name, kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/local/lib/python3.12/site-packages/vmware/vapi/bindings/stub.py\", line 346, in native_invoke\n    raise api_error\ncom.vmware.vapi.std.errors_client.Unauthenticated: {challenge : SIGN 
realm=\"54:60:79:40:BB:B9:B5:E5:6F:7B:01:F8:B9:4F:F4:B5:A3:39:F1:1A\",sts=\"https://vcf9.domain.com/sts/STSService/vsphere.local\", Basic realm=\"vCenter\", messages : [], data : None, error_type : UNAUTHENTICATED}\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1766091656.203309-32797-175244772280330/AnsiballZ_vcsa_settings.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1766091656.203309-32797-175244772280330/AnsiballZ_vcsa_settings.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1766091656.203309-32797-175244772280330/AnsiballZ_vcsa_settings.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.vmware.vmware.plugins.modules.vcsa_settings', init_globals=dict(_module_fqn='ansible_collections.vmware.vmware.plugins.modules.vcsa_settings', _modlib_path=modlib_path),\n  File \"<frozen runpy>\", line 226, in run_module\n  File \"<frozen runpy>\", line 98, in _run_module_code\n  File \"<frozen runpy>\", line 88, in _run_code\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/modules/vcsa_settings.py\", line 618, in <module>\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/modules/vcsa_settings.py\", line 605, in main\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/modules/vcsa_settings.py\", line 273, in __init__\n  File 
\"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/_module_rest_base.py\", line 29, in __init__\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/clients/rest.py\", line 63, in __init__\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/clients/rest.py\", line 102, in connect_to_api\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/clients/rest.py\", line 162, in __create_client_connection\nansible_collections.vmware.vmware.plugins.module_utils.clients.errors.ApiAccessError: Failed to connect to vCenter or ESXi API at vcf9.domain.com:443 : {challenge : SIGN realm=\"11:22:33\",sts=\"https://vcf9.domain.com/sts/STSService/vsphere.local\", Basic realm=\"vCenter\", messages : [], data : None, error_type : UNAUTHENTICATED}\n", "module_stdout": "", "msg": "MODULE FAILURE: No start of json char found\nSee stdout/stderr for the exact error", "rc": 1}

ansible [core 2.18.12]
community.vmware 5.10.0
vmware.vmware 2.6.0


Can you provide an example of a community module that works? Community uses the same client code as vmware.vmware (can’t remember what version changed that though), so I would expect them to act the same.

It would also be useful to know what versions of the relevant Python packages you have.

This works with username@domain.com

    - name: VMware vCenter Advanced Settings
      # Found in HTML5, Host view, click on vCenter, Configure, General, Settings
      community.vmware.vmware_vcenter_settings:
        hostname: "{{ inventory_hostname }}"
        username: "{{ vcenter_user }}"
        password: "{{ vcenter_password }}"
        validate_certs: "{{ vmware_validate_certs }}"
        database:
          max_connections: 50
          task_cleanup: true
          task_retention: 15
          event_cleanup: true
          event_retention: 15
      delegate_to: localhost

This fails with both domain\username and username@domain.com with the error above

    - name: Network Proxy - HTTP
      vmware.vmware.vcsa_settings:
        hostname: "{{ inventory_hostname }}"
        username: "{{ vcenter_user }}"
        password: "{{ vcenter_password }}"
        validate_certs: "{{ vmware_validate_certs }}"
        proxy:
          - enabled: true
            protocol: http
            url: "{{ http_proxy }}"
            port: "{{ http_proxy_port }}"
      delegate_to: localhost
      when: http_proxy is defined

Hopefully relevant python modules:

ansible-compat                             25.12.0
ansible-core                               2.18.12
cryptography                               43.0.3
pyvmomi                                    9.0.0.0
vmware-vapi-common-client                  2.61.2
vmware-vapi-runtime                        2.61.2
vmware-vcenter                             9.0.0.0

When the inventory_hostname is a vCenter 8.0 U3 it all works as expected with the same EE.

The community module is just using pyvmomi, while the vmware.vmware module is using the REST SDKs. I think that explains the difference in behavior.

I don't have access to a vSphere 9 deployment (or 8 for that matter), but I do see some docs indicating that the authentication mechanisms in the SDKs have changed with the release of vcf-sdk. The REST SDK (and I'm guessing pyvmomi, but can't be bothered to check) explicitly says that vcf-sdk is the path forward for vSphere 9 and beyond.

You might want to try just installing vcf-sdk in a virtual environment (instead of pyvmomi, vmware-*) and seeing if that works. vcf-sdk has not really been tested in vmware.vmware, but it is on the roadmap for the next major release. I did some testing locally and haven't run into issues.


I’ve started to use code from vmware.vmware in community.vmware 6.0.0. And I’m not sure if I’ve really changed this everywhere… but I should say in most places. However, 5.x still uses its own code to log in. It would be interesting to see if we run into the same issue with 6.x. I would also expect the same behavior then, too.

As far as I understand, vcf-sdk is some kind of meta-package that pulls in pyvmomi and other packages via dependencies. It doesn’t provide any code by itself. It’s a convenient way to get all the Python packages you need to automate VCF:

$ pip show vcf-sdk | grep Requires:
Requires: pyvmomi, vcf_installer, vmware_sddc_manager, vmware_vcenter, vmware_vsan_data_protection

But I might be wrong there and it contains at least some code.

Unfortunately I don’t have a VCF 9 environment to test with ATM, though.


I still haven’t been able to figure out how to get vmware.vmware to connect to VCF 9 with SSO enabled.

We are using the SSO appliances for more redundancy, and today I found out that there are extra steps for PowerShell to be able to authenticate in this scenario:
Using VCF Single Sign-On to Access vCenter using PowerCLI

I’m not sure if the API and Ansible/Python also need similar changes.

I might see if we can configure our lab with the embedded mode to see if that gets us past this hurdle in the immediate future.

Any thoughts on next steps for getting VCF 9 support? We aren’t likely to be able to switch to VCF 9 without our existing Ansible automation being supported. I’m sure VMware will push VCF Automation instead, but that would involve reworking multiple automations.

Based on the article about PowerCLI and SSO, we changed our lab from the SSO Appliance model to the Embedded model and the tasks still failed, but the message is now different and makes it clearer that it is an authentication issue.

[ERROR]: Task failed: Module failed: Failed to connect to vCenter or ESXi API at labvcenter.domain.com:443 : {challenge : SIGN realm="XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX",sts="https://labvcenter.domain.com/sts/STSService/vsphere.local", Basic realm="vCenter", messages : [], data : None, error_type : UNAUTHENTICATED}

Task failed: Module failed.
Origin: /runner/VMware/vcenter_configuration.yml:89:7

87         - advanced_settings
88
89     - name: VCSA Configuration
         ^ column 7

<<< caused by >>>

Failed to connect to vCenter or ESXi API at labvcenter.domain.com:443 : {challenge : SIGN realm="XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX",sts="https://labvcenter.domain.com/sts/STSService/vsphere.local", Basic realm="vCenter", messages : [], data : None, error_type : UNAUTHENTICATED}

fatal: [labvcenter.domain.com -> localhost]: FAILED! => {"changed": false, "msg": "Task failed: Module failed: Failed to connect to vCenter or ESXi API at labvcenter.domain.com:443 : {challenge : SIGN realm=\"XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX\",sts=\"https://labvcenter.domain.com/sts/STSService/vsphere.local\", Basic realm=\"vCenter\", messages : [], data : None, error_type : UNAUTHENTICATED}"}
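To make the UNAUTHENTICATED errors quoted in this thread easier to read, here is a small parser that pulls the target host, the error_type and the authentication schemes the vCenter advertised (the SIGN challenge with its STS URL, and Basic) out of the message. This is an added example, not code from the vmware.vmware collection; the sample error string is constructed in the shape of the ones above, with placeholder realm and hostname values.

```python
import re

# Constructed sample with the same shape as the errors quoted in this thread;
# the realm fingerprint and hostname are placeholders, not real values.
SAMPLE_ERROR = (
    'Failed to connect to vCenter or ESXi API at labvcenter.domain.com:443 : '
    '{challenge : SIGN realm="XX:XX:XX:XX",'
    'sts="https://labvcenter.domain.com/sts/STSService/vsphere.local", '
    'Basic realm="vCenter", messages : [], data : None, '
    'error_type : UNAUTHENTICATED}'
)

HOST_RE = re.compile(r'API at (?P<host>\S+)\s*:')
CHALLENGE_RE = re.compile(r'challenge\s*:\s*(?P<body>.*?),\s*messages\s*:', re.S)
ERROR_TYPE_RE = re.compile(r'error_type\s*:\s*(?P<etype>[A-Z_]+)')
# A token is either key="value" or a bare scheme name such as SIGN or Basic.
TOKEN_RE = re.compile(r'(?:(?P<key>\w+)="(?P<val>[^"]*)"|(?P<scheme>\w+))[,\s]*')


def parse_vapi_auth_error(text):
    """Return host, error_type and the auth schemes the server advertised."""
    # The same message also appears JSON-escaped inside Ansible's "fatal:" line.
    text = text.replace('\\"', '"')
    result = {"host": None, "error_type": None, "schemes": {}}
    m = HOST_RE.search(text)
    if m:
        result["host"] = m.group("host")
    m = ERROR_TYPE_RE.search(text)
    if m:
        result["error_type"] = m.group("etype")
    m = CHALLENGE_RE.search(text)
    if not m:
        return result
    current = None
    for tok in TOKEN_RE.finditer(m.group("body")):
        if tok.group("scheme"):
            current = tok.group("scheme")
            result["schemes"].setdefault(current, {})
        elif current is not None:
            result["schemes"][current][tok.group("key")] = tok.group("val")
    return result


def offers_token_auth(parsed):
    """True when the endpoint advertised a SIGN (STS token) challenge."""
    return "sts" in parsed["schemes"].get("SIGN", {})


if __name__ == "__main__":
    print(parse_vapi_auth_error(SAMPLE_ERROR))
```

When the parsed result shows both SIGN (with an sts URL) and Basic, the server rejected the Basic credentials the module's session creation sent and is also advertising token-based login via the STS, which matches the PowerCLI SSO note above.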

Apropos of nothing: I would be really happy if we would be able to run CI tests with a real vSphere environment (again) for community.vmware: Need help on new community.vmware CI.

This has been extremely helpful, and I’m missing this CI :cry: