Vmware.vmware and VCF9 SSO compatibility

Curious if the vmware.vmware collection is known to support VCF 9 and SSO login that uses LDAP behind the scenes.

In my vSphere 8 environment we use domain\username format for task usernames and it works fine with LDAPs authentication.

We have a VCF 9 lab setup with SSO that is using the same LDAPs for authentication.

On a task that uses community.vmware I had to change to username@domain.com format and then the tasks worked as expected. vmware.vmware collection fails on both combinations with odd errors that I’m not even sure if they are authentication related.

fatal: [vcf9.domain.com -> localhost]: FAILED! => {"attempts": 3, "changed": false, "module_stderr": "/usr/local/lib/python3.12/site-packages/vmware/vapi/l10n/bundle.py:59: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.\n  from pkg_resources import resource_string\nTraceback (most recent call last):\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/clients/rest.py\", line 152, in __create_client_connection\n  File \"/usr/local/lib/python3.12/site-packages/vmware/vapi/vsphere/client.py\", line 191, in create_vsphere_client\n    return VsphereClient(session=session, server=server, username=username,\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/local/lib/python3.12/site-packages/vmware/vapi/vsphere/client.py\", line 124, in __init__\n    self.session_id = session_id if session_id else session_svc.create()\n                                                    ^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/local/lib/python3.12/site-packages/com/vmware/cis_client.py\", line 206, in create\n    return self._invoke('create', None)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/local/lib/python3.12/site-packages/vmware/vapi/bindings/stub.py\", line 393, in _invoke\n    return self._api_interface.native_invoke(ctx, _method_name, kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/local/lib/python3.12/site-packages/vmware/vapi/bindings/stub.py\", line 346, in native_invoke\n    raise api_error\ncom.vmware.vapi.std.errors_client.Unauthenticated: {challenge : SIGN 
realm=\"54:60:79:40:BB:B9:B5:E5:6F:7B:01:F8:B9:4F:F4:B5:A3:39:F1:1A\",sts=\"https://vcf9.domain.com/sts/STSService/vsphere.local\", Basic realm=\"vCenter\", messages : [], data : None, error_type : UNAUTHENTICATED}\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1766091656.203309-32797-175244772280330/AnsiballZ_vcsa_settings.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1766091656.203309-32797-175244772280330/AnsiballZ_vcsa_settings.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1766091656.203309-32797-175244772280330/AnsiballZ_vcsa_settings.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.vmware.vmware.plugins.modules.vcsa_settings', init_globals=dict(_module_fqn='ansible_collections.vmware.vmware.plugins.modules.vcsa_settings', _modlib_path=modlib_path),\n  File \"<frozen runpy>\", line 226, in run_module\n  File \"<frozen runpy>\", line 98, in _run_module_code\n  File \"<frozen runpy>\", line 88, in _run_code\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/modules/vcsa_settings.py\", line 618, in <module>\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/modules/vcsa_settings.py\", line 605, in main\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/modules/vcsa_settings.py\", line 273, in __init__\n  File 
\"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/_module_rest_base.py\", line 29, in __init__\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/clients/rest.py\", line 63, in __init__\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/clients/rest.py\", line 102, in connect_to_api\n  File \"/tmp/ansible_vmware.vmware.vcsa_settings_payload_d6qanylz/ansible_vmware.vmware.vcsa_settings_payload.zip/ansible_collections/vmware/vmware/plugins/module_utils/clients/rest.py\", line 162, in __create_client_connection\nansible_collections.vmware.vmware.plugins.module_utils.clients.errors.ApiAccessError: Failed to connect to vCenter or ESXi API at vcf9.domain.com:443 : {challenge : SIGN realm=\"11:22:33\",sts=\"https://vcf9.domain.com/sts/STSService/vsphere.local\", Basic realm=\"vCenter\", messages : [], data : None, error_type : UNAUTHENTICATED}\n", "module_stdout": "", "msg": "MODULE FAILURE: No start of json char found\nSee stdout/stderr for the exact error", "rc": 1}

ansible [core 2.18.12]
community.vmware 5.10.0
vmware.vmware 2.6.0
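
For triaging the failure above, an added example (not part of the original post and not code from the vmware.vmware project): the `msg` field only reports that the module produced no JSON, while the vAPI error inside `module_stderr` carries the error type and the authentication schemes vCenter offered. The regular expressions are assumptions based on the error text shown in this post, and the sample line is constructed from it with the traceback shortened.

```python
import json
import re

# vAPI error text as it appears inside module_stderr (pattern assumed from this thread).
VAPI_ERROR = re.compile(
    r"\{challenge : (?P<challenge>.*?), messages : .*?error_type : (?P<etype>\w+)\}", re.S)
# Either a scheme name (followed by its first key="...") or one key="value" pair.
TOKEN = re.compile(
    r'(?P<scheme>[A-Za-z][\w-]*)\s+(?=[\w-]+=")|(?P<key>[\w-]+)="(?P<val>[^"]*)"')


def parse_challenge(challenge):
    """Split 'SIGN realm="..",sts="..", Basic realm=".."' into [(scheme, params), ...]."""
    schemes = []
    for tok in TOKEN.finditer(challenge):
        if tok.group("scheme"):
            schemes.append((tok.group("scheme"), {}))
        elif schemes:  # ignore parameters that appear before any scheme name
            schemes[-1][1][tok.group("key")] = tok.group("val")
    return schemes


def triage(fatal_line):
    """Read the underlying failure out of an Ansible 'FAILED! => {...}' line."""
    result = json.loads(fatal_line.split("=> ", 1)[1])
    found = VAPI_ERROR.search(result.get("module_stderr", ""))
    if not found:
        return {"auth_failure": False, "error_type": None, "schemes": [], "sts": None}
    schemes = parse_challenge(found.group("challenge"))
    return {
        "auth_failure": found.group("etype") == "UNAUTHENTICATED",
        "error_type": found.group("etype"),
        "schemes": [name for name, _ in schemes],
        "sts": next((p["sts"] for _, p in schemes if "sts" in p), None),
    }


# Constructed sample: the failure from this thread, with the traceback shortened.
SAMPLE = "fatal: [vcf9.domain.com -> localhost]: FAILED! => " + json.dumps({
    "attempts": 3, "changed": False, "module_stdout": "", "rc": 1,
    "msg": "MODULE FAILURE: No start of json char found\nSee stdout/stderr for the exact error",
    "module_stderr": 'UserWarning: pkg_resources is deprecated as an API.\n'
                     'Traceback (most recent call last):\n'
                     'com.vmware.vapi.std.errors_client.Unauthenticated: {challenge : SIGN '
                     'realm="11:22:33",sts="https://vcf9.domain.com/sts/STSService/vsphere.local", '
                     'Basic realm="vCenter", messages : [], data : None, '
                     'error_type : UNAUTHENTICATED}\n',
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

An `error_type` of `UNAUTHENTICATED` confirms the failure is an authentication rejection at session creation, and the `schemes` list shows which mechanisms the server advertised in its challenge.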


Can you provide an example of a community module that works? Community uses the same client code as vmware.vmware (can’t remember what version changed that though), so I would expect them to act the same.

It would also be useful to know what version of relevant Python packages you have.

This works with username@domain.com:

    - name: VMware vCenter Advanced Settings
      # Found in HTML5, Host view, click on vCenter, Configure, General, Settings
      community.vmware.vmware_vcenter_settings:
        hostname: "{{ inventory_hostname }}"
        username: "{{ vcenter_user }}"
        password: "{{ vcenter_password }}"
        validate_certs: "{{ vmware_validate_certs }}"
        database:
          max_connections: 50
          task_cleanup: true
          task_retention: 15
          event_cleanup: true
          event_retention: 15
      delegate_to: localhost

This fails with both domain\username and username@domain.com with the error above:

    - name: Network Proxy - HTTP
      vmware.vmware.vcsa_settings:
        hostname: "{{ inventory_hostname }}"
        username: "{{ vcenter_user }}"
        password: "{{ vcenter_password }}"
        validate_certs: "{{ vmware_validate_certs }}"
        proxy:
          - enabled: true
            protocol: http
            url: "{{ http_proxy }}"
            port: "{{ http_proxy_port }}"
      delegate_to: localhost
      when: http_proxy is defined

Hopefully relevant python modules:

ansible-compat                             25.12.0
ansible-core                               2.18.12
cryptography                               43.0.3
pyvmomi                                    9.0.0.0
vmware-vapi-common-client                  2.61.2
vmware-vapi-runtime                        2.61.2
vmware-vcenter                             9.0.0.0

When the inventory_hostname is a vCenter 8.0 U3 it all works as expected with the same EE.

The community module is just using pyvmomi, while the vmware.vmware module is using the REST SDKs. I think that explains the difference in behavior.

I don't have access to a vSphere 9 deployment (or 8 for that matter), but I do see some docs indicating that the authentication mechanisms in the SDKs have changed with the release of vcf-sdk. The REST SDK (and I'm guessing pyvmomi, but can't be bothered to check) explicitly says that vcf-sdk is the path forward for vSphere 9 and beyond.

You might want to try just installing vcf-sdk in a virtual environment (instead of pyvmomi, vmware-*) and seeing if that works. vcf-sdk has not really been tested in vmware.vmware but it is on the roadmap for the next major release. I did some testing locally and haven't run into issues.